Post by AMI_alvin on Apr 30, 2020 8:50:43 GMT
Hi all,

California Law SB-327 defines:

To my understanding, this law forces all users to change their password at first login. I think the "PasswordChangeRequired" property might be designed for this law.

Here is the definition of "PasswordChangeRequired" in the ManagerAccount.v1.5.0.json schema:

However, I found one scenario that may violate the California law:

1. Create a new account (TestAccount); the "PasswordChangeRequired" value is set to "true" by default.
2. Before TestAccount's first login, the Administrator PATCHes TestAccount's "PasswordChangeRequired" value to "false".
3. TestAccount would not need to change its password at first login.

So here are my questions:

1. Is "PasswordChangeRequired" designed for this California Law?
2. If the answer is yes, should the manager accounts be allowed to PATCH "PasswordChangeRequired" as "false"?

Thanks,
Alvin
Post by jautor on May 3, 2020 1:29:07 GMT
> So here are my questions:
>
> 1. Is "PasswordChangeRequired" designed for this California Law?
> 2. If the answer is yes, should the manager accounts be allowed to PATCH "PasswordChangeRequired" as "false"?
>
> Thanks,
> Alvin

These statements are not legal advice, and any compliance or legal questions should be addressed by your own legal counsel.

The "PasswordChangeRequired" property was created to address these types of requirements. It also provides administrators with a mechanism to provide provisioned accounts to others, while ensuring that any default passwords they provide are changed.

In my opinion, the law in question was intended to address "preprogrammed" authentication credentials provided by the "manufacturer". In the case you suggest, this would not appear to apply, as the account credentials were provided by the Administrator (not the "manufacturer").

Regardless, your implementation could certainly reject a PATCH of "false" to "PasswordChangeRequired" if you are concerned about that case. The requirement on the service is to set that value to "false" when the password is changed, so rejecting a PATCH to "false" would not cause any interoperability issues that I can see...

Jeff
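One way a service could implement the behavior suggested in the reply above, as an added example that is not part of the thread or of any Redfish implementation. The `Account` class, the `patch_account` function, the HTTP 400 status and the same-password check are assumptions of this sketch; the account and passwords used with it are constructed.

```python
import hashlib
import hmac
import os

WRITABLE = {"Password", "PasswordChangeRequired"}


class Account:
    """In-memory stand-in for a ManagerAccount resource (hypothetical)."""

    def __init__(self, username, password):
        self.username = username
        self.password_change_required = True  # default from step 1 of the scenario
        self.set_password(password)

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)

    def same_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password))


def patch_account(account, body):
    """Validate the whole PATCH body first, then apply it. Returns (status, message)."""
    if set(body) - WRITABLE:
        return 400, "unsupported property in PATCH body"
    # A client may only raise the flag; JSON false, null, 0 and "false" are rejected.
    if "PasswordChangeRequired" in body and body["PasswordChangeRequired"] is not True:
        return 400, "PasswordChangeRequired is cleared only by a password change"
    new_pw = body.get("Password")
    if "Password" in body:
        if not isinstance(new_pw, str) or not new_pw:
            return 400, "Password must be a non-empty string"
        # Re-submitting the current password is not a change and must not clear the flag.
        if account.same_password(new_pw):
            return 400, "new password must differ from the current one"
        account.set_password(new_pw)
        account.password_change_required = False  # service clears it on change
    if body.get("PasswordChangeRequired") is True:
        account.password_change_required = True  # e.g. admin hands out a temporary password
    return 200, "OK"
```

Because validation runs before anything is applied, a PATCH that pairs a new password with `"PasswordChangeRequired": false` is rejected as a whole and leaves the stored password untouched.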
Post by josephreynolds1 on May 4, 2020 15:09:29 GMT
I am also not an attorney, and this is not legal advice. I understand CA law SB-327 applies to the manufacturer and not to any actions the admin may take.