Feature #1384

closed

Support "Password never expires"

Added by Alena Peterová over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
High
Assignee:
Ondřej Kopr
Category:
Password
Target version:
Start date:
11/19/2018
Due date:
% Done:

100%

Estimated time:
16.00 h
Owner:

Description

Please add a new checkbox "Password never expires" to the user detail. If this checkbox is checked, then the password of that user doesn't expire, even if password policy specifies maximum password age.

If the checkbox is unchecked, then maximum password age applies for the user.

This checkbox can be changed only by administrators with special authorization, e.g. APP_ADMIN. Changes of this property are audited in the audit log for identities.

When "admin" identity is created during the first initialization of CzechIdM, the value of "Password never expires" for this identity will be "true".
All other identities have it by default "false".

Use case:
We have "Maximum password age = 90". After 90 days, the password for "admin" expired, so we can't log in to IdM anymore.
We want to set "Password never expires" for admin and other super users, so we don't lose access to IdM anymore.
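The rules in the description (per-identity flag overrides the policy's maximum age, the flag may only be changed by a specially authorized administrator, and every change is audited) can be expressed as a small policy check. The code below is an added illustration written for this page, not CzechIdM's implementation; the class names, the `REQUIRED_AUTHORITY` constant and the `passwordNeverExpires` attribute name are assumptions based on the issue text, and the identities, dates and policy values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PasswordPolicy:
    # Maximum password age in days; None means the policy sets no maximum.
    max_password_age_days: Optional[int]


@dataclass
class Identity:
    username: str
    authorities: set
    password_changed_at: datetime
    password_never_expires: bool = False  # the new per-identity flag


@dataclass
class AuditRecord:
    changed_at: datetime
    actor: str
    identity: str
    attribute: str
    old_value: object
    new_value: object


# Authority required to toggle the flag. The issue names APP_ADMIN as an example;
# the constant itself is an assumption of this illustration.
REQUIRED_AUTHORITY = "APP_ADMIN"


def password_expires_at(identity: Identity, policy: PasswordPolicy) -> Optional[datetime]:
    """Return the expiry timestamp, or None when the password never expires.

    The per-identity flag wins over the policy's maximum age; without the
    flag the policy applies, and a policy without a maximum age means no expiry.
    """
    if identity.password_never_expires:
        return None
    if policy.max_password_age_days is None:
        return None
    return identity.password_changed_at + timedelta(days=policy.max_password_age_days)


def is_password_expired(identity: Identity, policy: PasswordPolicy, now: datetime) -> bool:
    expires_at = password_expires_at(identity, policy)
    return expires_at is not None and now >= expires_at


def set_password_never_expires(actor: Identity, target: Identity, value: bool,
                               audit_log: list, now: datetime) -> bool:
    """Change the flag on behalf of `actor`.

    Refuses (and writes nothing) when the actor lacks the required authority.
    Returns True when the value changed and an audit record was written.
    """
    if REQUIRED_AUTHORITY not in actor.authorities:
        raise PermissionError(
            f"{actor.username} lacks {REQUIRED_AUTHORITY}; cannot change passwordNeverExpires")
    old = target.password_never_expires
    if old == value:
        return False  # nothing changed, nothing to audit
    target.password_never_expires = value
    audit_log.append(AuditRecord(now, actor.username, target.username,
                                 "passwordNeverExpires", old, value))
    return True


def demo() -> dict:
    """Constructed scenario from the use case: 90-day maximum age, passwords
    last changed 120 days ago. Not real CzechIdM data."""
    now = datetime(2019, 3, 19, tzinfo=timezone.utc)
    changed = now - timedelta(days=120)
    policy = PasswordPolicy(max_password_age_days=90)
    admin = Identity("admin", {"APP_ADMIN"}, changed, password_never_expires=True)
    alice = Identity("alice", set(), changed)
    helpdesk = Identity("helpdesk", {"HELPDESK"}, changed)
    audit_log = []

    results = {
        "admin_expired": is_password_expired(admin, policy, now),   # flag set: never expires
        "alice_expired": is_password_expired(alice, policy, now),   # 120 days > 90: expired
    }
    # Authorized change: alice becomes a service account; the change is audited.
    results["alice_change_audited"] = set_password_never_expires(admin, alice, True, audit_log, now)
    results["alice_expired_after"] = is_password_expired(alice, policy, now)
    # Unauthorized attempt: rejected, and no audit entry is written for it.
    try:
        set_password_never_expires(helpdesk, alice, False, audit_log, now)
        results["helpdesk_rejected"] = False
    except PermissionError:
        results["helpdesk_rejected"] = True
    results["audit_entries"] = len(audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check deliberately keys on the identity's own flag rather than on username or on membership in an admin role, which is the concern raised in the comments below: renaming an account or granting APP_ADMIN does not by itself switch off expiration, and only an explicit, audited change of the flag does.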


Files

PasswordNeverExpires.png (49.1 KB) PasswordNeverExpires.png Alena Peterová, 11/20/2018 08:11 AM

Related issues

Related to IdStory Identity Manager - Task #1185: Create endpoint to read metadata about identity password (Closed, Ondřej Kopr, 07/19/2018)

Actions #1

Updated by Ondřej Kopr over 5 years ago

It's a security weakness :( Are you sure that you want this? If I implement this, you want never-expiring passwords for all users that have the permission APP_ADMIN (super admin), because checking a user by username is very dangerous (rename, etc.). On some projects we just set null in the expiring column in the database and that is all; it is not a good way, but it is more security friendly than a checkbox "never expire password for all APP_ADMIN".

Actions #2

Updated by Peter Štrunc over 5 years ago

I don't think that it was meant for all admin users, but just for one user (or a small subset) which will be used as service access in case all users lose their access to IdM.

Actions #3

Updated by Alena Peterová over 5 years ago

I changed the description to be more specific. I definitely don't want to use this widely on all super admins, and also not for a specific username.
A similar feature is e.g. in Active Directory, where it's commonly used for service accounts, see screenshot.
Changing anything in the database is not desired.

Actions #4

Updated by Vladimír Kotýnek over 5 years ago

I guess this should be some kind of privilege assigned to a specific role so e.g. Security Manager can approve it. We definitely don't want all superAdmins without password expiration. Also, not all users we want to exclude from password expiration are superAdmins.

Actions #5

Updated by Ondřej Kopr over 5 years ago

  • Related to Task #1185: Create endpoint to read metadata about identity password added

Actions #6

Updated by Vít Švanda about 5 years ago

  • Target version set to Quartz (9.6.0)

Actions #7

Updated by Vít Švanda about 5 years ago

  • Estimated time set to 16.00 h

Actions #8

Updated by Ondřej Kopr about 5 years ago

Updated request:

  • new agenda/detail on identity detail (information about password),
  • new REST endpoint,
  • new permissions for the password metadata,
  • new attribute passwordNeverExpires,
  • new behavior with password never expires.

Actions #9

Updated by Ondřej Kopr about 5 years ago

  • Status changed from New to In Progress

Actions #10

Updated by Ondřej Kopr about 5 years ago

  • % Done changed from 0 to 90

Feature, documentation and tests were done in ticket #1185.

Actions #11

Updated by Ondřej Kopr about 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Radek Tomiška

Radek, could you please give feedback? The commit and documentation can be found in ticket #1185. Thank you.

Actions #12

Updated by Radek Tomiška almost 5 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Radek Tomiška to Ondřej Kopr
  • % Done changed from 90 to 100

I did the test and review; it works, all password features are available in one place, and the code looks nice, thx!

Note: I did only minor changes regarding REST, show loading, locales, init admin identity with password never expires, added author, since ... :):
https://github.com/bcvsolutions/CzechIdMng/commit/34ccb8c1473db4367ef4c85c64d3a23db76fedde

Actions #13

Updated by Ondřej Kopr almost 5 years ago

  • Status changed from Resolved to Closed