cssat / sprout-issues

An issue-only repository for the Sprout data collection platform
https://sproutservices.org

Time out option for User Accounts and/or Passwords #195

Closed jessicamorris64 closed 2 years ago

jessicamorris64 commented 2 years ago

When a worker does not use their account for a certain number of days, have it disabled/locked. Have a mandatory password reset after a certain number of days. Currently we have a large number of Sprout accounts that are no longer active due to DCYF staff (possibly provider staff as well) who have left the agency but whose accounts remain active. By forcing a password reset on accounts that have not accessed the system in ? number of days, we would be able to manage access to Sprout more securely, as staff who are no longer with the agency would not have access to their DCYF emails to reset the passwords.

subaykan commented 2 years ago

I would suggest a simple implementation for this where we disable the user account if we can detect that a user has not logged in for some time; you can define that criterion (e.g. 6 months? 1 year?).

If this is really to address the scenario of people who leave the organization (could be DCYF, or provider orgs, or another routing org) then this would be a reasonable automatic action. Also, imposing some 'reset your password' constraint will get more complicated with the coming SAW integration.

It would be relatively easy to add a cron job that executes an update statement like this one (I tested it in UAT). For example, this one disables the user account if it sees that the last time the user logged in was a year ago:

```sql
update "Users" set state = 'disabled', "disabledAt" = now() where id in (
    select "userId" from "UserSessions" group by "userId" having "userId" in (
        select id from "Users" where state = 'approved'
    ) and max("createdAt") < now() - interval '1 year'
);
```

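An added example (not from this thread or the Sprout code base) that extends the query above to cover the case it silently skips: approved accounts with no row in "UserSessions" at all, which the GROUP BY over sessions never returns. It assumes "Users" has a "createdAt" column to fall back on, and pairs the update with a dry-run SELECT to review before the job is scheduled.

```sql
-- Dry run: list the approved accounts the cron job would disable.
-- last_activity falls back to the account's creation date ("createdAt" on
-- "Users" is an assumed column) so accounts that never logged in are included.
select u.id,
       coalesce(max(s."createdAt"), u."createdAt") as last_activity
from "Users" u
left join "UserSessions" s on s."userId" = u.id
where u.state = 'approved'
group by u.id, u."createdAt"
having coalesce(max(s."createdAt"), u."createdAt") < now() - interval '1 year'
order by last_activity;

-- The actual update, same criterion, once the dry-run list looks right.
update "Users" set state = 'disabled', "disabledAt" = now()
where state = 'approved'
  and id in (
    select u.id
    from "Users" u
    left join "UserSessions" s on s."userId" = u.id
    where u.state = 'approved'
    group by u.id, u."createdAt"
    having coalesce(max(s."createdAt"), u."createdAt") < now() - interval '1 year'
);
```
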
subaykan commented 2 years ago

closing as dup of #196