Documenting MFA Enforcement by Org

This was missed int he original development, but has subsequently been added while I was focused on the 5.4 updates. Just playing catch-up with the documentation
hazelcast · Feb 28, 2024 · 62e9887 · 62e9887
1 parent c266f00
commit 62e9887
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 34 deletions.
diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
@@ -10,7 +10,6 @@
 * xref:developer-guide.adoc[Developer Guide]
 * xref:authorize-connections.adoc[Connectivity]
 ** xref:ip-white-list.adoc[IP Whitelist]
-* xref:jdbc-sample-client.adoc[Sample JDBC Client]
 * xref:developer.adoc[API keys]
 
 .Develop Applications
@@ -35,26 +34,32 @@
 * xref:tools.adoc[Developer Tools]
 
 .Organizations and Accounts
-* xref:organizations-and-accounts.adoc[Overview]
-* xref:organization.adoc[Organizations]
-** xref:create-account.adoc[Create an Account]
-** xref:update-organization-name.adoc[Update Organization Name]
-** xref:add-users.adoc[Add Users]
-*** xref:user-roles.adoc[User Roles]
-*** xref:invite-user.adoc[Invite User]
-** xref:remove-user.adoc[Remove User]
-** xref:delete-account.adoc[Delete Organization]
-** xref:payment-methods.adoc[Billing and Payments]
-*** xref:view-usage-and-bills.adoc[View Usage and Bills]
-*** xref:update-payment-method.adoc[Update Payment Method]
-*** xref:create-budget-tracker.adoc[Create or Edit Budget Tracker]
-* xref:users.adoc[Users]
-** xref:accept-invitation.adoc[Accept Invitation to Organization]
-** xref:view-organization-details.adoc[View Organization Details]
-** xref:view-and-update-profile.adoc[View and Update Profile]
-** xref:multi-factor-authentication.adoc[Multi-Factor Authentication]
-** xref:manage-api-key.adoc[Manage API Key]
-** xref:change-password.adoc[Change Password]
+* xref:organizations-and-accounts.adoc[Organizations and Accounts Overview]
+** xref:organization.adoc[Organization]
+*** xref:create-account.adoc[Create an Account]
+**** xref:sign-up-with-google.adoc[Sign Up with Google]
+**** xref:sign-up-with-github.adoc[Sign Up with GitHub]
+*** xref:update-organization-name.adoc[Update Organization Name]
+*** xref:multi-factor-authentication.adoc[Multi-Factor Authentication]
+*** xref:add-users.adoc[Add Users]
+**** xref:user-roles.adoc[User Roles]
+**** xref:invite-user.adoc[Invite User]
+**** xref:add-existing-user.adoc[Add Existing {hazelcast-cloud} User]
+*** xref:remove-user.adoc[Remove User]
+*** xref:delete-account.adoc[Delete an Account]
+*** xref:payment-methods.adoc[Billing and Payments]
+**** xref:view-usage-and-bills.adoc[View Usage and Bills]
+**** xref:add-payment-method.adoc[Add Payment Method]
+**** xref:update-payment-method.adoc[Update Payment Method]
+**** xref:create-budget-tracker.adoc[Create Budget Tracker]
+** xref:users.adoc[Users]
+*** xref:accept-invitation.adoc[Accept Invitation to Organization]
+*** xref:view-organization-details.adoc[View Organization Details]
+*** xref:view-and-update-profile.adoc[View and Update Profile]
+*** xref:accept-invitation.adoc[Accept Invitation to Organization]
+*** xref:user-mfa-settings.adoc[User MFA Settings]
+*** xref:manage-api-key.adoc[Manage API Key]
+*** xref:Change Password.adoc[Change Password]
 
 .Manage Clusters
 * xref:create-clusters.adoc[Create]

diff --git a/docs/modules/ROOT/pages/multi-factor-authentication.adoc b/docs/modules/ROOT/pages/multi-factor-authentication.adoc
@@ -1,12 +1,14 @@
 = Multi-Factor Authentication
-:description: Multi-factor authentication (MFA) adds another layer of security to your account. If enabled, instead of relying only on a username and password, MFA uses a trusted device to generate a secure digital identifier used to confirm your identity. By default, MFA is disabled.
+:description: If enabled at organization level, all users associated with the organization must enable Multi-factor Authentication (MFA). If disabled, users can choose whether or not to enable MFA for their sign-in. By default, MFA is disabled.
 :page-aliases: account-security.adoc
 :cloud-tags: Manage Accounts
 :cloud-order: 30
 
 {description}
 
-NOTE: If signing in with Google or GitHub, set MFA for those accounts and not for your {hazelcast-cloud} account. If you use social sign-in, MFA is not requested in the {hazelcast-cloud} console, even when enabled, as your username and password credentials have not been provided.
+Multi-factor authentication (MFA) adds another layer of security to your account. If enabled, instead of relying only on a username and password, MFA uses a trusted device to generate a secure digital identifer used to confirm your identity. 
+
+NOTE: If signing in with Google or GitHub, set MFA for those accounts and not for your {hazelcast-cloud} account. 
 
