After upgrading to 11.6, when Enforce users are prompted to change an expired password, any password they enter is rejected and they are returned to the dialog asking for the password to be reset.
There is a known defect in 11.6, etrack 2985614. We introduced a default role concept in 11.1 and every user in Enforce needs a default role assigned to it.
Users that existed before the upgrade to 11.1 do not have a default role. A validation added in 11.6 checks whether the logged-in user has a default role; if not, the validation fails and the user cannot change their password on the password renewal page.
The solution is to run the attached script.sql.
1. Download the attached script.sql.
2. Log in to SQL*Plus as the protect user (or whichever user is the schema owner) and compile the SQL files.
3. To verify that all users have been assigned a default role, run the following query:
SELECT UserId, Name, DefaultRoleId FROM ProtectUser WHERE DefaultRoleId IS NULL AND IsDeleted = 0;
Note: A default role does not apply to two users, ‘Administrator’ and ‘internal system user’. If other users have no default role, try step 2 again. Otherwise, go into Enforce and modify these users to have a default role.
4. Users should now be able to reset their passwords.