Disable password resets (or at least require intervention) for Crowd users?

We're looking at possibly moving certain authentication systems to Crowd.  One issue that we've come upon is the user password reset feature.

While this is very useful, our security policy requires administrator approval of password resets.  

Ideally, we'd like to forward password reset mail to the administrator to relay to the end-user.  I can certainly think of ways to hack around this once a request hits the Crowd host's mail server, but I'm wondering whether there's another somewhat more "regular" approach.

If we can't do this, then we would like to figure out a way to just remove the functionality from the UI if possible.  It would be nice to keep the "reset" function that's implemented in the administrator UI (generating a random URL) - that might be helpful.  But if someone's email account gets hacked, we need to limit exposure there (not to mention that we are looking at having user email also managed by Crowd...)

I'm finding Crowd both very interesting and useful at the same time I'm having to come to terms with what we really want in a system for managing users...  thanks for any ideas!

1 answer

0 votes
AnnWorley Atlassian Team Mar 12, 2018

Users don't have access to the Crowd console by default so if you don't set them up for self service they won't be able to change their passwords in Crowd. Administrative functions will remain as they are.

Here is what not to do: Granting Crowd User Rights to a User

Please let us know any follow-up questions.

Hi, Ann, thanks for the response.

I think what I'm trying to do - or perhaps not approaching this correctly - is to use the functionality that Crowd has to generate an authentication URL for a user to employ to reset their password - but to not do so automatically.

In other words, now a user can go to the Crowd sign in page and get a password reset URL sent to them.  The risk is that a compromised email account leads to all authentication managed by Crowd being compromised.

On the other hand, denying Crowd user rights would seem to preclude an administrator's ability to allow a user to reset their password (unless - please let me know if I'm wrong about this - an admin can still use the "Reset Password" link to generate an email to a user, and the user can use that link to reset their password).

Again, it's all good if there is some sort of step between a user clicking on the "forgot password" link and getting an email with a reset URL.  (I suspect that I could engineer routing in the mail server to intercept these emails and forward to an administrator... but that strikes me as suboptimal.)

By the way, I'd also assume that unless two-way authentication is set up between Crowd and (at least one) Crowd-managed applications there's no other way to enforce a password expiration requirement? 

One approach would be to change the reset password email template so it doesn't include the reset link, but redirects the customer to contact an admin: Creating an Email Notification Template. In that case a reset password email generated by the admin would also omit the link, however. I am sure you don't want the admins to explicitly set the passwords for the users, so we need to get the users that reset link one way or another.

Perhaps you could set up the email server to copy admins on emails sent from Crowd, so the user has the reset password link, but the admin is aware of it?

Or deny users access to the Crowd application URL via proxy or other method and have them contact an admin, who could go in and generate the email with the reset link by clicking the reset password button while viewing the user.

If an Atlassian application is using a Crowd user directory for user management and the "Days until password expiry" (on the Configuration tab under the Directory in Crowd 3.1.2) is set, that setting will be enforced for the applications: Users Can't Login Due to Expired Passwords
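One way to implement the "deny users access to the Crowd application URL via proxy" suggestion above, as an added example that is not from this thread or from Atlassian: an nginx reverse-proxy fragment that restricts the Crowd console (and with it the "forgot password" page that mails a reset link) to an administrator network, while leaving the REST endpoints that connected applications use reachable. The paths `/crowd/console/` and `/crowd/rest/`, the upstream address, hostname, certificate paths and the admin subnet are all assumptions.

```nginx
# Added example, not Atlassian's or the thread author's configuration.
# Assumes Crowd listens on 127.0.0.1:8095 with context path /crowd, that
# the web console lives under /crowd/console/ and that application
# traffic (SSO lookups from Jira, Confluence, ...) uses /crowd/rest/.
upstream crowd_backend {
    server 127.0.0.1:8095;
}

server {
    listen 443 ssl;
    server_name crowd.example.com;             # placeholder hostname
    ssl_certificate     /etc/ssl/crowd.crt;    # placeholder paths
    ssl_certificate_key /etc/ssl/crowd.key;

    # Applications authenticate users through the REST API; this stays
    # open so single sign-on keeps working for everyone.
    location /crowd/rest/ {
        proxy_pass http://crowd_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # The console, including its forgotten-password page, is reachable
    # only from the administrator network. Ordinary users never reach
    # it, so a compromised mailbox cannot be used to self-serve a reset;
    # an admin triggers the reset email from the user's page instead.
    location /crowd/console/ {
        allow 10.0.0.0/24;                     # placeholder admin subnet
        deny  all;
        proxy_pass http://crowd_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Anything else under the context path is passed through unchanged.
    location /crowd/ {
        proxy_pass http://crowd_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If another load balancer sits in front of nginx, the `allow`/`deny` rules see that balancer's address rather than the client's unless the real client IP is configured, so verify the restriction from a non-admin address after deploying.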

Thanks... that gives me a few ideas to investigate!  We'll go from there.
