Disable password resets (or at least require intervention) for Crowd users?

We're looking at possibly moving certain authentication systems to Crowd.  One issue that we've come upon is the user password reset feature.

While this is very useful, our security policy requires administrator approval of password resets.  

Ideally, we'd like to forward password reset mail to the administrator to relay to the end-user.  I can certainly think of ways to hack around this once a request hits the Crowd host's mail server, but I'm wondering whether there's another somewhat more "regular" approach.

If we can't do this, then we would like to figure out a way to just remove the functionality from the UI if possible.  It would be nice to keep the "reset" function that's implemented in the administrator UI (generating a random URL) - that might be helpful.  But if someone's email account gets hacked, we need to limit exposure there (not to mention that we are looking at having user email also managed by Crowd...)

I'm finding Crowd both very interesting and useful, at the same time as I'm having to come to terms with what we really want in a system for managing users... thanks for any ideas!

1 answer

0 votes
AnnWorley Atlassian Team Mar 12, 2018

Users don't have access to the Crowd console by default so if you don't set them up for self service they won't be able to change their passwords in Crowd. Administrative functions will remain as they are.

Here is what not to do: Granting Crowd User Rights to a User

Please let us know any follow-up questions.

Hi, Ann, thanks for the response.

I think what I'm trying to do - or perhaps not approaching this correctly - is to use the functionality that Crowd has to generate an authentication URL for a user to employ to reset their password - but to not do so automatically.

In other words, now a user can go to the Crowd sign in page and get a password reset URL sent to them.  The risk is that a compromised email account leads to all authentication managed by Crowd being compromised.

On the other hand, denying Crowd user rights would seem to preclude an administrator's ability to allow a user to reset their password (unless - please let me know if I'm wrong about this - an admin can still use the "Reset Password" link to generate an email to a user, and the user can use that link to reset their password).

Again, it's all good if there is some sort of step between a user clicking on the "forgot password" link and getting an email with a reset URL.  (I suspect that I could engineer routing in the mail server to intercept these emails and forward to an administrator... but that strikes me as suboptimal.)

By the way, I'd also assume that unless two-way authentication is set up between Crowd and (at least one) Crowd-managed applications there's no other way to enforce a password expiration requirement? 

One approach would be to change the reset password email template so it doesn't include the reset link, but redirects the customer to contact an admin: Creating an Email Notification Template. In that case a reset password email generated by the admin would also omit the link, however. I am sure you don't want the admins to explicitly set the passwords for the users, so we need to get the users that reset link one way or another.

Perhaps you could set up the email server to copy admins on emails sent from Crowd, so the user has the reset password link, but the admin is aware of it?

Or deny users access to the Crowd application URL via proxy or other method and have them contact an admin, who could go in and generate the email with the reset link by clicking the reset password button while viewing the user.

If an Atlassian application is using a Crowd user directory for user management and the "Days until password expiry" (on the Configuration tab under the Directory in Crowd 3.1.2) is set, that setting will be enforced for the applications: Users Can't Login Due to Expired Passwords
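One concrete way to implement the "copy admins on emails sent from Crowd" idea above, as an added example that is not from this thread or from Atlassian: a Postfix sender-based BCC on the outbound mail server Crowd relays through. The Postfix directives are real; the addresses and file path are assumptions for illustration.

```ini
# /etc/postfix/main.cf (added lines)
# Every message whose envelope sender is Crowd's "from" address gets a blind copy.
# Note: this copies ALL mail Crowd sends (reset links, notifications), and it only
# gives admins visibility after the fact; it does not block or delay the reset.
sender_bcc_maps = hash:/etc/postfix/sender_bcc

# /etc/postfix/sender_bcc  (rebuild with: postmap /etc/postfix/sender_bcc)
# <Crowd sender address, assumed>   <admin mailbox to copy, assumed>
crowd@example.com                   security-admins@example.com
```

Because the reset link itself is still delivered to the user's mailbox, this addresses the "admin is aware" goal, not the "admin must approve" goal; pair it with a mailbox alerting rule so copies are actually reviewed.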

Thanks... that gives me a few ideas to investigate!  We'll go from there.
