Commit ceb8703c authored by Nick Malcolm ☑️, committed by Thomas Loughlin

Add workflow for updating Email OTP enrollment via the Admin area

parent fc4ca92f
+10 −1
@@ -368,6 +368,15 @@ Potential scenarios where enforcement delay may be requested:
5. Collect user ID(s) based on request type:
   - **Enterprise owner targeting enterprise users**: Collect all user IDs. Ensure these IDs all belong to the paid account and they are enterprise users (or meet [support's definition](/handbook/support/workflows/gitlab-com_overview/#enterprise-users)). Ensure all target users already had `email_otp_required_after` set. A GitLab.com admin can check this by visiting `/admin/users/<username>` and checking for the `Email OTP` field.
   - **Top-level group owner targeting non-enterprise users**: We can only delay enforcement for one target user. Collect the target user's ID and ensure it belongs to the paid account. Ensure the target user already had `email_otp_required_after` set. A GitLab.com admin can check this by visiting `/admin/users/<username>` and checking for the `Email OTP` field.
6. File a [console escalation internal request](https://gitlab.com/gitlab-com/support/internal-requests/-/issues/new?description_template=GitLab.com%20Console%20Escalation%20%28Read-write%29) to set `email_otp_required_after` to the agreed future date for all applicable users.
6. For a small number of users, use the GitLab Admin area:
   1. In Admin > Users, click "Edit" on each user
   2. Scroll to the "Access" section and locate "Email OTP"
   3. Use the datepicker to select a date reflecting the chosen delay. (Note: a blank date may be overriden as part of account security logic).
   4. Add an [Admin Note](/handbook/support/workflows/admin_note.md) on the account describing the change e.g. `<date> | Email OTP required set to <value> | <ticket link>`
   5. Click save
   6. Check the updated `Email OTP` field. The UI reflects the saved value, respecting validation rules, for example:
      1. Cannot be `nil` if MFA is mandatory (`Gitlab::CurrentSettings.require_minimum_email_based_otp_for_users_with_passwords?`) and user lacks alternative MFA
      2. Cannot be present if the user has MFA enabled AND is part of a namespace/top-level group that enforces 2FA
7. For a large number of users, file a [console escalation internal request](https://gitlab.com/gitlab-com/support/internal-requests/-/issues/new?description_template=GitLab.com%20Console%20Escalation%20%28Read-write%29) to set `email_otp_required_after` to the agreed future date for all applicable users.

<!--template sourced from https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Default.md-->
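Review bot: In the new Admin area sub-steps, the Admin Note (sub-step 4) is written before the save (sub-step 5) and before the check of the resulting `Email OTP` field (sub-step 6), so the note's `<value>` can differ from what is actually stored when one of the listed validation rules applies or a blank date is overridden. Suggest checking the saved field first and recording that value in the note, and stating what the agent should do when the field does not show the requested date. The split between "a small number of users" (step 6) and "a large number of users" (step 7) has no threshold, and because the two are numbered consecutively they read as sequential steps rather than alternatives; a concrete cutoff and an explicit "otherwise" in step 7 would remove the ambiguity. Minor: "overriden" should be "overridden".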