Motivation

Most AZQS sites utilize WebAuth/CAS for user authentication but rely on manual account creation and the manual addition/removal of AZQS/Drupal roles for user authorization / access provisioning. This means that user access also needs to be manually de-provisioned when someone leaves or no longer requires access which is less than ideal.

Is your feature request related to a problem? Please describe.

Because access de-provisioning typically happens manually it also doesn't always happen when it should.

Proposed Resolution

@maine-inventor mentioned that he has successfully used the User Expire in the past to help with this kind of problem.

We should look into adding this module (or something similar) to Quickstart and possibly maintaining a default configuration that does something along these lines to automatically block access for inactive users to ensure that users that no longer need access to sites have their access removed:

• Automatically block inactive users with the administrator role after 30 days of inactivity
• Automatically block inactive users with the content editor or content admin role(s) after 180 days of inactivity

We'd probably also need to add some documentation about how users can be un-blocked by another administrator via the Admin UI or via drush.

Describe alternatives you've considered

We've started to explore the possibility of integrating with different/additional identity and access management services so that we can utilize identity provider attributes (e.g. LDAP attributes or Grouper group memberships) for authorization (see #35) but we don't have solution for that yet.

Roles and Permissions considerations

A clear and concise description of how each of the following roles would be impacted by this change:

• Content editor
• Content administrator
• Administrator

Users with these roles would have their access blocked if they haven't logged in recently enough.