6.11. Restrict users or groups from capabilities in End User Self Service
Nubus for Kubernetes includes the functional component End User Self Service for users to manage attributes of their user accounts on their own, such as their password or their profile details.
This section is for operators who want to prohibit certain users or user groups from using the password reset or the profile data capabilities in the End User Self Service. With the profile data capability, users can manage the attributes of their profile on their own, such as a profile picture.
In the default configuration of Nubus for Kubernetes, user accounts in the user groups Domain Admins and Administrators can't use the password reset and the profile data capabilities. To enable either capability for the user group Domain Admins, use the following steps as an example. In principle, the steps change the default settings of the End User Self Service.
Depending on your scenario, choose one of the following listings to prohibit either user accounts or user groups from using a capability, and add the respective lines to your custom_values.yaml values file. The block list is a comma-separated list of usernames or of user group names. The default value for the user group names in both the password reset capability and the profile data capability is Administrators,Domain Admins.

Block lists
- Block list for password reset for users or user groups
Add the lines in Listing 6.28 that apply to your use case.

  global:
    configUcr:
      umc:
        self-service:
          passwordreset:
            blacklist:
              users: TheUsersWhoMayNotUsePasswordReset
              groups: Administrators
- Block list for profile data for users or user groups
Add the lines in Listing 6.29 that apply to your use case.

  global:
    configUcr:
      umc:
        self-service:
          profiledata:
            blacklist:
              users: TheUsersWhoMayNotUseProfileData
              groups: Administrators
Allow lists
- Allow list for password reset for users or user groups
Add the lines in Listing 6.30 that apply to your use case.

  global:
    configUcr:
      umc:
        self-service:
          passwordreset:
            whitelist:
              users: TheUsersWhoMayUsePasswordReset
              groups: Administrators
- Allow list for profile data for users or user groups
Add the lines in Listing 6.31 that apply to your use case.

  global:
    configUcr:
      umc:
        self-service:
          profiledata:
            whitelist:
              users: TheUsersWhoMayUseProfileData
              groups: Administrators
Note
The End User Self Service evaluates the lists in the following order. The first match determines the decision.

1. The block list for the users.
2. The block list for the user groups.
3. The allow list for the users.
4. The allow list for the user groups.

If no allow list exists, the End User Self Service grants permission to use the capability by default. If an allow list exists, the End User Self Service denies the use of the capability by default.
That means that if one or both of the allow lists exist, the allow lists must include either the username or the group name for the End User Self Service to provide the respective capability to the user.
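The following Python function is an added illustration of the evaluation order described in this note; it is not code from Nubus or from the End User Self Service. It assumes a dictionary that mirrors the structure below global.configUcr in custom_values.yaml, treats an absent or empty list value as "no list configured", and uses constructed usernames and group names (jdoe, msmith, hd1, admin2, Helpdesk). The sample configurations show the documented default and a variant with an allow list for password reset only, so that the "deny by default once an allow list exists" rule and the precedence of the block lists become visible.

```python
"""Illustration of the documented block/allow list evaluation order of the
End User Self Service (added example, not Nubus code)."""


def _parse_list(value):
    """Split a comma-separated value such as "Administrators,Domain Admins"
    into a set of names. Absent or empty values mean "no list configured"
    (assumption of this example)."""
    if not value:
        return set()
    return {item.strip() for item in value.split(",") if item.strip()}


def self_service_permits(config_ucr, capability, username, user_groups):
    """Decide whether `username`, a member of `user_groups`, may use
    `capability` ("passwordreset" or "profiledata").

    `config_ucr` mirrors the dictionary below global.configUcr in
    custom_values.yaml. Returns a (permitted, reason) tuple.

    Evaluation order as documented: user block list, group block list,
    user allow list, group allow list; the first match decides. Without any
    allow list the capability is permitted by default; as soon as an allow
    list exists the default becomes deny.
    """
    cap = config_ucr.get("umc", {}).get("self-service", {}).get(capability, {})
    blocked_users = _parse_list(cap.get("blacklist", {}).get("users"))
    blocked_groups = _parse_list(cap.get("blacklist", {}).get("groups"))
    allowed_users = _parse_list(cap.get("whitelist", {}).get("users"))
    allowed_groups = _parse_list(cap.get("whitelist", {}).get("groups"))
    groups = set(user_groups)

    if username in blocked_users:
        return False, "user is on the block list"
    hit = groups & blocked_groups
    if hit:
        return False, f"group {sorted(hit)[0]!r} is on the block list"
    if username in allowed_users:
        return True, "user is on the allow list"
    hit = groups & allowed_groups
    if hit:
        return True, f"group {sorted(hit)[0]!r} is on the allow list"
    if allowed_users or allowed_groups:
        return False, "an allow list exists and nothing matched"
    return True, "no allow list configured; permitted by default"


# Constructed sample: the documented default for both capabilities.
DEFAULT_CONFIG = {"umc": {"self-service": {
    "passwordreset": {"blacklist": {"groups": "Administrators,Domain Admins"}},
    "profiledata": {"blacklist": {"groups": "Administrators,Domain Admins"}},
}}}

# Constructed sample: an operator adds an allow list for password reset only.
# The user and group names are made up for this example.
ALLOWLIST_CONFIG = {"umc": {"self-service": {
    "passwordreset": {
        "blacklist": {"groups": "Administrators,Domain Admins"},
        "whitelist": {"users": "jdoe", "groups": "Helpdesk"},
    },
    "profiledata": {"blacklist": {"groups": "Administrators,Domain Admins"}},
}}}


if __name__ == "__main__":
    cases = (
        ("jdoe", ["Domain Users"]),
        ("msmith", ["Domain Users"]),
        ("hd1", ["Helpdesk"]),
        ("admin2", ["Domain Admins", "Helpdesk"]),  # block list wins
    )
    for cfg_name, cfg in (("default", DEFAULT_CONFIG), ("allowlist", ALLOWLIST_CONFIG)):
        for capability in ("passwordreset", "profiledata"):
            for user, groups in cases:
                ok, why = self_service_permits(cfg, capability, user, groups)
                verdict = "permit" if ok else "deny"
                print(f"{cfg_name:9} {capability:13} {user:7} -> {verdict:6} ({why})")
```

Run it directly to see the decision for every combination. Note that admin2 is denied in the allow-list configuration although Helpdesk is on the allow list, because the group block list is evaluated before any allow list.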
To activate the changes, you need to apply the configuration as described in Apply configuration.
To apply the changes, you need to restart the UMC Server pod in the Management UI. Use the commands in Listing 6.32. They find out the name of the pod for the UMC Server and delete the pod. Kubernetes automatically creates a new pod with the updated configuration.

  $ kubectl --namespace "$NAMESPACE_FOR_NUBUS" \
      get pods \
      | grep "umc-server-0"
  nubus-umc-server-0   2/2   Running   0   4m33s
  # Name of the pod is "nubus-umc-server-0"
  $ kubectl --namespace "$NAMESPACE_FOR_NUBUS" \
      delete pod "$NAME_OF_YOUR_POD"
See also
- End User Self Service in Univention Nubus for Kubernetes - Architecture Manual [2] for an architectural overview of the End User Self Service.