Requires technicians to submit a justification (or valid ticket ref) the first time they access a specific login entry's password (per day/per X hrs since last accessed). There wouldn't be any sort of approval process, but the time, entry details and justification would be recorded in an audit log to satisfy security framework requirements. I was thinking this could be configurable per login entry.
Need to work out more details about how we'd implement this exactly.
Will require changing the way passwords are currently shown, meaning an overhaul: moving the population of the modal to ajax rather than having it built into the page
--
Convert login view/edit modal to be dynamically populated (via ajax) - this lets us log when the login is loaded via the edit modal
Work out how to implement logging for viewing passwords (currently they're echoed onto the page and then shown/copied via JavaScript helpers) - we need a way to log views but still maintain the instant/quick copy function
Is it worth logging in the general audit logs every time a user loads client_logins.php as well? I don't see why it would hurt - would help highlight any compromised accounts, etc.
Determine if the logging for credential views should have its own table, given that audit logs may be cleared from time to time as per the retention policy and we want a custom 'justification' field.
Each login entry has a checkbox to control whether to require a reason/justification to access the password. All related details are logged.
The justification to access a login entry remains valid for a set period of time / for the next X views of the entry by the same technician
Possibly future work: Additional checkbox for something like "Email ITFlow admins when this login entry is accessed"
From: https://forum.itflow.org/d/424-login-entries-require-techs-enter-a-justification-to-access-passwords
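A sketch of the server-side gate the request describes, added here as an illustration and not ITFlow's own code: the password is only returned to the ajax caller once a justification exists for this technician and entry inside the validity window, and every view is written to a dedicated table. The table, column and function names, the 8-hour window and the sample IDs are all assumptions.

```php
<?php
// Hypothetical schema, not ITFlow's: a dedicated table so view records survive
// audit-log retention clean-ups and can carry the justification text.
function initSchema(PDO $db): void {
    $db->exec('CREATE TABLE credential_views (
        view_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, login_id INTEGER NOT NULL,
        justification TEXT, viewed_at INTEGER NOT NULL)');
}

// Returns true when the password may be sent to the browser, and records the view.
// Returns false when this technician must first supply a justification.
function authorizeCredentialView(PDO $db, int $userId, int $loginId, bool $requiresReason,
                                 ?string $reason, int $validHours, int $now): bool {
    $reason = trim((string) $reason);
    if ($requiresReason && $reason === '') {
        // No new reason given: accept only if an earlier justified view by the
        // same technician for the same entry is still inside the window.
        $q = $db->prepare('SELECT COUNT(*) FROM credential_views
            WHERE user_id = ? AND login_id = ? AND justification IS NOT NULL AND viewed_at > ?');
        $q->execute([$userId, $loginId, $now - $validHours * 3600]);
        if ((int) $q->fetchColumn() === 0) {
            return false; // caller shows the justification prompt, not the password
        }
    }
    // Log every view; justification is NULL when an earlier one covers it
    // or when the entry does not require one.
    $ins = $db->prepare('INSERT INTO credential_views
        (user_id, login_id, justification, viewed_at) VALUES (?, ?, ?, ?)');
    $ins->execute([$userId, $loginId, $reason === '' ? null : $reason, $now]);
    return true;
}

// Constructed walk-through: technician 7, login entry 42, 8-hour validity window.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initSchema($db);
$t0 = 1700000000; // fixed constructed timestamp so the run is repeatable
var_dump(authorizeCredentialView($db, 7, 42, true, null, 8, $t0));                 // no reason yet
var_dump(authorizeCredentialView($db, 7, 42, true, 'TICKET-PLACEHOLDER', 8, $t0)); // reason supplied
var_dump(authorizeCredentialView($db, 7, 42, true, null, 8, $t0 + 3600));          // same tech, 1 h later
var_dump(authorizeCredentialView($db, 9, 42, true, null, 8, $t0 + 3600));          // different tech
var_dump(authorizeCredentialView($db, 7, 42, true, null, 8, $t0 + 9 * 3600));      // same tech, 9 h later
```

The window here runs from the time the justification was entered; views covered by it are logged with a NULL justification and do not extend it.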