1. Introduction#

Warning

Delegative administration is an experimental feature. Don’t use it in production yet. There are still many shortcomings and in particular things like configuration can and will change in upcoming releases.

This document describes the concepts, setup, and configuration of delegative administration for Univention Nubus and aims to enable experienced Nubus administrators to test this experimental feature.

With delegative administration Univention Nubus provides a mechanism that enables organizations to implement a decentralized model of managing the LDAP directory through the Management UI and the UDM HTTP REST API. You can assign roles to user objects. A role defines what the user may do in the LDAP directory through that user object: which objects the user can read, create, modify, or delete.

A common use case is a manager or administrator for an organizational unit within the directory service. Users with such an assigned role can manage other user objects and group objects at a specific position in the directory service, for example ou=bremen,dc=example,dc=org. Depending on the exact configuration, users with such a role can't manage, or even see, objects at other positions.

1.1. Feedback#

The Univention development team is happy to receive feedback to improve the experimental version of the delegative administration feature and to make it a helpful and supported addition to the Nubus product. For general feedback, use the feedback form. For feedback on explicit sections, use the section feedback that appears to the right of the section heading when you mouse over it.

1.2. Technical requirements#

The current implementation has the following technical requirements:

  • You need a UCS system with version 5.2-2 and the latest errata updates.

  • Delegative administration only supports the UCS system roles Primary Directory Node and Backup Directory Node.

1.3. Limits and known issues#

Important

Nubus supports delegated administration for the Management UI (UMC) and UDM HTTP REST API services. However, it isn’t available for the UDM command-line interface.

Delegative administration is in an early development stage; many features are still missing or only partially implemented. Beware the following limitations:

  • This is a minimal viable product intended for testing purposes only, without a stable update path for setup or configuration. Don't use it in production yet.

  • Use it only in UCS environments with up to 2,000 directory objects.

  • The configuration and customization may break any time.

  • Delegative administration only authorizes directory operations that the UMC and the UDM HTTP REST API perform against the LDAP directory. It has no effect on which modules users can see or use in the UMC or UDM HTTP REST API, such as the user or group management modules; it only affects what users can do with these modules. You must configure which modules users can see and use separately.

    For information about UMC, see Delegated administration for UMC modules in Univention Corporate Server - Manual for users and administrators [1].

    For information about the UDM HTTP REST API, see UDM HTTP REST API in Nubus for Kubernetes - Customization and Modification Manual 1.x [2].

1.4. Features#

Delegative administration offers the following features:

  • Role-based authorization in UDM checks, against the role definition, whether the actor has permission for the requested operation when the actor accesses the LDAP directory through the UMC user and group management modules.

  • Administrators can define roles and assign them to user and group objects. Group members inherit the roles assigned to their group. Therefore, you can implement authorization based on group membership.

  • Every role defines a list of permissions. Permissions define what a role can do in the directory.

  • The UDM library checks the authorization for the roles of the signed-in user before accessing the directory database or returning directory objects from the database.

1.5. Roles for delegative administration#

UCS provides the following default roles for delegative administration:

udm:default-roles:domain-administrator

Can perform CRUD operations for every object on every position in the directory.

udm:default-roles:organizational-unit-admin

Can perform CRUD operations on user and group objects on a particular position in the directory.

udm:default-roles:linux-ou-client-manager

Can perform CRUD operations on objects of type computers/linux on a particular position in the directory.

udm:default-roles:helpdesk-operator

Can reset the password for user objects in a particular position in the directory.

udm:default-roles:domain-user

Can read their own object.

udm:default-roles:self-service-profile

Can modify their own profile information.
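The following Python model is an added example written for this page, not code from Nubus or UDM, to make the behaviour described in the feature list (roles checked before directory access, roles inherited through group membership, a permission list per role) and the default role list concrete. Only the role names are taken from the page; the shape of a permission, the reading of a "position" as an entry plus its subtree, the DN normalization and the sample directory are assumptions.

```python
"""Toy model of position-scoped, role-based directory authorization.

Illustration written for this page of the concepts in "Features" and "Roles for
delegative administration"; it is not the Nubus/UDM implementation or its role
format. Role names come from the list above; the permission shape, "position"
meaning an entry plus its subtree, the DN handling and the sample data are assumptions.
"""
from dataclasses import dataclass

ANY = "*"
CRUD = frozenset({"read", "create", "modify", "delete"})
USERS, GROUPS, LINUX = "users/user", "groups/group", "computers/linux"


@dataclass(frozen=True)
class Permission:
    operations: frozenset    # operations granted
    object_types: frozenset  # UDM object types, or {ANY}
    scope: str               # "any", "position" (bound when the role is assigned) or "self"


# Assumed permission sets for the default roles listed above.
ROLES = {
    "udm:default-roles:domain-administrator": (Permission(CRUD, frozenset({ANY}), "any"),),
    "udm:default-roles:organizational-unit-admin": (Permission(CRUD, frozenset({USERS, GROUPS}), "position"),),
    "udm:default-roles:linux-ou-client-manager": (Permission(CRUD, frozenset({LINUX}), "position"),),
    # "read" assumed so the operator can locate the user whose password is reset
    "udm:default-roles:helpdesk-operator": (Permission(frozenset({"read", "reset_password"}), frozenset({USERS}), "position"),),
    "udm:default-roles:domain-user": (Permission(frozenset({"read"}), frozenset({USERS}), "self"),),
    # restriction to profile attributes is not modelled; only the "self" scope is shown
    "udm:default-roles:self-service-profile": (Permission(frozenset({"modify"}), frozenset({USERS}), "self"),),
}


@dataclass(frozen=True)
class Assignment:
    role: str
    position: str = ""  # DN a "position"-scoped role is bound to; empty for "any"/"self" roles


@dataclass(frozen=True)
class Entry:
    dn: str
    object_type: str
    assignments: tuple = ()
    member_of: tuple = ()  # group DNs; members inherit the group's assignments (direct membership only)


def dn_components(dn):
    """Lower-cased RDN components, most specific first. Assumes no escaped commas in
    values; real code needs a proper DN parser, otherwise a value containing a
    backslash-escaped comma is split into bogus components and scope decisions go wrong."""
    return [c.strip().lower() for c in dn.split(",")]


def in_subtree(dn, base):
    """True if dn is base or lies beneath it. Whole RDN components are compared, so case
    and spacing differences are tolerated and a partial component never matches."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


class Directory:
    def __init__(self, entries):
        self._by_dn = {tuple(dn_components(e.dn)): e for e in entries}

    def get(self, dn):
        return self._by_dn[tuple(dn_components(dn))]

    def effective_assignments(self, actor_dn):
        actor = self.get(actor_dn)
        return list(actor.assignments) + [a for g in actor.member_of for a in self.get(g).assignments]

    def authorize(self, actor_dn, operation, target_dn):
        """Default deny: True only if some effective role grants `operation` on the target."""
        target = self.get(target_dn)
        for a in self.effective_assignments(actor_dn):
            for p in ROLES[a.role]:
                if operation not in p.operations or (ANY not in p.object_types
                                                     and target.object_type not in p.object_types):
                    continue
                allowed = (p.scope == "any"
                           or (p.scope == "self" and dn_components(actor_dn) == dn_components(target_dn))
                           or (p.scope == "position" and a.position and in_subtree(target_dn, a.position)))
                if allowed:
                    return True
        return False

    def visible(self, actor_dn):
        """DNs the actor may read; everything else is filtered out of listings."""
        return sorted(e.dn for e in self._by_dn.values() if self.authorize(actor_dn, "read", e.dn))


# Constructed sample directory (not real data).
BASE = "dc=example,dc=org"
BREMEN, HAMBURG, GROUP = f"ou=bremen,{BASE}", f"ou=hamburg,{BASE}", f"cn=bremen-admins,cn=groups,{BASE}"
SAMPLE = Directory([
    Entry(GROUP, GROUPS, assignments=(Assignment("udm:default-roles:organizational-unit-admin", BREMEN),)),
    Entry(f"cn=alice,{BREMEN}", USERS, member_of=(GROUP,)),  # OU admin for bremen via the group
    Entry(f"cn=bob,{BREMEN}", USERS),
    Entry(f"cn=srv1,{BREMEN}", LINUX),
    Entry(f"cn=carol,{HAMBURG}", USERS, assignments=(Assignment("udm:default-roles:domain-user"),)),
    Entry(f"cn=dave,{HAMBURG}", USERS, assignments=(Assignment("udm:default-roles:helpdesk-operator", HAMBURG),)),
    Entry(f"cn=root,cn=users,{BASE}", USERS, assignments=(Assignment("udm:default-roles:domain-administrator"),)),
])
```

Two details carry the security weight. The check is default deny: an operation is allowed only if some effective role, direct or inherited from a group, grants the operation, the object type and the scope at once, so alice (OU admin for ou=bremen through her group) can modify bob but not carol in ou=hamburg and not the Linux client srv1, and dave (helpdesk operator for ou=hamburg) can reset carol's password but not delete her. Scoping compares whole RDN components rather than string suffixes, so "CN=Alice, OU=Bremen, DC=example, DC=org" is the same actor as the lower-case DN while a partial component never matches; real code must additionally handle escaped commas with a proper DN parser. Because `visible` runs the same read check over every entry, alice's listing contains only the user objects at her position, which is the "can't see objects at other positions" behaviour the introduction describes.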