Password expiration period for each role

toru sato asked on May 8, 2020 13:27

I want to set password expiration only for users with a certain role. I have confirmed that password expiration can be set for each site. https://docs.kentico.com/k11/managing-users/user-management

Does anyone know if it is possible with the Kentico function to set the password expiration date for each role? I think I can't ...

I am using Kentico version 11.

Correct Answer

Peter Mogilnitski answered on May 8, 2020 16:03

Password expiration is set at the user level and you have to enable it globally for all users. So technically you can, but like @Dmitry said you have to write some code. Two ways:

  1. I would probably create a scheduled task that will revisit the newly created/updated users and set their password expiration based on the role assigned to him or her.
  2. The other way is to use the UserInfo event to see if assigned roles have changed and set expiration according to the newly assigned user role (implement your logic).

Roles and expirations you can save in settings or a custom table. Personally I think the second approach is better.

2 votes

Recent Answers


Dmitry Bastron answered on May 8, 2020 15:19

Hi Toru,

I don't think it is possible via configuration only, it will probably require customizing the code. If you need this customization for CMS admin users (not for frontend website users), you would need to look at the following code file \CMS\CMSPages\logon.aspx.cs - it contains the authentication code. Take a closer look at the Login1_Authenticate and GetCallbackResult methods, my guess would be you can write your custom code here to check if the user is in a specific role - unlock his account if it is locked and let them in.

But you should be aware of the following - these are Kentico default pages and controls. If you customize these it means that during the upgrade you would need to take care of migrating this customization manually and not forget it.

1 vote

Brenden Kehren answered on May 8, 2020 16:40

Out of the box this would not be possible without some customizations. Since it already exists in the system per site, you could attempt to use some of the APIs without turning it on but those APIs may check that setting to see if it's on or off.

Thinking of this quickly off the top of my head:

  1. Assuming you want to have one or many roles have password expirations, you may need a cross reference table for this so you don't have to hard code your roles.
  2. Create a global event handler upon login to see if that user is part of that role, then check if their password is expired or if their account is disabled because their password is expired.
  3. Create a custom scheduled task that runs every hour or day (whatever you see fit) that checks the CMS_UserSettings table for the UserPasswordLastChanged field to see if that date meets or exceeds your requirement. If so then update the User with the proper fields to disable them until they update their password.

There may be other things but this could get you moving in the right direction.

1 vote
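The decision logic that the scheduled-task and event-handler suggestions above both depend on, as an added example that is not part of any post and not Kentico code. `UserSnapshot`, `RolePasswordPolicy`, the role names and the day limits are hypothetical; the sketch assumes the handler or task has already loaded the user's roles and the `UserPasswordLastChanged` value, and it applies the strictest limit when a user holds several covered roles.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; none of these are Kentico API classes.
public sealed class UserSnapshot
{
    public string UserName { get; set; }
    public IReadOnlyCollection<string> Roles { get; set; }
    // Value loaded from CMS_UserSettings.UserPasswordLastChanged; null if never set.
    public DateTime? PasswordLastChanged { get; set; }
}

public static class RolePasswordPolicy
{
    // Stand-in for the role/expiration cross-reference (settings or custom table).
    // Role names and day counts are constructed sample values.
    private static readonly Dictionary<string, int> MaxAgeDaysByRole =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        { { "FinanceEditors", 30 }, { "ContentEditors", 90 } };

    // Strictest (shortest) limit among the user's roles,
    // or null when none of the roles carries an expiration policy.
    public static int? MaxAgeDaysFor(UserSnapshot user)
    {
        var limits = user.Roles
            .Where(r => MaxAgeDaysByRole.ContainsKey(r))
            .Select(r => MaxAgeDaysByRole[r])
            .ToList();
        return limits.Count == 0 ? (int?)null : limits.Min();
    }

    // This example measures age from the last password change only.
    // 'now' must be in the same time zone as the stored timestamp.
    public static bool IsExpired(UserSnapshot user, DateTime now)
    {
        int? maxAge = MaxAgeDaysFor(user);
        if (maxAge == null) return false;                  // no covered role
        if (user.PasswordLastChanged == null) return true; // no record: fail closed
        return now - user.PasswordLastChanged.Value >= TimeSpan.FromDays(maxAge.Value);
    }

    public static void Main()
    {
        var now = new DateTime(2020, 5, 11);               // constructed sample data
        var user = new UserSnapshot { UserName = "sample.user",
            Roles = new[] { "ContentEditors", "FinanceEditors" },
            PasswordLastChanged = now.AddDays(-45) };
        Console.WriteLine("{0} expired: {1}", user.UserName, IsExpired(user, now));
    }
}
```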

toru sato answered on May 11, 2020 04:08

Thanks for the answer!

After all, I need to create custom Web Parts and events. I'll try!

It was helpful.

0 votes

toru sato answered on May 11, 2020 06:03

Let me ask you an additional question.

Is the password expiration calculated from the date and time of the last password change? Doesn't the deadline change every time a user logs in?

0 votes