FGAP v2: RESET_PASSWORD capability for USERS #41901

@Bagautdino

Description

Why: Password resets were implicitly granted by MANAGE_USERS. With FGAP v2 we need policy-based, auditable control to allow/deny resets per user/group with deny-overrides and secure-by-default behavior.

What:

  • Add reset-password scope to USERS
  • Require RESET_PASSWORD in UserResource.resetPassword()
  • UserPermissionsV2 implements deny-overrides, secure-by-default; optional fallback to MANAGE_USERS via fgap.v2.resetPassword.fallbackToManageUsers (default=false)
  • getAccess(user).resetPassword for Admin Console
  • Preserve self-service password change
  • Logging/auditing enhancements
  • Tests and docs

Migration notes: When FGAP v2 is enabled and no RESET_PASSWORD policies exist, reset is denied by default unless fallback is enabled.
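
The decision rule described in this issue (deny-overrides, deny when no policy matches, optional fallback to MANAGE_USERS) can be modelled as follows. This is an added example, not part of the original issue and not Keycloak's code: all type and method names are hypothetical, the data is constructed, and it assumes the fallback is consulted only when no RESET_PASSWORD policy matches the target user.

```java
import java.util.List;
import java.util.Set;

// Added illustration; every type and method name here is hypothetical, not Keycloak's API.
public class ResetPasswordDecision {
    enum Effect { PERMIT, DENY }

    // One RESET_PASSWORD policy: the admin it concerns and a target of the
    // form "user:<name>" or "group:<name>".
    record Policy(String admin, String target, Effect effect) {}
    record User(String name, Set<String> groups) {}

    // Deny-overrides: any matching DENY wins; otherwise one matching PERMIT is enough.
    // No matching policy: deny, unless the fallback flag is on and the admin holds
    // MANAGE_USERS (assumption: the fallback applies only when nothing matched).
    static boolean canResetPassword(String admin, User target, List<Policy> policies,
                                    boolean hasManageUsers, boolean fallbackToManageUsers) {
        boolean permitted = false;
        for (Policy p : policies) {
            boolean applies = p.admin().equals(admin)
                    && (p.target().equals("user:" + target.name())
                        || target.groups().stream().anyMatch(g -> p.target().equals("group:" + g)));
            if (!applies) continue;
            if (p.effect() == Effect.DENY) return false; // deny overrides any permit
            permitted = true;
        }
        if (permitted) return true;
        return fallbackToManageUsers && hasManageUsers;  // secure by default: false
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User("alice", Set.of("staff"));
        User bob = new User("bob", Set.of("staff", "executives"));
        List<Policy> policies = List.of(
                new Policy("helpdesk", "group:staff", Effect.PERMIT),
                new Policy("helpdesk", "group:executives", Effect.DENY));

        System.out.println("helpdesk -> alice (group permit): "
                + canResetPassword("helpdesk", alice, policies, false, false));
        System.out.println("helpdesk -> bob (permit and deny both match): "
                + canResetPassword("helpdesk", bob, policies, false, false));
        System.out.println("legacy admin with MANAGE_USERS, fallback off: "
                + canResetPassword("legacy", alice, policies, true, false));
        System.out.println("legacy admin with MANAGE_USERS, fallback on: "
                + canResetPassword("legacy", alice, policies, true, true));
    }
}
```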
