Provide a COmanage interface for user suspension, accessible to members of the ACCESS security team.
Possible implementation:
Add ACCESS security team members as owners of the AccessDenied group, so they can add/remove users.
Update the Kerberos provisioner to disable (enable) Kerberos principals when they are added to (removed from) the AccessDenied group.
Update the AccessdbProvisioner to set (unset) the is_suspended flag when users are added to (removed from) the AccessDenied group. (Nathan is working to make the is_suspended flag available via the ACCESS DB API.)
CILogon is already configured to block authentication for users in the AccessDenied group and redirect the user's browser to https://identity.access-ci.org/user-access-denied .
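The two provisioner updates described above both reduce to the same step: diff AccessDenied membership and emit one disable/enable action per changed user. The sketch below is an added example, not code from COmanage or the ACCESS provisioners. It assumes MIT Kerberos (where clearing `allow_tix` disables a principal), a placeholder realm `EXAMPLE.ORG`, and a hypothetical `plan_suspension_changes` helper and username pattern.

```python
import re

# Assumption: principals are "<username>@<REALM>"; this realm is a placeholder.
REALM = "EXAMPLE.ORG"
# Assumed conservative username pattern, so nothing unexpected reaches the
# kadmin query string.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.-]{0,31}$")


def plan_suspension_changes(previous_members, current_members):
    """Diff two snapshots of AccessDenied membership into provisioning actions.

    Returns one dict per changed user, sorted by username so the plan is
    deterministic. Users whose membership did not change produce no action,
    so re-running the provisioner on the same state is a no-op.
    """
    previous, current = set(previous_members), set(current_members)
    actions = []
    for user in sorted(previous ^ current):
        if not USERNAME_RE.match(user):
            raise ValueError(f"refusing to provision unexpected username: {user!r}")
        suspended = user in current  # added to the group => suspend
        # MIT Kerberos: clearing allow_tix stops ticket issuance for the principal.
        flag = "-allow_tix" if suspended else "+allow_tix"
        actions.append({
            "user": user,
            "is_suspended": suspended,  # value for the ACCESS DB flag
            "kadmin_argv": ["kadmin", "-q", f"modprinc {flag} {user}@{REALM}"],
        })
    return actions


if __name__ == "__main__":
    # Constructed sample: bob is newly suspended, carol is reinstated.
    before = {"alice", "carol"}
    after = {"alice", "bob"}
    for action in plan_suspension_changes(before, after):
        print(action)
```

Passing the command as an argument vector and validating the username first keeps a malformed group member from altering the kadmin query.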