Make syncable attributes read-only as soon as LDAP is enabled
Problem to solve
Currently there is a window of time between when LDAP is enabled and the first LDAP sync during which users are able to change attributes that should be read-only, such as profile name and email. This can cause compliance issues for large organizations that rely on LDAP as their authentication method.
Intended users
- Parker (Product Manager)
- Delaney (Development Team Lead)
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Sam (Security Analyst)
Proposal
If we prevent changes to syncable user attributes as soon as LDAP is enabled, rather than only after the first sync, LDAP remains the single source of truth for user authentication throughout.
As soon as LDAP is enabled (not upon the first LDAP sync), the following user attributes are considered read-only and cannot be changed by users themselves or by admins:
- profile name
- email address
(For these attributes LDAP is the single source of truth.)
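As an added illustration (not GitLab's own code) of the window this proposal closes, the following Ruby model compares gating edits on "LDAP enabled" with gating them on "first sync completed"; `LdapConfig`, `User#update` and the sample user are assumptions constructed for the example.

```ruby
# Added illustration, not GitLab's code. A hypothetical LdapConfig carries an
# `enabled` flag and a `last_synced_at` timestamp so both gates can be compared.
LdapConfig = Struct.new(:enabled, :last_synced_at)

# Attributes LDAP owns once it is the source of truth (profile name, email).
SYNCED_ATTRIBUTES = %i[name email].freeze

class User
  attr_reader :attrs

  def initialize(**attrs)
    @attrs = attrs
  end

  # gate: :enabled locks synced attributes as soon as LDAP is on (proposed);
  #       :synced  locks them only after the first sync (current behaviour).
  # Returns [applied?, rejected_attribute_names].
  def update(ldap, gate: :enabled, **changes)
    locked = case gate
             when :enabled then ldap.enabled
             when :synced  then ldap.enabled && !ldap.last_synced_at.nil?
             else raise ArgumentError, "unknown gate #{gate.inspect}"
             end
    rejected = changes.keys & SYNCED_ATTRIBUTES
    return [false, rejected] if locked && !rejected.empty?

    @attrs.merge!(changes)
    [true, []]
  end
end

# Constructed scenario: LDAP was just enabled and no sync has run yet.
def compliance_window
  ldap = LdapConfig.new(true, nil)
  user = User.new(name: "Sidney", email: "sidney@example.test", bio: "")
  {
    synced_gate_allows_email_change:  user.update(ldap, gate: :synced, email: "x@example.test")[0],
    enabled_gate_blocks_name_change:  !user.update(ldap, gate: :enabled, name: "Someone")[0],
    enabled_gate_allows_other_fields: user.update(ldap, gate: :enabled, bio: "SRE")[0]
  }
end

puts compliance_window.inspect if $PROGRAM_NAME == __FILE__
```

With the `:synced` gate the email change slips through before the first sync; with the `:enabled` gate it is rejected while non-synced fields such as `bio` remain editable.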
What is the type of buyer?
Large enterprise organizations with strict compliance needs.
Links / references
Similar issue: #24605 (closed). That issue does not cover LDAP-specific workflows.
- Product: the issue description is accurate, with an acceptable proposal for an MVC
- Engineering: the issue is implementable with few remaining questions, is sufficiently broken down, and can be estimated