diff --git a/libs/common/src/admin-console/models/domain/organization.spec.ts b/libs/common/src/admin-console/models/domain/organization.spec.ts
index ddf1010eea9..cc158c71056 100644
--- a/libs/common/src/admin-console/models/domain/organization.spec.ts
+++ b/libs/common/src/admin-console/models/domain/organization.spec.ts
@@ -111,6 +111,28 @@ describe("Organization", () => {
 expect(organization.canManageDeviceApprovals).toBe(false);
 });
 
+ it("should return false when ssoEnabled is false", () => {
+ data.type = OrganizationUserType.Admin;
+ data.useSso = true;
+ data.ssoEnabled = false;
+ data.ssoMemberDecryptionType = MemberDecryptionType.TrustedDeviceEncryption;
+
+ const organization = new Organization(data);
+
+ expect(organization.canManageDeviceApprovals).toBe(false);
+ });
+
+ it("should return false when ssoMemberDecryptionType is not TrustedDeviceEncryption", () => {
+ data.type = OrganizationUserType.Admin;
+ data.useSso = true;
+ data.ssoEnabled = true;
+ data.ssoMemberDecryptionType = MemberDecryptionType.MasterPassword;
+
+ const organization = new Organization(data);
+
+ expect(organization.canManageDeviceApprovals).toBe(false);
+ });
+
 it("should return true when admin has all required SSO settings enabled", () => {
 data.type = OrganizationUserType.Admin;
 data.useSso = true;
diff --git a/libs/common/src/admin-console/models/domain/organization.ts b/libs/common/src/admin-console/models/domain/organization.ts
index aea796dfc39..f320a675b62 100644
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
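Review bot: In organization.spec.ts, both added negative cases set `data.type = OrganizationUserType.Admin`, so the `permissions.manageResetPassword` branch of the getter is never checked against the new `ssoEnabled` and decryption-type conditions in this hunk. I would add a matching case for a non-admin member who holds only `manageResetPassword`, with `data.ssoEnabled = false`, expecting `canManageDeviceApprovals` to be `false`, so a later change cannot loosen the permission path unnoticed. A case that leaves `ssoEnabled` and `ssoMemberDecryptionType` unset would also pin the fail-closed behaviour for data that lacks those fields. Such tests may already exist outside the hunk; the `describe` block starts and ends outside it.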
@@ -311,7 +311,12 @@ export class Organization {
 }
 
 get canManageDeviceApprovals() {
- return (this.isAdmin || this.permissions.manageResetPassword) && this.useSso;
+ return (
+ (this.isAdmin || this.permissions.manageResetPassword) &&
+ this.useSso &&
+ this.ssoEnabled &&
+ this.ssoMemberDecryptionType === MemberDecryptionType.TrustedDeviceEncryption
+ );
 }
 
 get isExemptFromPolicies() {
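Review bot: The tightened `canManageDeviceApprovals` getter carries no comment explaining why all three SSO conditions are required, so a later refactor could drop one without anyone noticing the authorization change. I would add above it `/** Device approvals apply only under trusted device encryption: requires useSso, ssoEnabled and ssoMemberDecryptionType === TrustedDeviceEncryption. */`. The `&&` chain yields a falsy result when `ssoEnabled` or `ssoMemberDecryptionType` is missing, which is the right default for an access check. This getter looks like a client-side capability gate, so the server-side approval path presumably has to enforce the same conditions; that cannot be confirmed from this hunk. The class body starts and ends outside the hunk.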