Password update requests are structured differently based on whether the password update is a self change or an administrative change. The PUT /environments/{environmentId}/users/{userId}/password endpoint is called in both cases, but the request body for the self-change operation requires a value for the currentPassword attribute while the administrative-change operation does not. Both operations use application/vnd.pingidentity.password.reset+json as the content type in the request header.

Note: For an administrative reset, the password becomes unlocked, but other account lockout mechanisms are not unlocked. For example, if the account has been locked through an explicit application/vnd.pingidentity.account.lock+json request on the user, the account will still be locked after administrative reset.

Administrative-change password update

The sample shows the PUT /environments/{environmentId}/users/{userId}/password operation to execute an administrative-change reset of the password identified by the user ID and environment ID.

In the request body, the newPassword attribute specifies the new password assigned to this user by the administrator. For a successful administrator-change update, the status attribute value is changed to MUST_CHANGE_PASSWORD. Note that this assigned temporary password is not validated against the current password policy.