 [[enable]]
 == Enable Multi-Factor Authentication
@@ -36,19 +38,17 @@ To enable MFA, complete the following steps:
 
 include::partial$mfa-enable.adoc[]
 +
-You must now enter a username and password, and then provide the verification code using the authenticator app each time you sign in.
+. To enforce the use of MFA for all organization users, select the *Enforce for entire team* toggle 
 
-. Sign out of the Hazelcast {hazelcast-cloud} console
-. Sign in to your account using your username and password
-. Use your authenticator app to complete your sign in
+You and your organization users must now enter a username and password to sign in, and then provide the verification code using the authenticator app.
 
 include::partial$mfa-change-device.adoc[]
 
 [[disable]]
 == Disable Multi-Factor Authentication
 
-If you've enabled MFA, you can disable it at any time to sign in without an extra authentication step.
+If you've enabled MFA, you can disable it at any time to allow you and your organization users to sign in without an extra authentication step.
 
-To disable MFA, complete the following steps:
+To disable MFA for all users associated with your organization, complete the following steps:
 
 include::partial$mfa-disable.adoc[]
diff --git a/docs/modules/ROOT/pages/user-mfa-settings.adoc b/docs/modules/ROOT/pages/user-mfa-settings.adoc
@@ -0,0 +1,37 @@
+= User MFA Settings
+:description: If enforced at organization level, you must enable Multi-factor Authentication (MFA). If not enforced by your organization, you can choose whether or not to enable MFA for your sign-in. By default, MFA is disabled.
+
+{description}
+
+Multi-factor authentication (MFA) adds another layer of security to your account. If enabled, instead of relying only on a username and password, MFA uses a trusted device to generate a secure digital identifer used to confirm your identity. 
+
+[[enable]]
+== Enable Multi-Factor Authentication
+
+If MFA is enforced for your organization, you are prompted to enable MFA when you sign in. You cannot proceed until MFA is enabled. To enable MFA, complete the following steps:
+
+. Open the authenticator app on your device, and scan the QR code that is displayed in the {hazelcast-cloud} console 
+. Enter the six-digit verification code provided by the authenticator app in the {hazelcast-cloud} console
++
+You are signed in. 
+
+To enable MFA for your account if not enforced by your organization, complete the following steps:
+
+include::partial$mfa-enable.adoc[]
++
+You must now enter a username and password, and then provide the verification code using the authenticator app each time you sign in.
+
+. Sign out of the Hazelcast {hazelcast-cloud} console
+. Sign in to your account using your username and password
+. Use your authenticator app to complete your sign in
+
+include::partial$mfa-change-device.adoc[]
+
+[[disable]]
+== Disable Multi-Factor Authentication
+
+If your organization does not enforce MFA for all users, you can disable it at any time to sign in without an extra authentication step.
+
+To disable MFA, complete the following steps:
+
+include::partial$mfa-disable.adoc[]
diff --git a/docs/modules/ROOT/partials/mfa-disable.adoc b/docs/modules/ROOT/partials/mfa-disable.adoc
@@ -1,6 +1,6 @@
 . Sign into the link:{page-cloud-console}[{hazelcast-cloud} console,window=_blank]
 . Select *Account* from the side navigation bar
-. Select *Security* from the *Account* options
-. Select the *Disable* button
+. Select *Organization* from the *Account* options
+. Deselect the *Enable MFA* toggle
 
 A confirmation email is sent to the registered email address to confirm that MFA has been disabled.
diff --git a/docs/modules/ROOT/partials/mfa-enable.adoc b/docs/modules/ROOT/partials/mfa-enable.adoc
@@ -1,10 +1,10 @@
 . Install an authenticator app, such as Google Authenticator, on your device
 . Sign into the link:{page-cloud-console}[{hazelcast-cloud} console,window=_blank]
 . Select *Account* from the side navigation bar
-. Select *Security* from the *Account* options
+. Select *Ogranization* from the *Account* options
 +
-The Account Settings screen displays.
+The Organization screen displays.
 
+. Select the *Enable MFA* toggle
 . Open the authenticator app on your device, and scan the QR code that is displayed in the {hazelcast-cloud} console 
 . Enter the six-digit verification code provided by the authenticator app in the {hazelcast-cloud} console
-. Select the *Enable MFA* button