Q4 - What is your proposed solution?
Our proposed solution is to add a “disabled” field to the records of the users database table, so that administrators can set this flag for a given user and mark them as enabled or disabled. Additionally, we propose that the user directory sync plugin be able to use this field, supporting synchronization of the disabled status flag from the directory as a default setting.
When a user is disabled, they will lose access to the solution, meaning they will not be able to perform certain operations such as:
- authenticating using GpgAuth or GpgJwtAuth (mobile)
- completing the MFA process
- performing an account recovery
- performing SSO operations
- receiving any email notifications.
However, so that users can rejoin the solution later, a disabled user will still be considered a valid target for sharing. For example, if a disabled user is a member of a group and a resource is shared with that group, the secret encrypted for that user still needs to be provided to complete the operation.
In order to provide visual feedback to other users, every user will be able to see whether a given user is disabled: a visual indicator will be shown when adding them to sharing or group lists. This gives administrators a way to quickly and temporarily revoke a user's access while still allowing that user to rejoin the solution later, without hindering adoption.
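The rules above, collected into one runnable model, as an added example that is not Passbolt's own code and not part of the original proposal. It is written in Python rather than the project's PHP so the behaviour can be checked stand-alone. All names in it (User, Operation, authorize, secret_recipients, sync_disabled_from_directory and so on) are illustrative; it also assumes, for the example only, that the flag is stored as a nullable timestamp and that the directory sync reads Active Directory's userAccountControl attribute, neither of which the text specifies. The security-relevant point it shows is that the gate lives on the server-side flows (login, MFA, recovery, SSO, mail), while share-recipient computation deliberately keeps disabled users in.

```python
# Added example, not Passbolt's code: a minimal model of the proposed
# "disabled" flag and the rules listed in the text. All names here are
# illustrative and chosen for this example.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Operation(Enum):
    GPGAUTH = "gpgauth"            # web login
    GPGJWTAUTH = "gpgjwtauth"      # mobile login
    MFA = "mfa"
    ACCOUNT_RECOVERY = "account_recovery"
    SSO = "sso"
    EMAIL_NOTIFICATION = "email_notification"
    SHARE_TARGET = "share_target"  # being named as a recipient of a secret


# Everything a disabled user is refused. SHARE_TARGET is deliberately NOT in
# this set: a disabled user stays a valid recipient, so secrets keep being
# encrypted for them and nothing is missing when they are re-enabled.
BLOCKED_WHEN_DISABLED = frozenset(
    op for op in Operation if op is not Operation.SHARE_TARGET
)


class UserDisabledError(PermissionError):
    """Raised when a disabled user attempts a blocked operation."""


@dataclass
class User:
    id: str
    username: str
    # Assumption for this example: a nullable timestamp rather than a bare
    # boolean, so the moment of disabling is recorded. None means enabled.
    disabled: Optional[datetime] = None

    @property
    def is_disabled(self) -> bool:
        return self.disabled is not None


def set_disabled(user: User, disabled: bool, now: Optional[datetime] = None) -> User:
    """Administrator action: mark a user enabled or disabled."""
    if disabled and not user.is_disabled:
        user.disabled = now or datetime.now(timezone.utc)
    elif not disabled:
        user.disabled = None
    return user


def authorize(user: User, op: Operation) -> bool:
    """Server-side gate. Must run in every listed flow (login, MFA, recovery,
    SSO, mail), not only in the UI. Returns True or raises."""
    if user.is_disabled and op in BLOCKED_WHEN_DISABLED:
        raise UserDisabledError(f"user {user.username} is disabled; {op.value} refused")
    return True


def is_allowed(user: User, op: Operation) -> bool:
    try:
        return authorize(user, op)
    except UserDisabledError:
        return False


def secret_recipients(group_members: List[User]) -> List[str]:
    """Users whose copy of the secret must be supplied when a resource is
    shared with a group. Disabled members are included on purpose."""
    return [u.id for u in group_members if is_allowed(u, Operation.SHARE_TARGET)]


def display_name(user: User) -> str:
    """Label for share and group pickers: the indicator every user can see."""
    return f"{user.username} (disabled)" if user.is_disabled else user.username


# Directory sync. Assumption for this example: the directory exposes Active
# Directory's userAccountControl attribute, whose ACCOUNTDISABLE bit is 0x0002.
# The text only says the sync plugin may synchronise the flag, not how.
ACCOUNTDISABLE = 0x0002


def sync_disabled_from_directory(user: User, directory_entry: dict,
                                 sync_disabled_flag: bool = True) -> User:
    if not sync_disabled_flag:        # plugin setting off: never touch the flag
        return user
    uac = int(directory_entry.get("userAccountControl", 0))
    return set_disabled(user, bool(uac & ACCOUNTDISABLE))


if __name__ == "__main__":
    alice = User("u1", "alice@example.com")
    bob = set_disabled(User("u2", "bob@example.com"), True)
    print(is_allowed(bob, Operation.GPGAUTH))      # False
    print(secret_recipients([alice, bob]))         # ['u1', 'u2']
    print(display_name(bob))                       # bob@example.com (disabled)
```

Note that `secret_recipients` uses the same `authorize` gate as the blocked flows, so the only place the share-target exception is expressed is the `BLOCKED_WHEN_DISABLED` set; adding a new blocked operation later cannot silently drop disabled users from the recipient list.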