User disabling does not guarantee removal of all rights
The system does not remove all users rights when deactivating or suspending an user account. That means if the user find an alternative way to authenticate itself, in other system or even due to a failure in this system, it may have access to all its rights. Only disabling the account is not a strong security measure.
In the process of deactivation or suspension, the user account shall always lost all its rights. When it is reactivated again, it should recieve again the user rights by the usual workflow of approval for this concession of user rights.
Common Criteria: FMT_MSA.1, FMT_REV.1.