Hi

On Fri, Jan 20, 2017 at 4:28 PM, Rushmin Fernando <rush...@wso2.com> wrote:

> Isura, as per my understanding, in most of the cases 'inactive' users are
> treated as non-existing users.
>
> So from the domain model side we should have a method to .....
>
> get the active users (since this is the default case, we can even name
> the method as getUsers() )
>
> and another method to ....
>
> get the users including inactive users

+1 for this. Ideally in all user operations we can filter out the inactive users. E.g. in JDBC user stores we may use an account_inactive claim; in LDAP we can filter them out with the UserAccountControl attribute.

> When it comes to operations, we anyway have to have an interceptor in the
> authentication flow to refuse locked users (inactive users will not even be
> considered)
>
> One down side is performance.

If we check this beforehand in authentication it will reduce the performance. So if the user store (Identity store) supports account locking, it is better to use that implementation. If not, we have to explicitly check the account lock property.

-Ishara

> On Fri, Jan 20, 2017 at 3:32 PM, Isura Karunaratne <is...@wso2.com> wrote:
>
>> Hi all,
>>
>> We are working on implementing account lock/disable features for IS 6.0.0.
>>
>> *Account Lock:*
>>
>> - User *must not* be able to log in to the system.
>> - Admin user *can* update the user attributes and assign roles (account is active)
>> - User cannot start a password recovery flow.
>>
>> *Account Disable:*
>>
>> - User *must not* be able to log in to the system.
>> - Admin user *cannot* update the user attributes and cannot assign roles until enabling the account. (inactive state)
>> - User cannot start a password recovery flow.
>>
>> *When will the account be locked?*
>>
>> - Self Signup users until account confirmation
>> - Trying to log in with invalid credentials more than the configured number of attempts. Then the account will be locked for a configured amount of time (like 5 minutes). This lock time will be increased if the user is locked again, based on a configuration.
>> - Providing invalid answers more than the configured number of attempts during password recovery
>> - User onboarding with Email/SMS verification flow.
>> - When admin needs to block the user from logging in to the system
>> - When an admin-initiated password reset flow starts.
>>
>> *When will the account be disabled?*
>>
>> - When admin needs to inactivate a user.
>>
>> What is the best way to handle the account disable check? We can do this at an interceptor level, but then we need to check account disable in each operation.
>>
>> Thanks
>> Isura.
>>
>> *Isura Dilhara Karunaratne*
>> Senior Software Engineer | WSO2
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : http://isurad.blogspot.com/
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> *Best Regards*
>
> *Rushmin Fernando*
> *Technical Lead*
>
> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>
> mobile : +94775615183

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
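As an added illustration (not code from this thread or from WSO2 Identity Server), here is a minimal Python model of the lock/disable distinction and the authentication interceptor discussed above. Assumed values: 3 failed attempts trigger a lock, the base lock is 5 minutes, and each repeat lock doubles the duration; disabled users are hidden from the default `get_users()` listing, as Rushmin proposed.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ACTIVE = "active"      # normal account
    LOCKED = "locked"      # login refused, admin may still edit attributes
    DISABLED = "disabled"  # login refused, admin edits refused, treated as non-existing


@dataclass
class Policy:
    max_failed_attempts: int = 3   # assumed threshold
    base_lock_seconds: int = 300   # "like 5 minutes"
    lock_multiplier: float = 2.0   # assumed: each repeat lock lasts twice as long


@dataclass
class Account:
    username: str
    password: str                  # constructed sample; a real store keeps a salted hash
    state: State = State.ACTIVE
    failed_attempts: int = 0
    lock_count: int = 0
    unlock_time: float = 0.0

    def locked_at(self, now: float) -> bool:
        """Timed locks expire on their own; an expired lock returns the account to ACTIVE."""
        if self.state is State.LOCKED and now >= self.unlock_time:
            self.state, self.failed_attempts = State.ACTIVE, 0
        return self.state is State.LOCKED


def get_users(store: dict) -> list:
    """Default listing: disabled (inactive) users are treated as non-existing."""
    return [a for a in store.values() if a.state is not State.DISABLED]


def admin_can_update(acc: Account) -> bool:
    return acc.state is not State.DISABLED   # locked accounts stay editable by admins


def can_start_recovery(acc: Account, now: float) -> bool:
    return not acc.locked_at(now) and acc.state is State.ACTIVE


def authenticate(store: dict, policy: Policy, username: str, password: str, now: float) -> str:
    """Interceptor in the authentication flow: refuse disabled and locked users before checking credentials."""
    acc = store.get(username)
    if acc is None or acc.state is State.DISABLED:
        return "failed"                      # disabled looks exactly like non-existent
    if acc.locked_at(now):
        return "locked"
    if acc.password != password:
        acc.failed_attempts += 1
        if acc.failed_attempts >= policy.max_failed_attempts:
            acc.lock_count += 1              # lock duration grows with each repeat lock
            acc.state = State.LOCKED
            acc.unlock_time = now + policy.base_lock_seconds * policy.lock_multiplier ** (acc.lock_count - 1)
            return "locked"
        return "failed"
    acc.failed_attempts = 0                  # successful login resets the counter
    return "ok"
```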