ofbiz-user mailing list archives

From BJ Freeman <bjf...@free-man.net>
Subject Re: Password reset for admin?
Date Sun, 31 Jul 2011 13:23:03 GMT
Looking at the current trunk, the login checks the party, then looks in
contactmech for the Primary Email address.
The contact Primary Email address set in the party is used to put the
incoming emails into that party or party group.
So if you have a party group of Sales, you should associate the employee
party to the Sales so they can access the Sales Emails and Send Emails
with the Sales@mydomain.com.
However, each employee should have their own Party with the Primary Email
address being one that is External to mydomain.com and ofbiz.
Then the email Password would go to that party's external email address.

This part is a choice that I recommend: that a backdoor login be assigned
to the Admin party that is not common and is not used except in dire
emergencies. The Primary Email should only go to the owner of the
business. The back door I used is not even assigned to a party, it just
has the permissions, so there is no way to get the Admin password emailed.
It can only be reset through webtools.

Each employee that would have Admin access should have that in their
permissions for the login of their partyID. This way, if an employee
moves on, their access to admin can be terminated without a lot of
disruption to the company's process.

If someone has a different scheme please share.

BJ Freeman sent the following on 7/30/2011 10:53 AM:
> Even if someone requests a password for admin it will only go to the
> email account specified in the profile.
> I do run a nightly service that is like my own dictionary service for
> passwords that are common. Then the system sends a password reset to
> the email.
> BJ Freeman sent the following on 7/30/2011 10:22 AM:
>> They may have a party Sales; at least in my systems, the login is email
>> addresses. It is harder for dictionary attacks to be effective.
>> Mike sent the following on 7/30/2011 7:41 AM:
>>> There must be something more.  Any organization would have generic
>>> logins, like "sales", or it would be easy to guess employee logins
>>> from the "about us" page.  It makes sense that the password reset
>>> should be intended ONLY for customers, not (any) system-type login.
>>> I would think that the password reset feature should be limited to
>>> certain roles, like "Customer".
>>> On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman <bjfree@free-man.net> wrote:
>>>> For production systems do not use "admin" as a login.
>>>> It is never created.
>>>> Mike sent the following on 7/30/2011 12:10 AM:
>>>>> Why is it that *any* user, using the password reset or "Forgot
>>>>> Your Password", can actually force "admin" to change the password?  Is
>>>>> there a way to turn this off?
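The reset flow and the restrictions discussed in this thread, as an added standalone model written for this page; it is not OFBiz code, the entity, role and contact-mech purpose names are assumptions modelled on the OFBiz data model, and every record is constructed.

```python
# Model of a self-service password reset that walks login -> party -> PRIMARY_EMAIL,
# refuses logins with no party (the break-glass admin, reset only via webtools),
# and limits reset to customer-type roles as proposed in the thread.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Party:
    party_id: str
    roles: Set[str] = field(default_factory=set)
    primary_email: Optional[str] = None  # the PRIMARY_EMAIL contact mech, if any


# Constructed sample data (assumed names): a customer, an employee whose primary
# email is external to mydomain.com, the shared Sales party group, and a
# break-glass admin login that is deliberately not tied to any party.
PARTIES: Dict[str, Party] = {
    "CUST1": Party("CUST1", {"CUSTOMER"}, "alice@example.org"),
    "EMP1": Party("EMP1", {"EMPLOYEE"}, "bob.personal@example.net"),
    "SALES": Party("SALES", {"SALES_GROUP"}, "sales@mydomain.com"),
}
USER_LOGINS: Dict[str, Optional[str]] = {
    "alice": "CUST1",
    "bob": "EMP1",
    "sales": "SALES",
    "x7q-breakglass": None,  # permissions only, no party -> nothing to email
}
RESET_ROLES = {"CUSTOMER"}  # Mike's suggestion: reset only for customer-type logins


def reset_target(user_login_id: str) -> Tuple[Optional[str], str]:
    """Return (email_to_notify, reason); email is None when no mail may be sent."""
    if user_login_id not in USER_LOGINS:
        return None, "unknown login"
    party_id = USER_LOGINS[user_login_id]
    if party_id is None:
        return None, "login has no party; reset only through webtools"
    party = PARTIES[party_id]
    if not party.roles & RESET_ROLES:
        return None, "party role not eligible for self-service reset"
    if not party.primary_email:
        return None, "party has no PRIMARY_EMAIL contact mech"
    return party.primary_email, "ok"


def handle_reset_request(user_login_id: str, audit: List[Tuple[str, str]]) -> str:
    """The requester sees the same reply in every case, so the form cannot be used
    to enumerate logins; the real outcome is recorded in the audit log only."""
    email, reason = reset_target(user_login_id)
    audit.append((user_login_id, reason))
    if email:
        pass  # hand the reset link to the mailer for `email` here
    return "If that login exists, a reset link has been sent to its email on file."
```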
