Projects:Password Management/Functional Specifications
Password Management - Functional Specifications
Overview
Openbravo ERP's current handling of user passwords has several shortcomings that need to be addressed.
Purpose
The purpose of this project is to improve password management by resolving the issues identified in this area.
Functional Requirements
User roles & profiles
- Openbravo Admin
  - This role has permission to perform administrative tasks in Openbravo ERP, including managing security policies; an Openbravo Admin can therefore modify other users' passwords.
- Standard User
  - A standard user (with no security management permissions) is able to change her own password.
Business process definition
The process definition for this project is based on the following list of requested features:
- Modify the "show encrypted" (Display Encryption) reference so that:
  - 478: the user must re-enter the password when inserting or modifying it. The pop-up for entering the password gets a second box to confirm it; if the two entries do not match, an error is raised.
  - 354: the UI distinguishes between a user with a password and a user with a blank one. When rendering a password field, a fixed number of asterisks is shown if the stored password is not empty, so the real length is not revealed.
  - 353: the password can be entered without first saving the current record.
- 189: Add to the User tab a process that auto-generates a password and sends it to the user by e-mail.
- 188: Modify Initial Client Setup to request passwords for the users it creates. If they are left blank, the current behaviour is kept (the password is the same as the user name).
- 3416: Add new password policies:
  - Maximum password length: the GUI currently limits passwords to 10 characters; raise the limit to 20 to allow stronger passwords.
  - Minimum password length: a password must have at least 7 characters.
  - Expiration: passwords expire after a defined period of time.
  - Password history: users may not change their password to one used recently.
  - Password complexity: a strong password contains uppercase and lowercase letters as well as digits; the change-password window should enforce this.
- 3434: Block a user after a number of failed login attempts.
Functional requirements based on business processes
Num | Requirement | Importance | Status | Estimated time | Comments |
---|---|---|---|---|---|
0 | Define password reference | ?? | To be started | 1d | It must be decided whether all these new features are implemented for a new reference or for the current isEncrypted standard column |
1.1 | Ask to re-enter the password when inserting or modifying it | Must have | To be started | 1d | |
1.2 | Modify Initial Client Setup to request passwords for the users to be created | Must have | To be started | 1d | |
1.3 | Extend the password length to 20 characters to allow stronger passwords | Must have | To be started | 2h | |
1.4 | Do not allow the UI to accept passwords shorter than 7 characters | Must have | To be started | 4h | |
1.5 | Distinguish in the UI whether a user has a password or it is blank | Should have | To be started | 1d | |
1.6 | Allow entering the password without needing to save the current record | Should have | To be started | 1d | This would require sending the encrypted password in a separate HTTP POST |
1.7 | Add to the User tab a process to auto-generate a password and send it to the user by e-mail | Should have | To be started | 2d | This requires the user's e-mail address to be set correctly |
1.8 | Check password complexity when creating it | Should have | To be started | 1d | |
1.9 | Define and manage an expiration time for passwords | Nice to have | To be started | 2d | |
1.10 | Maintain a password history so that an already used password cannot be re-entered | Nice to have | To be started | 4d | |
1.11 | Block a user after a number of failed login attempts | Nice to have | To be started | 3d | |
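The policies listed under 3416 and 3434 above, and repeated as requirements 1.1, 1.3, 1.4, 1.7, 1.8, 1.9, 1.10 and 1.11 in the table, can be modelled end to end in a few functions. The block below is an added illustration in Python and is not Openbravo code (Openbravo ERP itself is written in Java). It assumes a salted PBKDF2 hash for stored passwords, a history depth of 5, a 90-day expiration period and a lockout threshold of 5 failed attempts; none of these values are fixed by the specification, and the `UserAccount` class and its method names are hypothetical.

```python
"""Password policy, history, expiry and lockout checks for the requirements above.

Added example, not Openbravo code. The hashing scheme, history depth, expiry
period and lockout threshold are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string

MIN_LENGTH = 7           # spec 3416: at least 7 characters
MAX_LENGTH = 20          # spec 3416: GUI limit raised from 10 to 20
HISTORY_DEPTH = 5        # assumption: previous passwords remembered besides the current one
EXPIRY_SECONDS = 90 * 86400   # assumption: 90-day expiration period
MAX_FAILED_ATTEMPTS = 5  # assumption: lockout threshold (spec 3434 leaves the number open)
PBKDF2_ITERATIONS = 100_000   # assumption: work factor of the password hash
ALPHABET = string.ascii_letters + string.digits


def check_policy(password, confirmation):
    """Return the list of policy violations; an empty list means the password is acceptable.

    Covers requirement 1.1 (re-enter and compare), 1.3/1.4 (length) and 1.8 (complexity).
    """
    problems = []
    if password != confirmation:
        problems.append("passwords do not match")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). A fresh salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def generate_password(length=12):
    """Draw a random password from a CSPRNG until it satisfies the policy (requirement 1.7)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate, candidate):
            return candidate


class UserAccount:
    """Hypothetical account model holding only the state the checks need."""

    def __init__(self, username, password, now):
        self.username = username
        self.history = []          # previous (salt, digest) pairs, newest last; never plaintext
        self.failed_attempts = 0
        self.locked = False
        self.changed_at = now      # seconds since epoch of the last password change
        self.salt, self.digest = hash_password(password)

    def is_expired(self, now):
        """Requirement 1.9: the password is stale once the expiry period has elapsed."""
        return now - self.changed_at > EXPIRY_SECONDS

    def change_password(self, new_password, confirmation, now):
        """Apply the policy plus the history check (1.10); return the list of violations."""
        problems = check_policy(new_password, confirmation)
        remembered = [(self.salt, self.digest)] + self.history
        if any(verify_password(new_password, s, d) for s, d in remembered):
            problems.append("password was used recently")
        if problems:
            return problems
        self.history = (self.history + [(self.salt, self.digest)])[-HISTORY_DEPTH:]
        self.salt, self.digest = hash_password(new_password)
        self.changed_at = now
        return []

    def login(self, password, now):
        """Return 'ok', 'locked', 'expired' or 'bad'; lock the account after repeated failures (1.11)."""
        if self.locked:
            return "locked"
        if not verify_password(password, self.salt, self.digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
            return "bad"
        self.failed_attempts = 0
        if self.is_expired(now):
            return "expired"
        return "ok"


if __name__ == "__main__":
    acct = UserAccount("alice", "Secret01", now=0)
    print(acct.change_password("Secret01", "Secret01", now=1))   # history rejects reuse
    print(acct.login("Secret02", now=0), generate_password())
```

The history holds only salted digests, so an attacker who reads the user table does not get a list of the user's old passwords; the reuse check costs one hash computation per remembered entry. The 20-character cap is kept only because the specification sets it for the GUI: once passwords are hashed rather than stored with reversible encryption, a longer limit costs nothing. A password produced by `generate_password` and mailed to the user should be treated as temporary, for instance by setting `changed_at` far enough in the past that the first login reports it as expired and forces a change.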
Closed Discussion Items
- ALO: Currently there is no password reference; the way to display a column as a password is to set it as Display Encryption. This is done this way just to be more generic: it is intended not only for passwords but for any field whose content must be stored encrypted. Some of the previously defined specifications are applicable only to passwords (re-enter, length, strength...), so it might be necessary to create a new password reference; on the other hand, all the encrypted fields currently in use (at least in the core product) store passwords. This is also discussed in the technical documentation.
- ALO: Yes, a new reference is going to be created.