SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
New Contributor
New Contributor

How to provide On-Demand Pin for a selective 10- 50 users

How to provide On-Demand Pin for a selective 10- 50 users, as we can see the Enable users give all the users in Alphabetical order and there is no criteria to search for particular few users to provide ODA.

Labels (1)
11 Replies

You can use Authentication Manager Bulk Admin EODA on command line, and input a .csv file with userid's and pins:


Enable OnDemand Authentication
This command enables an OnDemand Authenticator for a principal. A PIN may be
assigned or system generated. Some field names are duplicates of field names used for
token management but may have slightly different usage. Consult this guide and the
RSA Authentication Manager Help for the correct definition of ODA command fields.
Results are written to the AMBA results file. Use the CRFN command to change the
results file path and name.

Action EODA
Required Fields DefLogin, PINIndicator, SetPin*

Optional Fields IdentitySource, SecurityDomain, InstanceName, PinMode*,
ExpiryDate, DeliveryMethod, DestinationAddress*,
TemplateFile, OutputOption
* These fields are ignored when PINIndicator is set to GENERATE_PIN.

New Contributor
New Contributor

Hi Edward,


Thanks for your reply,  can you please provide any steps or a screenshot where I can find the  Authentication Manager Bulk Admin and to enter the EODA in the Command Line. Any steps or a document that you can share it to me would be great full to learn the procedure to provide ODA in bulk.

Respected Contributor Respected Contributor
Respected Contributor

AMBA is included with AM 8.2 and later, but it does require an enterprise license.  Full documentation of AMBA functions and features, command line syntax, and sample AMBA scripts is available here (part of the standard RSA documentation set for Authentication Manager): 

Trusted Contributor Trusted Contributor
Trusted Contributor

Are you using Security Domains to scope administrative data?


You could move the users to a sub-Security Domain and use the Security Domain filter to just select the users that are trying On-Demand. AM allows the administrator to create a Security Domain hierarchy.


There are currently four user attributes that can be used to filter search results. I would be interested to hear which other attributes would be useful.


Of course, I would also recommend you take a look at the RSA SecurID Access Cloud Authentication Service. This provides a policy-driven, multi-factor, cloud-based authentication service (including SMS OTP) and integrates with your on-premises RSA SecurID Authentication Manager.

New Contributor
New Contributor

Hi Piers,


Thanks for your valuable comments, the console can be searched the users one by one and only can be moved to  a sub omain, that actually a time consuming than providing OD-Pin individually.

New Contributor
New Contributor

Hi Piers,


Can you help me in solving a error message issue which appears while replacing a soft token on the existing hard token in RSA Self Service Portal when clicked replace token button.


Error message as "Error message From Server Details-> Original token already have an replacement  soft token"


We tried in different browser and cleared cookies worked for few users but i hope that's not the solution, few users still remain the same error message.


Can you please advise in solving the permanent issue.

Employee (Retired) Employee (Retired)
Employee (Retired)

Raja S‌,


I came across a thread from April ( where another customer reported a similar error of original token XXXXXXXXXX already has a replacement token.


The TSE's response was that the customer needs to open a case with RSA Customer Support, and "specifically ask for the remedy in AM-29999. It will be some SQL deletes, but we need to mine your database for the possibility of more offending tokens you have not run into yet."




Apprised Contributor Apprised Contributor
Apprised Contributor


Do you know if you use AMIS or AM Prime with Authentication Manager?

If a token had been assigned a replacement token, you should be able to see that replacement token in the Security Console, but as Erica pointed out, there was another forum question on (and a related Support case) about this particular problem, and we had to look in the internal postgres database to see the 'partially' assigned replacement token serial number.  This should not have happened, the suspicion is some integrity check was lacking through either a custom admin API application or in an older version of AMIS, the Authentication Manager Integration Service that RSA Professional Services wrote to extend the capabilities of Authentication Manager.


Hi Erica,


Thanks for your prompt reply.


We have also checked if there's any token replacement request already in place while replacing a soft token but none were in RSA Console.


Temporarily we had to reset the user profile and tried with a replacement so it worked, but that was not advisable just for assigning a token reset won't work for other user facing same issue.