9. Limitations

The Guardian software stack is a product that the Univention software engineering team develops iteratively. This section describes the known limitations of each component.

9.1. Management API

9.1.1. App Center database limitations

Due to the limitations of the Univention App Center, only deploy the Management API once in each UCS domain. This is because each instance of the app gets its own database for the persistent data. Multiple instances of the app would mean that each instance would have its own set of apps, conditions, and roles. The App Center doesn’t prevent administrators from deploying as many instances of the Guardian Management API as they want. Keep this limitation in mind.

9.1.2. No object deletion

The Management API doesn’t allow to delete objects, with the exception of capabilities. This is due to the close relationship between the different object types and the complex consistency checks involved in a delete operation.

9.1.3. Policy endpoint is public

The endpoint in the Management API for downloading the policy data for decision making doesn’t require any authentication. The Authorization API uses this endpoint. Therefore, you must consider all data contained in the Management API as public information.

9.2. Authorization API

9.2.1. Limitation for with-lookup endpoints

The Guardian generally allows each client application to use its own structure for data that’s used for authorization. As long as the capabilities and conditions are created in a fashion that handles data correctly, there are no restrictions what the data must look like.

However, the with-lookup endpoints, which allow the Authorization API to fetch data from UDM on behalf of the app, are limited to the structure of actors and targets returned by the UDM REST API.

9.3. Management UI

9.3.1. Frontend-only pagination

The Management UI always fetches all objects in their respective list views. This might reduce performance in the Management UI if working with big datasets.

9.3.2. No typing for condition parameters

When you manage the capabilities of a role in the Management UI and edit the conditions, the parameters of those conditions aren’t typed. Therefore, it’s important to take extra care when entering the values for condition parameters.

If there are any problems with users not having the correct permissions as configured, this should be one of the first places to look. Make sure that there are no errors due to mistyped parameter values.

9.3.3. UCS Portal integration

Users can access the Management UI from the UCS Portal. It opens in a new tab in the web browser. Integration directly in the UCS Portal tab doesn’t work.