In this scenario, let's say 50-100 users should/must do 2FA. These users can be dynamic, which means that they could come and go, for example. The tokenwizard/self-enrollment will be available for these users if they still don't have a token. Actually, this can also be done through the policies and configuration of the LDAP resolver using 'Search Filter'. There we can input the users who are supposed to do 2FA. But this can be cumbersome if we keep on adding and removing entries in the filter list.
Since we are able to list all the >5000 users in LDAP, the thought of having another attribute or a flag which the Helpdesk could just tag on or off came up.
Of course there may be other ways to make this easier or more comfortable.
– edit –
PS. I was browsing a few topics here and remembered I tested this in relation to 'autoenrollment email/sms'. I was able to configure the system to do autoenrollment through event handlers, passthru, tokenwizard. The gist is that all users should be able to do autoenrollment via email/sms FIRST, only if a trigger is on --> this is the additional attribute??
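The two 'Search Filter' styles the post compares, as an added example that is not part of the original post and not privacyIDEA's own code: one filter that enumerates the users who must do 2FA (the variant that has to be edited every time someone comes or goes), and one that selects by a single attribute or group membership the Helpdesk can toggle. The attribute name `x-requires2fa`, the group DN and the uids are constructed placeholders, not values from any real directory. Every value is escaped per RFC 4515 so that a uid or DN containing `(`, `)`, `*` or `\` cannot change the meaning of the filter.

```python
# Added example: building the LDAP resolver 'Search Filter' variants discussed
# in the post. Attribute name, group DN and user names are hypothetical.

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def per_user_filter(uids):
    """Variant 1: enumerate every user who must do 2FA.

    This is the cumbersome form: the filter grows with the list and must be
    edited whenever a user is added or removed.
    """
    if not uids:
        # An empty OR clause "(|)" is not a valid filter; refuse rather than
        # silently produce something the server will reject.
        raise ValueError("at least one uid is required")
    clauses = "".join(f"(uid={escape_filter_value(u)})" for u in uids)
    return f"(&(objectClass=person)(|{clauses}))"


def flag_filter(attr: str = "x-requires2fa", value: str = "TRUE"):
    """Variant 2: select by one attribute the Helpdesk sets or clears per user.

    'x-requires2fa' is a hypothetical private-extension attribute; the filter
    itself never changes, only the attribute on each user entry does.
    """
    return f"(&(objectClass=person)({attr}={escape_filter_value(value)}))"


def group_filter(group_dn: str):
    """Variant 2b: the same idea expressed as membership in one group.

    Requires the directory to maintain a memberOf-style attribute.
    """
    return f"(&(objectClass=person)(memberOf={escape_filter_value(group_dn)}))"


if __name__ == "__main__":
    print(per_user_filter(["alice", "bob", "carol"]))
    print(flag_filter())
    print(group_filter("cn=2fa-users,ou=groups,dc=example,dc=com"))
```

Pasting the second or third filter into the resolver's 'Search Filter' means the resolver only returns users that carry the flag or the membership, so the 2FA population is changed by editing the user entry (or group) rather than the filter string.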