You could add a filter to the User form:
If TR.Status is disabled,
set the password to something + the server's date and time.

So only if a person knows exactly when (to the second) the user was disabled could that account be accessed.

Fred

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of John Baker
Sent: Thursday, January 30, 2014 2:17 PM
To: [email protected]
Subject: Target Attack and BMC Software ITSM?

Doug

And you don't force administrators to change the default Mid Tier password, which is the most relevant starting point for abuse given everything else is basically hidden from a web client.

And you haven't made the "disable User" radio do what it says on the tin, i.e. disable a user, which will leave an administrator scratching their head when they believe that clicking disable will disable a user.

And allowing run process to actually run a process is perhaps the craziest thing one would enable on an Internet-facing deployment.

And the password management stuff is kind of irrelevant if a user has no password, i.e. when SSO is enabled.

So there are some improvements for 8.2.

John

