MFA Enforcement Based on RBAC Groups

I searched for similar feature requests and found related discussions in the past. However, since I couldn’t locate the specific thread again and with the recent release of Passbolt 5.8 introducing the new RBAC enhancements, I would like to revisit and formally propose this idea.

Q1. What is the problem that you are trying to solve?
Currently, users can dismiss MFA setup prompts or enable MFA themselves in their personal settings (depending on configuration). However, there are certain groups of users where MFA should be mandatory and non-optional.

With the recent RBAC improvements in Passbolt 5.8, this would be a natural and highly valuable extension of the role-based access control model.

Q2. Who is impacted?
Organizations using:

  • Custom RBAC roles

  • Large-scale deployments with differentiated permission models

This applies especially to environments where certain roles (e.g., administrators, privileged users, external collaborators) require stricter security policies.

Q3. Why is it important and/or urgent?
In environments with close to 1,000 users, it becomes increasingly difficult to maintain visibility over who has MFA enabled and who does not.

For high-privilege roles in particular, MFA should not rely on user discretion.

Q4. What is your proposed solution? (optional)
There is an existing MFA policy configuration page at:

app/administration/mfa-policy

Currently, MFA policies are managed globally from this location. My proposal would be to extend this concept by integrating MFA policy controls into:

app/administration/rbacs

This would allow administrators to define MFA requirements directly at the RBAC role or group level.

In practice, this could mean:

  • Selecting or enforcing an MFA policy per RBAC group

  • Making MFA mandatory for specific user groups
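A sketch of how per-group MFA policy resolution along these lines could behave, added here as an illustration rather than Passbolt code; the group names, the three policy levels and the strictest-wins rule are assumptions:

```python
from enum import IntEnum

# Constructed model of the proposed feature (not Passbolt code): each RBAC
# group maps to an MFA policy, and a user's effective policy is the strictest
# policy among the groups they belong to, so membership in a permissive
# group can never weaken the requirement set by a privileged one.
class MfaPolicy(IntEnum):
    OPT_IN = 0      # user may enable MFA in personal settings
    PROMPT = 1      # user is prompted at login but may dismiss
    MANDATORY = 2   # user cannot dismiss; login is held until MFA is set up

# Hypothetical per-group policies an admin would configure on the RBAC page.
GROUP_POLICIES = {
    "admins": MfaPolicy.MANDATORY,
    "external-collaborators": MfaPolicy.MANDATORY,
    "staff": MfaPolicy.PROMPT,
}
DEFAULT_POLICY = MfaPolicy.OPT_IN  # global policy for users in no listed group

def effective_policy(groups):
    """Strictest-wins resolution across all of the user's group memberships."""
    return max((GROUP_POLICIES.get(g, DEFAULT_POLICY) for g in groups),
               default=DEFAULT_POLICY)

def login_allowed(user):
    """A user under MANDATORY policy without MFA configured is held at enrolment."""
    return user["mfa_enabled"] or effective_policy(user["groups"]) < MfaPolicy.MANDATORY

def non_compliant(users):
    """Visibility report for admins: who must have MFA but has not enabled it."""
    return sorted(u["name"] for u in users if not login_allowed(u))

# Constructed sample directory.
USERS = [
    {"name": "alice", "groups": ["admins", "staff"], "mfa_enabled": False},
    {"name": "bob", "groups": ["staff"], "mfa_enabled": False},
    {"name": "carol", "groups": ["external-collaborators"], "mfa_enabled": True},
    {"name": "dave", "groups": [], "mfa_enabled": False},
]

if __name__ == "__main__":
    for u in USERS:
        status = "login_allowed" if login_allowed(u) else "mfa_setup_required"
        print(u["name"], effective_policy(u["groups"]).name, status)
    print("non-compliant:", non_compliant(USERS))
```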