Users Disappear for Certain Administrators When a Role is Added

[bredd]

Presently, users are not visible to state coordinators, district coordinators, or school coordinators if they have a role connected to an entity to which that coordinator does not have access.

This causes two problems -- both of which appear to be bugs to the coordinator.

• If a coordinator adds a user that already has a role somewhere else in the system, the operation is successful, the new role is added but the user and new role are not visible to the coordinator. Since the coordinator cannot see the newly created user or role, they perceive the operation as having failed.
• If an existing user is granted a role somewhere else in the system, that user will disappear from the ART console for the coordinator who originally created the user account.

This "feature" is in place to preserve security. If users remained visible, any coordinator in the system could hijack an existing account by adding a role within their jurisdiction, changing the user's email address, and then forcing a password reset. Users are hidden in order to prevent this kind of security violation. Any remedy must preserve security.

[bredd]

Proposed Remedy

• Coordinators should be able to "see" all users that have roles at or below their domain. But only the roles that are within their domain should be visible. For users with roles in other domains outside the coordinator's jurisdiction, there should be a message to that effect. E.g. "User has roles in other domains."
• Coordinators should be able to perform a password reset for any user within their domain.
• When a password reset is requested, the coordinator should be presented with a confirmation dialog before the reset is performed. The password reset notification email should include the name of the coordinator that requested the reset. The confirmation dialog should inform the coordinator that their name will appear on the reset message. Including the coordinator's name on password reset messages will provide auditability. This will reduce abuse of the system by coordinators adding users to their domain simply to generate a password reset.
• When the last role for a user is removed, the user's account should be deleted.
• Coordinators should NOT be able to change the email address or phone number for a user if they have roles outside the coordinator's domain. This limitation should apply both to the UI and to bulk uploads.
• Coordinators should NOT be able to view, edit, or remove roles that are outside their domain.
• Users should be able to access their own information in ART. The information displayed should include the following:
  • All Roles assigned to them
  • Email address
  • Phone number
• Users should be able to edit their own information in ART.
  • Password
  • Email address
  • Phone number
  • Delete assigned roles (but not add them). Before a user deletes a role, they should be warned that they will have to contact a coordinator to restore the role. Confirmation should require that they type something in such as "DELETE ROLE" so that we're really sure they want to do this.

[bredd]

AIR proposes to prevent the removal of all roles in the ART UI. This is a good suggestion.

However, we need to consider the situation where a user has roles in more than one unit/organization. The administrator from one organization may legitimately want to remove the last role for the user that they can see. However, the account should persist because the user still has a role in another organization.

Likewise, an administrator should not be able to delete a user if they have a role in another organization to which the admin does not have access.