Cory Calvert
My feedback
1 result found
-
9 votes
Upon Clarification, I have created a PR (5564535) to add individual fields in Request Changes for Email Addresses.
Keep an eye out for emails regarding this product idea!
Thank you!
Erik O.
An error occurred while saving the comment Cory Calvert
supported this idea
·
It looks like this request has been hanging out there for a long time now. This is actually pretty important from a security perspective, as many districts use the primary email address for SSO authentication with SAML. Right now, you can either prevent users from changing any email addresses at all, which keeps the HR department from having an up-to-date secondary contact email, or you can allow users to change all email addresses, including their primary email address, which allows users to effectively change their own username in the system (depending on SSO configuration).
I just had to fix a problem with one of our employees getting locked out of HR/Finance after they updated their own email address, which was set to Auto-Approve in Request Change Setup. I could imagine some districts allowing a combination of SSO and LDAP or local authentication for users, and in that case, if a privileged user who normally logs in with LDAP or a local account didn't have their school email address in the primary email address field, a less-privileged user could simply change their own primary email address to that of the high-privileged user and then reauthentication to the HR system as the high-privileged user through SSO. This seems like a potentially serious security issue.