Roles
Out of the box, all CP users will have two factor enforced. This means all users will need to set up two factor.
Starting with 2.2, you can optionally define specific roles that will have two factor enforced.
At this stage, changes to the Role enforcement configuration are only possible via the Two Factor for Statamic config file.
Super Admin
Any user who is a Super Admin will always need to have two factor enforced.
Always. Period.
Roles
To enforce Two Factor for specific roles only, you need to ensure you have published the Two Factor for Statamic config file:
php artisan vendor:publish --tag=statamic-two-factor-config
This will create the config/two-factor.php config file.
New in 2.2 is the enforced_roles property - if you published the config file prior to 2.2, check out the source for full details.
Depending on how you configure this property, the behaviour of enforcement will change.
All Roles (aka All Users)
By default, the enforced_roles property is null.
This enforces two factor for all users of the CP.
Specific Roles
You can optionally change the value of enforced_roles to be an array.
If you only want Super Admin (and no other CP user) to have two factor enforced, you can set this to be an empty array:
'enforced_roles' => [],
Let's say you have a number of roles including Content Publisher and User Admin, and you want these to have two factor enforced. Simply place their handle in the enforced_roles array:
'enforced_roles' => [
    'content_publisher',
    'users_admin',
],
Not sure what your Roles handles are? Check out your resources/users/roles.yaml file.
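The difference between null (everyone enforced) and an empty array (Super Admin only) is easy to lose in PHP if a check uses empty() or a loose comparison. The sketch below is an added example, not code from the addon: it models the rules described above and flags configured handles that match no known role. The function names and the viewer role are hypothetical, and it assumes a user is enforced when any of their role handles appears in the array.

```php
<?php
// Added illustration, not the addon's code. Models the enforcement rules
// described on this page so a config value can be sanity-checked.

/**
 * @param array|null $enforcedRoles value of 'enforced_roles' from config/two-factor.php
 * @param bool       $isSuper       whether the user is a Super Admin
 * @param string[]   $userRoles     role handles assigned to the user
 */
function twoFactorEnforced(?array $enforcedRoles, bool $isSuper, array $userRoles): bool
{
    if ($isSuper) {
        return true;                // Super Admin: always enforced
    }
    if ($enforcedRoles === null) {  // strict check: null means "all CP users"
        return true;
    }
    // [] means "Super Admin only"; otherwise match on role handle
    return array_intersect($enforcedRoles, $userRoles) !== [];
}

/** Handles listed in enforced_roles that are not among the known role handles. */
function unknownEnforcedHandles(?array $enforcedRoles, array $knownHandles): array
{
    return array_values(array_diff($enforcedRoles ?? [], $knownHandles));
}

// Constructed sample data: handles as they might appear in resources/users/roles.yaml
$known = ['content_publisher', 'users_admin', 'viewer'];

$cases = [
    'null (default)' => null,
    'empty array'    => [],
    'two roles'      => ['content_publisher', 'users_admin'],
    'typo in handle' => ['content_publisher', 'user_admin'], // constructed mistake
];

foreach ($cases as $label => $cfg) {
    printf(
        "%-15s viewer=%s users_admin=%s super=%s unknown=[%s]\n",
        $label,
        var_export(twoFactorEnforced($cfg, false, ['viewer']), true),
        var_export(twoFactorEnforced($cfg, false, ['users_admin']), true),
        var_export(twoFactorEnforced($cfg, true, []), true),
        implode(',', unknownEnforcedHandles($cfg, $known))
    );
}
```

In the last case the misspelled handle leaves users_admin unenforced under this model, which is why comparing the configured handles against roles.yaml is worth doing after every change.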
Opt-in for non-enforced Roles
For any Roles that do not have two factor enforced, users can optionally opt-in from their profile.