How to:
The default policies that define the list of permitted UMC operations can be adjusted as required.
Step 1: Default policies/umc
You can check and list the UMC policies (UDM module policies/umc) via UDM:
udm policies/umc list
Example:
root@dc0:~/univention-support# udm policies/umc list
DN: cn=default-umc-all,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
allow: cn=appcenter-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=diagnostic-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=join-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=lib-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=quota-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=reboot-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=services-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=setup-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=sysinfo-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=top-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=ucr-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=udm-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=updater-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=welcome-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=server-overview-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=apps-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolinstaller-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoollists-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolusers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolwizards-users,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolwizards-classes,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolwizards-schools,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolwizards-computers,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolrooms-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolimport-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolexam-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=printers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=computerroom-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=distribution-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=helpdesk-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=internetrules-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=lessontimes-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=printermoderation-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=oxldb-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=office365-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: default-umc-all
DN: cn=default-umc-users,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: default-umc-users
<skip>
In the UMC, you will find the policies under Domain/Policies.
Step 2: Restrict default policy
You have the option to customize a default policy so that, for example, school admins no longer have the ability to create or edit workgroups.
Example via UDM:
root@dc0:~/univention-support# udm policies/umc list --filter cn=ucsschool-umc-admins-default
cn=ucsschool-umc-admins-default
DN: cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoollists-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-class,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-teacher,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolusers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolrooms-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolexam-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=computerroom-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=distribution-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=helpdesk-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=internetrules-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=lessontimes-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=printermoderation-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-workgroup-admin,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: ucsschool-umc-admins-default
Removing the operation schoolgroups-workgroup-admin from this policy takes that authorization away from school admins.
Via UDM
udm policies/umc modify --dn cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet --remove allow="cn=schoolgroups-workgroup-admin,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet"
Example:
root@dc0:~/univention-support# udm policies/umc list --filter cn=ucsschool-umc-admins-default
cn=ucsschool-umc-admins-default
DN: cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoollists-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-class,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-teacher,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolusers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolrooms-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolexam-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=computerroom-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=distribution-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=helpdesk-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=internetrules-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=lessontimes-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=printermoderation-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: ucsschool-umc-admins-default
Via UMC
Step 3: Check the result with a school admin account
The group memberships of my test school admin account m.muster:
root@dc0:~/univention-support# udm users/user list --filter uid=m.muster | grep group
groups: cn=Domain Users mejneschool2,cn=groups,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
groups: cn=admins-mejneschool2,cn=ouadmins,cn=groups,dc=ucs5schoolhejne,dc=intranet
primaryGroup: cn=Domain Users mejneschool2,cn=groups,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
The output for the school's group admins-mejneschool2, whose attribute univentionPolicyReference points to the policy cn=ucsschool-umc-admins-default:
root@dc0:~/univention-support# udm groups/group list --filter cn=admins-mejneschool2
cn=admins-mejneschool2
DN: cn=admins-mejneschool2,cn=ouadmins,cn=groups,dc=ucs5schoolhejne,dc=intranet
UniventionMicrosoft365ForceGroupType: 0
UniventionMicrosoft365GroupType: None
UniventionMicrosoft365Team: 0
UniventionOffice365Data: None
UniventionOffice365Profile: None
adGroupType: -2147483646
description: None
entryUUID: aff45754-ad4b-103e-8df9-4f3c59c6796b
gidNumber: 5301
mailAddress: None
modifyTimestamp: 20250103114413Z
name: admins-mejneschool2
networkAccess: 0
sambaGroupType: 2
sambaRID: 11603
school: mejneschool2
ucsschoolRole: school_admin_group:school:mejneschool2
univentionObjectIdentifier: None
univentionSourceIAM: None
users: uid=m.muster,cn=admins,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
vlanId: None
univentionPolicyReference: cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
(Optional) Step 4: Create new group and policy
Access to the school modules is likewise granted through the authorization of the respective group. If the default groups are not to be changed, I would therefore recommend creating a new group and assigning a UMC policy to it, so that the list of permitted UMC operations can be defined for that group.
For example, it would look like this:
root@dc0:~/univention-support# udm policies/umc list --filter cn=test-lehrer
cn=test-lehrer
DN: cn=Test-Lehrer,cn=policies,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolrooms-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoollists-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolusers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolexam-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-class,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=computerroom-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: Test-Lehrer
The default UMC policies can be used for orientation and the new policy can be created and defined as required.
You can create a new policy in the UMC under Domain/Policies.
Now create a new group in the Groups module and assign the created policy under Select policy configuration.
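After restricting a policy (Step 2) or attaching a new policy to a new group (Step 4), the check in Step 3 is worth automating: which UMC operations does a given account actually end up with? The following script is an added example, not part of this how-to or of UCS itself. It parses the text output of `udm ... list` exactly as shown above (a `DN:` line followed by `attribute: value` lines, multi-valued attributes repeated), follows the user's `groups` to each group's `univentionPolicyReference`, and unions the `allow` operations of the referenced policies/umc objects. The sample outputs embedded in the script are constructed and shortened from the listings on this page. It assumes, as in the page's example, that the group-referenced policies are the only source of UMC operations for the user; policies referenced elsewhere in the tree are not considered.

```python
"""Audit the UMC operations a UCS@school account holds via its groups' UMC policies.
Works on the plain-text output of 'udm <module> list' as shown in Steps 1 to 4."""
from typing import Dict, List, Set

UdmObject = Dict[str, List[str]]   # attribute name -> list of values (multi-valued)

# --- Constructed sample data, shortened from the page's own listings ----------------
POLICY_BEFORE = """cn=ucsschool-umc-admins-default
DN: cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoollists-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-class,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolusers-all,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
allow: cn=schoolgroups-workgroup-admin,cn=operations,cn=UMC,cn=univention,dc=ucs5schoolhejne,dc=intranet
ldapFilter: None
name: ucsschool-umc-admins-default
"""
# Same policy after 'udm policies/umc modify ... --remove allow=...' from Step 2.
POLICY_AFTER = "\n".join(l for l in POLICY_BEFORE.splitlines()
                         if "schoolgroups-workgroup-admin" not in l) + "\n"

USER_OUTPUT = """DN: uid=m.muster,cn=admins,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
groups: cn=Domain Users mejneschool2,cn=groups,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
groups: cn=admins-mejneschool2,cn=ouadmins,cn=groups,dc=ucs5schoolhejne,dc=intranet
primaryGroup: cn=Domain Users mejneschool2,cn=groups,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
"""
GROUPS_OUTPUT = """DN: cn=Domain Users mejneschool2,cn=groups,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
name: Domain Users mejneschool2
cn=admins-mejneschool2
DN: cn=admins-mejneschool2,cn=ouadmins,cn=groups,dc=ucs5schoolhejne,dc=intranet
name: admins-mejneschool2
users: uid=m.muster,cn=admins,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
univentionPolicyReference: cn=ucsschool-umc-admins-default,cn=UMC,cn=policies,dc=ucs5schoolhejne,dc=intranet
"""


def parse_udm_list(text: str) -> List[UdmObject]:
    """Split 'udm ... list' output into objects; each begins with a 'DN:' line.
    Lines without ': ' (blank lines, the echoed filter value such as 'cn=...') are skipped."""
    objects: List[UdmObject] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "DN":
            current = {"DN": [value]}
            objects.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)
    return objects


def rdn_value(dn: str) -> str:
    """'cn=udm-all,cn=operations,...' -> 'udm-all' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def policy_operations(policy: UdmObject) -> Set[str]:
    """Operation names granted by one policies/umc object (its 'allow' values)."""
    return {rdn_value(dn) for dn in policy.get("allow", [])}


def removed_operations(before: UdmObject, after: UdmObject) -> Set[str]:
    """Operations present in the policy before a modification but not after it."""
    return policy_operations(before) - policy_operations(after)


def effective_operations(user: UdmObject, groups: List[UdmObject],
                         policies: List[UdmObject]) -> Set[str]:
    """Union of operations from every policy referenced by one of the user's groups.
    DNs are compared case-insensitively, as LDAP does."""
    policies_by_dn = {p["DN"][0].lower(): p for p in policies}
    groups_by_dn = {g["DN"][0].lower(): g for g in groups}
    granted: Set[str] = set()
    for group_dn in user.get("groups", []):
        group = groups_by_dn.get(group_dn.lower())
        if group is None:          # group not part of the audited output
            continue
        for policy_dn in group.get("univentionPolicyReference", []):
            policy = policies_by_dn.get(policy_dn.lower())
            if policy is not None:
                granted |= policy_operations(policy)
    return granted


def audit_user(user_text: str, groups_text: str, policies_text: str) -> Set[str]:
    """Convenience wrapper taking the three raw 'udm ... list' outputs."""
    user = parse_udm_list(user_text)[0]
    return effective_operations(user, parse_udm_list(groups_text), parse_udm_list(policies_text))


if __name__ == "__main__":
    before = parse_udm_list(POLICY_BEFORE)[0]
    after = parse_udm_list(POLICY_AFTER)[0]
    print("removed by Step 2:", removed_operations(before, after))
    print("m.muster before:", sorted(audit_user(USER_OUTPUT, GROUPS_OUTPUT, POLICY_BEFORE)))
    print("m.muster after: ", sorted(audit_user(USER_OUTPUT, GROUPS_OUTPUT, POLICY_AFTER)))
```

On a real system, feed the script the captured output of `udm users/user list --filter uid=<user>`, `udm groups/group list` and `udm policies/umc list` instead of the constructed strings; for the new group and policy from Step 4 the same audit shows whether the teacher account holds exactly the operations listed in the Test-Lehrer policy and nothing else.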