#7216 Revisit group password policy design
Opened 6 years ago by rcritten. Modified 6 years ago

The current design for group-based password policy uses CoS to deliver the policy and maintains a loose linkage with the group by using the same name.

This has a few issues:

  • If a user has only group permissions they can delete the group but not the password policy (they won't even be aware such a policy exists). This can lead to an orphan policy. Now imagine the group is re-created...
  • A direct ldapdelete can be executed to delete the group, again leaving the policy orphaned

If the policy were to be a managed entry then management would be automatic.

This also means that there would be no explicit "delete group password policy" ACI necessary.


Metadata Update from @rcritten:
- Issue tagged with: refactoring

6 years ago
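
An audit for the orphaned policies described in this ticket, written as an added example (not FreeIPA code and not part of the original ticket). The DN layout, the `global_policy` name and the sample entries are assumptions constructed for illustration; the check relies only on the name-based linkage the ticket describes.

```python
import re

# Assumption: name of the default policy, which is never tied to a group.
GLOBAL_POLICY = "global_policy"

def leftmost_value(dn):
    """Value of the leftmost RDN, lowercased; splits on the first unescaped comma."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return rdn.partition("=")[2].strip().lower()

def orphaned_policies(group_dns, policy_dns):
    """Policies whose same-named group no longer exists (the name is the only link)."""
    known = {leftmost_value(dn) for dn in group_dns} | {GLOBAL_POLICY}
    return sorted(dn for dn in policy_dns if leftmost_value(dn) not in known)

def policy_for_new_group(name, policy_dns):
    """Policy that a newly created group of this name would silently pick up."""
    for dn in policy_dns:
        if leftmost_value(dn) == name.lower():
            return dn
    return None

# Constructed sample data: the "contractors" group was deleted (for example by a
# direct ldapdelete), but its password policy entry was left behind.
GROUPS = [
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
    "cn=engineers,cn=groups,cn=accounts,dc=example,dc=test",
]
POLICIES = [
    "cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test",
    "cn=engineers,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test",
    "cn=contractors,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test",
]

if __name__ == "__main__":
    for dn in orphaned_policies(GROUPS, POLICIES):
        print("orphaned policy:", dn)
    # A re-created group inherits whatever the stale policy says.
    print("re-created group would get:", policy_for_new_group("Contractors", POLICIES))
```

In practice the two DN lists would come from directory searches for group and password policy entries; run the check before re-creating a group under a previously used name.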
