1. Introduction

Managing user permissions for a Univention Corporate Server (UCS) system is difficult and time-consuming. Historically, it has required knowledge of access control lists (ACLs), and applications have usually hard-coded permissions to specific roles such as the domain administrator.

The Guardian provides an alternative to this system, where applications can register user permissions, which UCS system administrators can then manage and organize into roles with an easy-to-use web interface. The applications in turn can query the Guardian with authorization questions regarding specific actors and enforce app-specific behavior in accordance with the administrator's configuration.

For example, suppose that you run a business where you have a human resources department (HR) and an IT department. You want your human resources department to have different access permissions to installed applications than your IT department. You may want to give permissions to the head of your IT department to manage email, while only the head of HR can manage your vacation tracking application.

The Guardian provides a convenient way to manage these permissions, for applications that support integration with the Guardian.

Welcome to the Guardian manual. It explains how both UCS system administrators and developers of applications for a UCS system can use the Guardian to manage what users can do in applications.

The Guardian manual addresses the following audiences:

1.1. Guardian administrators

A Guardian administrator in the context of this manual is a superuser who administers the Guardian after its installation and manages apps that integrate with the Guardian. A limited app administrator is a subset of the Guardian administrator role, with capabilities restricted to managing specific apps within the Guardian. Whenever this manual refers to an administrator, it refers either to the superuser or to a limited app administrator.

The Management UI section is for administrators.

This manual doesn’t assume any specific technical knowledge for administrators of the Guardian. When possible, all instructions use a web browser.

Note

Not all applications installed through the Univention App Center support the integration with the Guardian and can be managed through the Guardian. Refer to the manual of your specific application to see if it supports the Guardian.

1.2. App infrastructure maintainers

An app infrastructure maintainer in the context of this manual is a person who is responsible for installing and maintaining a UCS system and applications installed from the Univention App Center. This manual assumes some technical knowledge for app infrastructure maintainers, such as the ability to use the command line and read logging output.

The most relevant chapters for app infrastructure maintainers are the following ones:

1.3. App developers

An app developer in the context of this manual is a person in a company or organization who develops either applications installed through the Univention App Center, or a third-party external service that in some way connects to a UCS system to provide services to users within that system, for example, using the UCS@school ID Connector.

An app is either an App Center application or a third-party external service provider that integrates with the Guardian.

This manual presumes that app developers have a high level of technical knowledge, including using a command line, writing software, and making calls to an API.

The most relevant chapters for app developers are the following ones: