Restrict the groups a group is allowed to edit

Hi there,
as this is my first post here I want to use this occasion to thank the developers and the community for such a great product.

I would like to ask you for advice in the following situation:

I want to create a group of users (let's call them group-admins) that is responsible for assigning other users to groups and removing them again from those groups if necessary. I managed to do this by setting up a policy that grants the permission to use the UMC module groups and creating a group “group-admins” which is assigned to that policy. Users who are members of that group can now log in and exclusively see the module groups. Nice!

Now the problem is that they can assign themselves to other groups, like the domain-admins, which nullifies any security concept.

Is there a way to restrict the “group-admins” to be able to edit just a specific set of groups, or to mark groups as exclusively editable by “domain admins”, or some method similar to that?

Thanks in advance and kind regards!

I sit on the same problem atm. For some weird reason the user who has the umc-groups policy can now see all the groups and add groups to an existing group, but not users to a group. So the user can add the “Domain Admins” group to his group and would get all the rights. That's bad.

What I thought (and this works with pure LDAP access) is an LDAP ACL like this:

# Applies only to groups whose cn starts with "ou_" directly below cn=groups
# (@%@ldap/base@%@ is the UCR template marker for the LDAP base) and only to
# the listed attributes.
access to dn.regex="^cn=ou_([^,]+),cn=groups,@%@ldap/base@%@$" attrs=description,memberUid,uniqueMember
        # members of the group-admin group may write those attributes
        by group/univentionGroup/uniqueMember="cn=MYGROUPADMINGROUP,cn=groups,dc=...=de" write
        # everyone else gets no additional privilege here; evaluation continues with the next ACL
        by * +0 break

Which allows my “MYGROUPADMINGROUP” to edit the description and all the members for all groups beginning with “ou_” but not more. It would be nice to have documentation for the UMC operations describing what they do exactly. Hope the ACL helps you in any way.
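As an added example (not code from this thread or from Univention), a small Python model of what that ACL grants: it substitutes a base DN for the @%@ldap/base@%@ marker, applies the dn.regex, and reports which group entries a member of the group-admin group could write. It is a simplified model of slapd's ACL evaluation, not the real one, and the base DN, group names and member DNs are constructed for the example.

```python
import re

# Constructed sample directory (made-up DNs): group DN -> uniqueMember list.
LDAP_BASE = "dc=example,dc=de"
GROUPS = {
    f"cn=ou_sales,cn=groups,{LDAP_BASE}": [f"uid=alice,cn=users,{LDAP_BASE}"],
    f"cn=ou_dev,cn=groups,{LDAP_BASE}": [],
    f"cn=Domain Admins,cn=groups,{LDAP_BASE}": [f"uid=root,cn=users,{LDAP_BASE}"],
    f"cn=group-admins,cn=groups,{LDAP_BASE}": [f"uid=bob,cn=users,{LDAP_BASE}"],
}
ADMIN_GROUP_DN = f"cn=group-admins,cn=groups,{LDAP_BASE}"  # stands in for MYGROUPADMINGROUP
ACL_ATTRS = {"description", "memberUid", "uniqueMember"}  # the attrs=... list of the ACL


def target_pattern(base: str) -> re.Pattern:
    # The ACL's dn.regex with @%@ldap/base@%@ substituted; the base is escaped so
    # its dots and commas are literal. Assumption of this model: slapd matches
    # dn.regex case-insensitively against the normalized DN.
    return re.compile(r"^cn=ou_([^,]+),cn=groups," + re.escape(base) + r"$", re.IGNORECASE)


def may_write(requester_dn: str, target_dn: str, attr: str,
              groups=GROUPS, base=LDAP_BASE):
    """Return "write" if this ACL grants write access, else None.

    None also covers the "+0 break" case: no privilege is added here and slapd
    would continue with the next ACL, so the final answer then depends on the
    rules that follow (not modelled here)."""
    if not target_pattern(base).match(target_dn) or attr not in ACL_ATTRS:
        return None  # ACL does not apply to this entry/attribute at all
    if requester_dn in groups.get(ADMIN_GROUP_DN, []):
        return "write"  # by group/univentionGroup/uniqueMember=... write
    return None  # by * +0 break


def writable_groups(requester_dn: str, attr: str = "uniqueMember") -> list:
    # Which group entries could requester_dn change through this ACL?
    return sorted(dn for dn in GROUPS if may_write(requester_dn, dn, attr) == "write")


if __name__ == "__main__":
    for who in ("bob", "alice"):
        dn = f"uid={who},cn=users,{LDAP_BASE}"
        print(who, "->", writable_groups(dn))
```

Running it shows bob (a group-admin) reaching only the two ou_ groups and never "Domain Admins", while alice reaches nothing through this rule.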
