Articles in this section

See more

Why Does My User Profile Say “This User Is Managed by Centralized Identity”?

Follow

Overview

After a recent PayClock Online release, some administrators noticed that user profiles now show the message “This user is managed by centralized identity,” and the option to reset the user’s password is no longer available on the record. This article explains what the message means, why the password reset option has changed, and what to do next.

Short answer

“Centralized identity” here refers to PayClock Online’s own new User Identity feature — it does not mean an external identity provider (such as Microsoft Entra, Okta, or Google) has been connected to your account. No external IDP can be linked to PayClock Online at this time. Affected users now reset their own passwords using the Forgot Password link on the PayClock Online login page.

 

What “Managed by Centralized Identity” Actually Means

PayClock Online recently introduced User Identity — a feature that lets a user sign in with a single email address and password across multiple PayClock Online accounts. When a user or employee becomes a User Identity, two things change on their record:

  • The Username and Password fields are removed from the profile.
  • The message “This user is managed by centralized identity” is shown in their place, along with the Last Logged In date and time.

This is the expected, by-design appearance of a User Identity record in PayClock Online. The user’s password is no longer stored on the record — it was set by the user themselves when they approved their email verification — so there is nothing for an administrator to reset from the record.

This is not an external identity provider

PayClock Online does not currently support connecting to a third-party identity provider such as Microsoft Entra ID, Okta, Google, or Active Directory. If your records now show this message, it means those users have been converted to PayClock Online’s built-in User Identity model — not that an outside system has been linked to your account.

 

Why Did My Users Get Converted?

A user or employee record only converts to a User Identity when one of the following actions takes place — and the user approves the resulting verification email:

  • The user’s or employee’s email address was changed on their record.
  • Web Portal or Mobile App access was turned on or changed for the record.
  • A new user or employee with an email and access was created (new records are User Identity from the start).
  • New customer accounts created after the release are User Identity from day one — there is no separate cutover.

In each case, PayClock Online sends the user a verification email. The record only becomes a User Identity after the user clicks the link and approves it — the conversion is not silent and not done in bulk to existing records.

 

How to Reset a User Identity Password

Once a user is a User Identity, their password is reset by the user using the Forgot Password link on the PayClock Online login page. Lathem Support can no longer reset passwords for User Identity accounts.

If the user can access their email

  1. Go to the PayClock Online login page.
  2. Click Forgot Password.
  3. Enter the email address on the user’s record.
  4. Open the password reset email and follow the link to set a new password.
  5. Log in with the email address and the new password.

If the user no longer has access to that email address

The user can update their own email address from inside PayClock Online (User menu → Change My Email Address), as long as they can still log in. If they cannot log in and cannot receive the reset email, a secondary user or employee can contact the primary PayClock Online Admin to change their email. If the primary PayClock Admin needs to change their email address and cannot access their account, they will need to contact Lathem Technical Support and we can help correct the email on file.

 

What Administrators Can and Cannot Do for User Identity Records

Can do

  • View the user’s record, role, access, departments, and Last Logged In timestamp.
  • Resend the email verification link from the employee record (Resend Email Verification button), if the user never approved the original verification.
  • Change a user’s access, role, or assignments as normal.
  • Make a user inactive or delete the user as normal.

Cannot do

  • Set or reset the password directly on the user’s record.
  • Change the user’s email address on the record without triggering a new verification email to the user.

Why the change?

Because a User Identity password is shared across every PayClock Online account that user is associated with, only the user can set it. This prevents an administrator on one account from changing a credential that also controls access to other accounts.

 

Records That Are Not Yet User Identity

Users and employees who have not been converted continue to work exactly as before — they show Username and Password fields, and an administrator can reset their password as usual. A record only converts when one of the triggering actions above takes place and the user approves the verification email.

Related articles

Comments

0 comments

Article is closed for comments.