Hide rule-based password expiry for users missing required scopes

.changeset/lemon-pets-wait.md

@@ -0,0 +1,6 @@
+---
+"@wso2is/admin.validation.v1": patch
+"@wso2is/console": patch
+---
+
+Disable rule based password expiry for users without required scopes

apps/console/src/public/deployment.config.json

@@ -732,9 +732,7 @@
                         "console:loginAndRegistration"
                     ],
                     "read": [
-                        "internal_governance_view",
-                        "internal_group_mgt_view",
-                        "internal_role_mgt_view"
+                        "internal_governance_view"
                     ],
                     "update": [
                         "internal_config_update",

features/admin.validation.v1/constants/validation-config-constants.ts

@@ -41,6 +41,14 @@ export class ValidationConfigConstants {
         PASSWORD_MIN_VALUE: 5
     };
 
+    /**
+     * These scopes are checked to determine whether to display the new rule-based password expiry configuration UI.
+     * If these scopes are not available, legacy password expiry configuration will be shown for backward compatibility.
+     */
+    public static readonly RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES: string[] = [
+        "internal_role_mgt_view",
+        "internal_group_mgt_view"
+    ];
 }
 
 /**

features/admin.validation.v1/pages/validation-config-edit.tsx

@@ -97,7 +97,6 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
         state?.config?.ui?.isPasswordInputValidationEnabled);
     const disabledFeatures: string[] = useSelector((state: AppState) =>
         state?.config?.ui?.features?.loginAndRegistration?.disabledFeatures);
-    const isRuleBasedPasswordExpiryDisabled: boolean = disabledFeatures?.includes("ruleBasedPasswordExpiry");
     const featureConfig: FeatureConfigInterface = useSelector((state: AppState) => state?.config?.ui?.features);
 
     const [ isSubmitting, setSubmitting ] = useState<boolean>(false);
@@ -137,6 +136,10 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
     const [ legacyPasswordPolicies, setLegacyPasswordPolicies ] = useState<ConnectorPropertyInterface[]>([]);
 
     const isReadOnly: boolean = !useRequiredScopes(featureConfig?.governanceConnectors?.scopes?.update);
+    const hasScopesForRuleBasedPasswordExpiry: boolean =
+        useRequiredScopes(ValidationConfigConstants.RULE_BASED_PASSWORD_EXPIRY_REQUIRED_SCOPES);
+    const isRuleBasedPasswordExpiryDisabled: boolean = disabledFeatures?.includes("ruleBasedPasswordExpiry")
+        || !hasScopesForRuleBasedPasswordExpiry;
 
     const {
         data: passwordHistoryCountData,
@@ -600,14 +603,21 @@ export const ValidationConfigEditPage: FunctionComponent<MyAccountSettingsEditPa
     ): void => {
         if (hasPasswordExpiryRuleErrors) return;
 
-        const processedFormValues: ValidationFormInterface = {
+        let processedFormValues: ValidationFormInterface = {
             ...values,
-            passwordExpiryEnabled: passwordExpiryEnabled,
-            passwordExpiryRules: processPasswordExpiryRules(),
-            passwordExpirySkipFallback: passwordExpirySkipFallback,
-            passwordExpiryTime: defaultPasswordExpiryTime
+            passwordExpiryEnabled: passwordExpiryEnabled
         };
 
+        if (!isRuleBasedPasswordExpiryDisabled) {
+            processedFormValues = {
+                ...values,
+                passwordExpiryEnabled: passwordExpiryEnabled,
+                passwordExpiryRules: processPasswordExpiryRules(),
+                passwordExpirySkipFallback: passwordExpirySkipFallback,
+                passwordExpiryTime: defaultPasswordExpiryTime
+            };
+        }
+
         const updatePasswordPolicies: Promise<void> = serverConfigurationConfig.processPasswordPoliciesSubmitData(
             processedFormValues,
             !isPasswordInputValidationEnabled