Open jentfoo opened 5 months ago
This has come up several times before for access requests, and we have decided not to do it.
Whatever we do, it should probably be consistent. I would not expect this behavior to differ for users and access requests.
This seems to be a frequent source of confusion, so I think we should continue to consider this.
Whenever an account or session must be immediately denied, our locking functionality must be used: https://goteleport.com/docs/access-controls/guides/locking/
This is not always intuitive, and customers may be unaware that this is required when an account is deleted or roles are changed. We should consider auto-adding locks where it is reasonable and easy to do so. For example:
Raised in part from this issue: https://github.com/gravitational/security-findings/issues/73