- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: 3.20.0
- Component/s: Roles & Permissions
- Sprint: NOS 11.1.16 - 2019-08 2
- Story Points: 3

When creating users and groups in Studio, the Administrator user with its default password is added automatically.
If customers keep it as is and use the always policy, it means the instance will drop every existing user and use the Studio config instead at restart, with the default credentials.
We recently noticed a large number of important customers in our cloud using the default credentials, probably without knowing it. We need to prevent customers from putting their security at risk.

Acceptance criteria (AC):
- When creating users and groups, the Administrator user has a random password instead of "Administrator"
- When creating users and groups, the Administrator email is devnull@nuxeo.com instead of administrator@example.com (the example.com address could send sensitive information to that domain)
- When an existing users and groups configuration has Administrator / Administrator, display a validation warning:
  "Using the default credentials for the Administrator account puts your application security at risk. We strongly recommend you to change the password for this user."