Greetings all! I recently joined a new job and part of my responsibilities are reviewing security audit results from our DataHub instance. My manager said we recently had a web application penetration audit done, and they're claiming they found sensitive information in our datahub instance. I thought we had things locked down pretty well, any ideas where they could have found it? This is all kind of new to me so I am trying to learn!

Hello @swift-farmer-36942, so I have just done some testing and have come up with the possible solution. In my datahub instance I had 4 users that I created in my OIDC. If I clicked in their respective 3 dots (to try to reset their password), as you pointed out, such option appears grayed out. So I invite a fictional user using a Share Invite Link. After the user putting its info and logging in, as the root user I am able to reset that user's password.

Hmh okay, it just seemed odd that the root user cannot do that. So I guess OIDC users vs metadata privileges (I hope that is right?) differ a little. If I create a new metadata user, then that should work. I will give it a go, thank you!