| This privilege allows a user to turn on/off SSO configurations. It could allows a user to temporarily turn off SSO to allow for local logins. Someone with this ability to reset passswords could take over a local account. This is especially high risk where local users and their assigned roles aren't be disabled/de-provisioned (which happens in many cases given the assumption that SSO controls override the ability to log in locally). This also allows a user to configure password settings and other critical security configurations. |