Make syncable attributes read-only as soon as IdP is enabled
Problem to solve
Currently there is a window of time between when LDAP is enabled and the first LDAP sync during which users are able to change attributes that should be read-only, such as profile name and email. This can cause compliance issues for large organizations that rely on LDAP as their authentication method.
Intended users
- Parker (Product Manager)
- Delaney (Development Team Lead)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Possible solutions
If we prevent changes to syncable user attributes as soon as LDAP is enabled, rather than only after it first syncs, this will ensure LDAP is the single source of truth for user authentication.
Proposal
As soon as LDAP is enabled (not upon the first LDAP sync), the following user attributes are considered read-only and cannot be changed by users themselves or by admins:
- profile name
- email address
- location
(For these attributes LDAP is the single source of truth.)
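The difference between the current and the proposed behaviour, as an added illustration that is not GitLab's own code: a guard that decides which requested profile changes to reject. The attribute list, the policy names and the keyword-argument user state are assumptions made for this example.

```ruby
# Added illustration, not GitLab's code. Attributes LDAP is the source of
# truth for (assumed names for this example).
LDAP_SYNCED_ATTRIBUTES = %i[name email location].freeze

module SyncableAttributeGuard
  module_function

  # Are the LDAP-managed attributes read-only under the given policy?
  #   :after_first_sync - current behaviour: locked only once a sync has run,
  #                       leaving a window between enabling LDAP and that sync
  #   :on_enable        - proposed behaviour: locked the moment LDAP is enabled
  def locked?(ldap_enabled:, ldap_synced:, policy:)
    case policy
    when :after_first_sync then ldap_enabled && ldap_synced
    when :on_enable        then ldap_enabled
    else raise ArgumentError, "unknown policy #{policy.inspect}"
    end
  end

  # Given a hash of requested attribute changes, return the attribute names
  # that must be rejected. Attributes LDAP does not manage are always allowed.
  def rejected_changes(changes, ldap_enabled:, ldap_synced:, policy:)
    return [] unless locked?(ldap_enabled: ldap_enabled,
                             ldap_synced: ldap_synced, policy: policy)
    changes.keys.map(&:to_sym) & LDAP_SYNCED_ATTRIBUTES
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: LDAP enabled, first sync not yet run, and a user asks
  # to change both a synced attribute (email) and an unmanaged one (bio).
  changes = { 'email' => 'new@example.com', 'bio' => 'hello' }
  %i[after_first_sync on_enable].each do |policy|
    rejected = SyncableAttributeGuard.rejected_changes(
      changes, ldap_enabled: true, ldap_synced: false, policy: policy
    )
    puts "#{policy}: rejected #{rejected.inspect}"
  end
end
```

Under the current policy the email change slips through during the pre-sync window; under the proposed policy it is rejected while the bio change is still allowed.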
What is the type of buyer?
Large enterprise organizations with strict compliance needs.
Links / references
Similar issue linked here: #24605 (closed). This issue does not include LDAP-specific workflows.
Issue readiness
- Product: issue description is accurate with an acceptable proposal for an MVC
- Engineering: issue is implementable with few remaining questions, is sufficiently broken down, and is able to be estimated