Reviewers (PMD-3529):

User Story

  • As a CSP (who must comply with internal security policies and regularly undergoes security audits), I want to enforce a current password confirmation step whenever a reseller/representative/distributor changes their password in their portal, so that the system meets our security policy requirements and reduces the risk of unauthorized account takeovers.

  • As a reseller/representative/distributor using my portal, I want the system to require my current password whenever I change my password, so that no one can change my password and take over my account if I temporarily leave my workstation unattended while logged in.

Example of use

The functionality will allow the CSP to stay compliant with its current internal security policies and bring consistency to all existing entities in PortaSwitch (all the entities will follow the same ).

Business model

N/A

Technology

N/A

Current Solution

At the moment, on the web interface, only the following entities have an "Old password" field:

  • user
  • customer
  • account
  • PortaConfigurator user

but there is no "Old password" field for Reseller, Representative and Distributor.

Stakeholders and their benefits

Who are the users / whom we bring value to?

Benefit / Stakeholders | Tighter Control | Security Requirement
CSP                    |                 |
Resellers              |                 |
Distributors           |                 |
Representatives        |                 |

Use Cases

Use case #1: Password change

Roles: Reseller/Representative/Distributor, system (PortaSwitch)

Preconditions: password expiry is set to the default of 30 days

Use scenario #1.1: Manual password change

  • On  Reseller/Representative/Distributor logs in to their Self-Care portal
  • Navigates to the Web Self-care tab and tries to change their password
  • Enters:
    • Incorrect current password
    • New password
    • New password confirmation
  • System validates the current password
  • System displays an error message that current password is incorrect
  • Reseller/Representative/Distributor retries by entering:
    • Correct current password
    • New password
    • New password confirmation
  • System validates the current password
  • If valid, the system stores the new password for Reseller/Representative/Distributor (on )

Use scenario #1.2: Password change upon expiry

  • Continues after #1.1
  • On  Reseller/Representative/Distributor logs in to their Self-Care portal
  • System detects that the password has expired
  • Reseller/Representative/Distributor is redirected to the Password Change page
  • Enters:
    • Correct current password
    • New password
    • New password confirmation
  • System validates the current password and updates it
  • Reseller/Representative/Distributor logs in to their Self-Care portal with the new password which, next time, will expire on  
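The two use scenarios above, worked through in code. This is an added example for illustration, not PortaSwitch's own implementation: the PortalUser class, the change_password and login functions, the redirect result values and the PBKDF2 hashing are assumptions made for this example; only the entity roles, the fields entered (current password, new password, confirmation), the error condition for an incorrect current password and the 30-day default expiry come from this document. The ordering matters for the security goal stated in the user story: the current password is verified before anything else is touched, so a mismatch leaves the stored credential unchanged.

```python
"""Added example (not PortaSwitch code): password change with current-password
confirmation for reseller/representative/distributor portal logins.
Class and function names are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PASSWORD_EXPIRY = timedelta(days=30)   # default expiry from the Preconditions
PBKDF2_ITERATIONS = 600_000            # assumed work factor for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 key; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PortalUser:
    """A reseller, representative or distributor portal login (constructed model)."""
    login: str
    role: str                    # "reseller" | "representative" | "distributor"
    salt: bytes
    password_hash: bytes
    password_set_at: datetime

    @classmethod
    def create(cls, login: str, role: str, password: str, now: datetime) -> "PortalUser":
        salt = secrets.token_bytes(16)
        return cls(login, role, salt, _hash_password(password, salt), now)

    def verify(self, candidate: str) -> bool:
        # Constant-time comparison of the derived keys avoids timing leaks.
        return hmac.compare_digest(self.password_hash, _hash_password(candidate, self.salt))

    def password_expired(self, now: datetime) -> bool:
        return now - self.password_set_at >= PASSWORD_EXPIRY


class PasswordChangeError(Exception):
    """Raised when the change request fails validation; nothing is stored."""


def change_password(user: PortalUser, current_password: str, new_password: str,
                    new_password_confirmation: str, now: datetime) -> bool:
    """Scenario #1.1: validate the current password first, then the confirmation,
    and only then store the new password (with a fresh salt and timestamp)."""
    if not user.verify(current_password):
        raise PasswordChangeError("Current password is incorrect")
    if new_password != new_password_confirmation:
        raise PasswordChangeError("New password and confirmation do not match")
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)
    user.password_set_at = now
    return True


def login(user: PortalUser, password: str, now: datetime) -> str:
    """Scenario #1.2: a valid login with an expired password is redirected to
    the Password Change page instead of the portal. Result strings are assumed."""
    if not user.verify(password):
        return "login_failed"
    if user.password_expired(now):
        return "redirect_password_change"
    return "self_care_portal"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed timestamp
    reseller = PortalUser.create("reseller1", "reseller", "OldPass#1", t0)
    try:
        change_password(reseller, "wrong-current", "NewPass#2", "NewPass#2", t0)
    except PasswordChangeError as err:
        print("rejected:", err)                              # scenario #1.1, first attempt
    t1 = t0 + PASSWORD_EXPIRY
    print(login(reseller, "OldPass#1", t1))                  # redirect_password_change
    change_password(reseller, "OldPass#1", "NewPass#2", "NewPass#2", t1)
    print(login(reseller, "NewPass#2", t1))                  # self_care_portal
```

A failed attempt with a wrong current password raises before any state is modified, which is the property that protects an unattended but logged-in session; the expiry check runs only after the credential itself has been verified, so an attacker cannot use the redirect to learn whether a login exists.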

Wireframes

  • This is an optional section.
  • A wireframe is a quick illustration of an idea, not the prototype itself.
  • The key point is that the final prototype might look completely different after the Solution Design stage.

Reseller

Representative

Distributor

Non-functional requirements

N/A

Peculiarities

According to the API guide, the change_password method for the reseller, representative and distributor entities supports the old_password field.

Performance / Clustering, Geo Redundancy/ Dual-Version, Porter / Call Control API / ESPF / Monitoring

N/A