wso2 · PasinduYeshan · Dec 18, 2024 · Dec 19, 2024 · Dec 19, 2024 · Jan 2, 2025
diff --git a/.changeset/lemon-pets-wait.md b/.changeset/lemon-pets-wait.md
@@ -0,0 +1,6 @@
+---
+"@wso2is/admin.validation.v1": patch
+"@wso2is/console": patch
+---
+
+Disable rule based password expiry for users without required scopes
diff --git a/...le/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2 b/...le/java/org.wso2.identity.apps.console.server.feature/resources/deployment.config.json.j2
@@ -1304,6 +1304,36 @@
                 ]
             },
             {% endif %}
+            {% if console.rule_based_password_expiry is defined %}
+            "ruleBasedPasswordExpiry": {
+                "enabled": {% if console.rule_based_password_expiry.enabled is defined %} {{ console.rule_based_password_expiry.enabled }},
+                {% else %} true,
+                {% endif %}
+                "scopes": {
+                    {% if console.rule_based_password_expiry.scopes is defined %}
+                    {% for operation, scopes in console.rule_based_password_expiry.scopes.items() %}
+                    "{{ operation }}": [
+                        {% for scope in scopes %}
+                            "{{ scope }}"{{ "," if not loop.last }}
+                        {% endfor %}
+                    ]{{ "," if not loop.last }}
+                    {% endfor %}
+                    {% else %}
+                        "create": [],
+                        "read": [],
+                        "update": [],
+                        "delete": []
+                    {% endif %}
+                },
+                "disabledFeatures": [
+                    {% if console.rule_based_password_expiry.disabled_features is defined %}
+                    {% for feature in console.rule_based_password_expiry.disabled_features %}
+                    "{{ feature }}"{{ "," if not loop.last }}
+                    {% endfor %}
+                    {% endif %}
+                ]
+            },
+            {% endif %}
             {% if console.server is defined %}
             "server": {
                 "disabledFeatures": [

diff --git a/apps/console/src/public/deployment.config.json b/apps/console/src/public/deployment.config.json
@@ -732,9 +732,7 @@
                         "console:loginAndRegistration"
                     ],
                     "read": [
-                        "internal_governance_view",
-                        "internal_group_mgt_view",
-                        "internal_role_mgt_view"
+                        "internal_governance_view"
                     ],
                     "update": [
                         "internal_config_update",
@@ -923,6 +921,25 @@
                     ]
                 }
             },
+            "ruleBasedPasswordExpiry": {
+                "disabledFeatures": [],
+                "enabled": true,
+                "scopes": {
+                    "create": [],
+                    "delete": [],
+                    "feature": [],
+                    "read": [
+                        "internal_governance_view",
+                        "internal_group_mgt_view",
+                        "internal_role_mgt_view"
+                    ],
+                    "update": [
+                        "internal_config_update",
+                        "internal_governance_update",
+                        "internal_validation_rule_mgt_update"
+                    ]
+                }
+            },
             "saml2Configuration": {
                 "disabledFeatures": [],
                 "enabled": true,

diff --git a/features/admin.core.v1/models/config.ts b/features/admin.core.v1/models/config.ts
@@ -250,6 +250,10 @@ export interface FeatureConfigInterface {
      * Resident Outbound Provisioning feature
      */
     residentOutboundProvisioning?: FeatureAccessConfigInterface;
+    /**
+     * Rule based password expiry feature
+     */
+    ruleBasedPasswordExpiry?: FeatureAccessConfigInterface;
     /**
      * Connection management feature.
      */

diff --git a/features/admin.validation.v1/constants/validation-config-constants.ts b/features/admin.validation.v1/constants/validation-config-constants.ts
@@ -41,6 +41,11 @@ export class ValidationConfigConstants {
         PASSWORD_MIN_VALUE: 5
     };
 
+    /**
+     * Set of keys used to enable/disable features.
+     */
+    public static readonly FEATURE_DICTIONARY: Map<string, string> = new Map<string, string>()
+        .set("RULE_BASED_PASSWORD_EXPIRY", "validation.ruleBasedPasswordExpiry");;
 }
 
 /**

diff --git a/features/admin.validation.v1/pages/validation-config-edit.tsx b/features/admin.validation.v1/pages/validation-config-edit.tsx
@@ -97,7 +97,6 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
         state?.config?.ui?.isPasswordInputValidationEnabled);
     const disabledFeatures: string[] = useSelector((state: AppState) =>
         state?.config?.ui?.features?.loginAndRegistration?.disabledFeatures);
-    const isRuleBasedPasswordExpiryDisabled: boolean = disabledFeatures?.includes("ruleBasedPasswordExpiry");
     const featureConfig: FeatureConfigInterface = useSelector((state: AppState) => state?.config?.ui?.features);
 
     const [ isSubmitting, setSubmitting ] = useState<boolean>(false);
@@ -137,6 +136,11 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
     const [ legacyPasswordPolicies, setLegacyPasswordPolicies ] = useState<ConnectorPropertyInterface[]>([]);
 
     const isReadOnly: boolean = !useRequiredScopes(featureConfig?.governanceConnectors?.scopes?.update);
+    const hasRuleBasedPasswordExpiryReadPermissions: boolean =
+        useRequiredScopes(featureConfig?.ruleBasedPasswordExpiry?.scopes?.read);
+    const isRuleBasedPasswordExpiryDisabled: boolean =
+        disabledFeatures?.includes(ValidationConfigConstants.FEATURE_DICTIONARY.get("RULE_BASED_PASSWORD_EXPIRY"))
+        || !hasRuleBasedPasswordExpiryReadPermissions;
 
     const {
         data: passwordHistoryCountData,
@@ -602,12 +606,15 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
 
         const processedFormValues: ValidationFormInterface = {
             ...values,
-            passwordExpiryEnabled: passwordExpiryEnabled,
-            passwordExpiryRules: processPasswordExpiryRules(),
-            passwordExpirySkipFallback: passwordExpirySkipFallback,
-            passwordExpiryTime: defaultPasswordExpiryTime
+            passwordExpiryEnabled: passwordExpiryEnabled
         };
 
+        if (!isRuleBasedPasswordExpiryDisabled) {
+            processedFormValues.passwordExpiryRules = processPasswordExpiryRules();
+            processedFormValues.passwordExpirySkipFallback = passwordExpirySkipFallback;
+            processedFormValues.passwordExpiryTime = defaultPasswordExpiryTime;
+        }
+
         const updatePasswordPolicies: Promise<void> = serverConfigurationConfig.processPasswordPoliciesSubmitData(
             processedFormValues,
             !isPasswordInputValidationEnabled