Research Account recovery Options

[bbmcmann]

SLOBG admins want to be able to reset passwords for people, as they have trouble completing the process themselves.

What is already implemented for forgot password (what packages, who gets emails etc.)
Are we able to send an email directly to admins instead of to the user?
Are admins able to make changes on people's accounts, or is this blocked by AWS?

[rajvirvyas]

What is already implemented for forgot password (what packages, who gets emails etc.)
We are importing the Authenticator which allows us to reset the password, and the user gets the emails.

Are we able to send an email directly to admins instead of to the user?
This should be possible, we would need to restructure what happens when the user clicks the reset password button. Currently, it sends the user a code to their email and then allows them to reset the password once that code is verified. I think that rather than have admins get the reset password email and all, we should just enable a user to send a reset password request, after which the admin would change the password and send that new password through email to the user.

Are admins able to make changes on people's accounts, or is this blocked by AWS?
I believe that admins should be able to make changes to people's accounts, we can try using IAM policies in order to declare admins to have the ability to modify user-set info. Through the CLI API, we can get a user's profile, and password, and update it using commands outlined in the below webpages.

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html