Hi all,
We are currently working on adding the capability to define several Password Policies for
a given realm.
The rationale is that in our systems, within a given realm, we have different
"types" of accounts that have different constraints on password management. For
instance:
- Administrators shall have long and complex passwords, with a very short
password expiration time
- Regular users have a "normal" :P password strength, and medium
expiration time
- Accounts for technical/automated access to the system shall never expire and
have very long passwords
All these Users shall be part of the same Realm.
Obviously, these 3 types are only an example and there might be a need of more types or
less types of accounts for other deployments => the number of Password Policies is not
fixed in advance.
We would definitely like to push the work as a PR, but before doing that, we'd like to
be sure that we are going on the good tracks so that this PR could be accepted.
The idea is consequently, from Web UI perspectives:
- To update the Password Policy pane so that we have first a list of what we
could call "Password Policy Groups". Within this pane, an initial list would
allow to list, create and edit the Password Policy Groups.
- When creating or editing one of the available Password Policy Groups, a sub
pane would allow to select the individual Password Policies to be added to the Group.
- Then, on Users management section, a new drop-down field of the User edition
page would enable to select the Password Policy Group to be applied to this specific User
- The Password Policy Group page might remain under the Authentication menu
area... but it might also be eligible to be moved to a dedicated area similar to the
current "Group" area (indeed, we would then have a "Roles Groups" area
(this is indeed what the current "Group" area is) and a "Password Policy
Groups" area...)
Note that it would maybe be more convenient to attach a Password Policy Group to a
"Group" rather than to an individual User, but as Users may belong to several
Groups, then it would generate conflicts when applying the individual Password Policies if
they are conflicting (for example, one saying that the min password length is 10
characters while the other saying it is 15).
Impacts are:
- On the DB model and JPA classes to support a list of Password Policies (i.e.
Password Policy Groups),
- On the User classes to support attachment of a User to a Password Policy Group
- On the GUI, as described above
- On the authentication process, to select the right Password Policy
- On the change password process, to select the right Password Policy
- On the REST API
Does this proposal make sense to you (any concern or recommendation) ?
Thanks for your feedbacks
Best regards,
Patrice
________________________________
This message and any attachments are intended solely for the addressees and may contain
confidential information. Any unauthorized use or disclosure, either whole or partial, is
prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if
altered, changed or falsified. If you are not the intended recipient of this message,
please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from
viruses, the sender will not be liable for damages caused by a transmitted virus.