Restrict Access to UMC for users/groups

Hey all,

in UCS you can restrict services like ssh, sudo … for users or groups (eg. Domain Admins) by setting ucr variables:

auth/.*/restrict: <empty>
auth/.*/group/.*: <empty>

I wonder if there is a way to do this with UMC as well?

Cheers
Sebastian
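To make the "restrict + per-group grant" pattern quoted above concrete, here is a small POSIX shell model of how such an allowlist is evaluated. This is an illustration written for this thread, not UCS's own PAM or UCR code: the variable names (auth/sshd/restrict, auth/sshd/group/<name>, auth/sshd/user/<name>), the values and the deny-by-default semantics are assumptions, and the UCR dump is constructed.

```shell
#!/bin/sh
# Constructed model of a per-service allowlist driven by UCR-style variables:
#   auth/<service>/restrict: yes      -> deny everyone not explicitly granted
#   auth/<service>/group/<group>: yes -> grant members of <group>
#   auth/<service>/user/<user>: yes   -> grant a single user
# Assumed semantics for this example only; not UCS's implementation.

# Constructed dump in "key: value" form, one setting per line.
UCR_DUMP='auth/sshd/restrict: yes
auth/sshd/group/Domain Admins: yes
auth/sshd/user/backup: yes
auth/sudo/restrict: no'

# ucr_get KEY -> prints the value stored for KEY, empty if unset.
# Exact string match on the key, so group names with spaces work.
ucr_get() {
    printf '%s\n' "$UCR_DUMP" | awk -v k="$1" -F': ' '$1 == k { print $2; exit }'
}

# allowed SERVICE USER [GROUP...] -> exit 0 if USER may use SERVICE, 1 otherwise.
# Without a restrict flag every user is allowed; with it, only users granted
# directly or through one of their groups get through (allowlist, not denylist).
allowed() {
    svc=$1
    user=$2
    shift 2
    [ "$(ucr_get "auth/$svc/restrict")" = "yes" ] || return 0
    [ "$(ucr_get "auth/$svc/user/$user")" = "yes" ] && return 0
    for g in "$@"; do
        [ "$(ucr_get "auth/$svc/group/$g")" = "yes" ] && return 0
    done
    return 1
}

# report SERVICE USER [GROUP...] -> human-readable one-liner for a quick check.
report() {
    if allowed "$@"; then
        printf '%s: %s allowed\n' "$1" "$2"
    else
        printf '%s: %s denied\n' "$1" "$2"
    fi
}

# Constructed sample accounts; group lists are passed in explicitly.
report sshd alice "Domain Admins"
report sshd backup "Domain Users"
report sshd bob "Domain Users"
report sudo bob "Domain Users"
```

Note that the allowlist is evaluated per service name in the key, which is exactly why the question whether a matching auth/umc/... switch exists makes sense; the replies below answer that for UMC itself.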

Hey Sebastian,

the access to individual UMC modules can be configured via policies, see: 4.9. Delegated administration for UMC modules — Univention Corporate Server - Manual for users and administrators

Best regards
Jan-Luca

Hey Jan-Luca,

thank you very much for your reply. The delegation isn’t exactly what I was pointing to in my question. I already delegated some parts of the UMC to a specific user group that has limited access to an organizational unit in LDAP. In my scenario, I’d like to deny logins to the UMC for administrative accounts (e.g. Administrator, Domain Admins) altogether.

Cheers
Sebastian

I am not sure if I understand correctly, but I see two possibilities for this:

  1. You can restrict the access to /management network-wise
  2. You can disallow access to any module, in this case an appropriate message is shown upon opening the UMC

What cannot be done is forbidding opening the UMC at all for some users, but the same functionality can be achieved by the listed methods imo.

Regards
Jan-Luca

I’d like to achieve that an Administrator cannot log in via UMC. Similar to PermitRootLogin no in sshd_config, which allows non-privileged users to log in via ssh but prohibits root from logging in.

Cheers
Sebastian

Do you want to disallow any kind of web-interface login or just UMC access? The latter seems to be achievable by my listed suggestions; if no web UI access (e.g. a machine account) is wanted, there is the possibility to use a simple authentication account: 6. User management — Univention Corporate Server - Manual for users and administrators

Last but not least, depending on the use case you could experiment with different kinds of deactivation, expiration or locks like user attributes or ppolicy, …

To prevent an XY problem here: why do you want to restrict the access in this way?

Regards
Jan-Luca

Hi @jlk,
I’d like to allow logins via web interface only for users of a specific user group. For all others, especially users in groups like Domain Admins, login via web interface should be disallowed 🙂

Cheers
Sebastian
