4.5. Delegated administration for management modules
By default, only members of the Domain Admins group can access all management modules.
With a UMC policy, you can grant specific groups or individual users access to selected modules.
This lets you delegate access without giving them full domain administration rights.
For example, you can allow a helpdesk team to manage printers without letting them access user or group administration.
4.5.1. How delegated administration works
A UMC policy defines a list of UMC operation sets. Each operation set covers one or more management modules and the actions you can perform in them. When you assign a UMC policy to a group or user, that group or user can see and use the modules the policy covers in the Management UI.
Policies combine. A user gains access from every UMC policy assigned to them directly, plus any policies assigned to the groups they belong to. For more information about how policies work in general, see Policies module in Nubus Manual 1.x [4].
Caution
The system only evaluates UMC policies assigned directly to user accounts, computer accounts, and groups. Nubus doesn’t evaluate nested group memberships, that is, groups that are members of other groups.
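To make the combination rule and the nested-group caveat concrete, here is an added Python model (not Nubus code) that computes a user's effective modules from directly assigned policies only. Apart from udm-printers, which the manual names, every operation set, policy, user and group name is constructed for this illustration.

```python
"""Added model of how UMC policies combine into effective module access.

Not Nubus code. Constructed sample data: udm-printers is the operation set
named in the manual; all other operation-set, policy, user and group names
are hypothetical and exist only for this illustration.
"""
from typing import Dict, Set

# Operation set -> management modules it covers (constructed).
OPERATION_SETS: Dict[str, Set[str]] = {
    "udm-printers": {"Print shares"},
    "example-users": {"Users"},
}
# UMC policy -> operation sets in its "List of allowed UMC operation sets".
POLICIES: Dict[str, Set[str]] = {
    "helpdesk-printers": {"udm-printers"},
    "hr-users": {"example-users"},
}
# Policies assigned directly on the user object and on the group object.
USER_POLICIES: Dict[str, Set[str]] = {"bob": {"hr-users"}}
GROUP_POLICIES: Dict[str, Set[str]] = {"Helpdesk": {"helpdesk-printers"}}
# Direct group memberships only. Support-L2 is itself a member of Helpdesk,
# but nested membership is not evaluated, so it is deliberately not expanded.
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"Helpdesk"}, "bob": {"Support-L2"}}


def effective_modules(user: str) -> Set[str]:
    """Union of modules from policies on the user and on the user's direct groups."""
    policy_names = set(USER_POLICIES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        policy_names |= GROUP_POLICIES.get(group, set())
    modules: Set[str] = set()
    for policy in policy_names:
        for opset in POLICIES.get(policy, set()):
            modules |= OPERATION_SETS.get(opset, set())
    return modules


def users_with_module(module: str) -> Set[str]:
    """Review helper: which known users can open a given module."""
    known = set(USER_POLICIES) | set(USER_GROUPS)
    return {u for u in known if module in effective_modules(u)}


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, sorted(effective_modules(name)))
```

Bob is only a member of Support-L2, which is nested inside Helpdesk, so he does not receive the Print shares module even though Helpdesk carries the policy.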
4.5.2. Built-in UMC operation sets
Table 4.1 describes the built-in operation sets for UMC policies. Use these when you create a UMC policy.
| Operation set name | Module shown in the Management UI | Description |
|---|---|---|
| | All management modules | Grants access to all management modules. |
| | Users | Grants access to the Users management module. |
| | Groups | Grants access to the Groups management module. |
| | Computers | Grants access to the Computers management module. |
| udm-printers | Print shares | Grants access to the Print shares management module. |
| | Shares | Grants access to the Shares management module. |
| | Policies | Grants access to the Policies management module. |
| | Mail | Grants access to the Mail management module. |
| | Networks | Grants access to the Networks management module. |
| | DNS | Grants access to the DNS management module. |
| | DHCP | Grants access to the DHCP management module. |
| | Nagios | Grants access to the Nagios management module for configuring NRPE host monitoring. Nagios server management isn’t available since UCS 5.2. |
| | LDAP directory | Grants access to the LDAP directory browser. |
| | — | Grants the ability to create directory reports. Reports are available in the Users, Groups, and Computers modules under . |
4.5.3. LDAP access rights
A UMC policy controls which modules a user can see and open. For modules that read or write data in the LDAP directory, such as Users, Groups, or Print shares, the user also needs sufficient LDAP access rights.
By default, only members of Domain Admins and certain system accounts have write access to the LDAP directory. If a user can open a module through a UMC policy but doesn’t have the necessary LDAP access rights, the module displays a Permission denied error and blocks the changes.
For information about configuring LDAP access rights, see Access control for the LDAP directory in Univention Corporate Server - Manual for users and administrators [3].
4.5.4. Group access to management modules
The following steps show how to create a UMC policy, assign it the operation sets you want, and link it to a group. The example uses the Print shares module and a helpdesk group.
4.5.4.1. Prerequisites
Before you begin, verify the following conditions:
- Sign in as a member of Domain Admins.
- The target group must already exist. If not, create it in first.
- For modules that write to the LDAP directory, the group needs sufficient LDAP access rights. See LDAP access rights.
4.5.4.2. Create a UMC policy
Follow these steps to create a UMC policy:
1. Navigate to .
2. Click Add.
3. Select UMC as the policy type.
4. Choose a container to store the policy in.
5. Enter a name for the policy, for example helpdesk-printers.
6. In the List of allowed UMC operation sets field, select the operation sets you want to grant. For printer administration, select udm-printers.
7. Click Save.
4.5.4.3. Assign the policy to a group
Follow these steps to assign the UMC policy:
1. Navigate to .
2. Select the group, for example Helpdesk.
3. Go to the Policies tab.
4. In the UMC section, select the policy you created, for example helpdesk-printers.
5. Click Save.
Members of the group can now see the Print shares module when they sign in to the Management UI.
See also
- Policies module in Nubus Manual 1.x [4] for information about how policies work and how to manage them.
- Access control for the LDAP directory in Univention Corporate Server - Manual for users and administrators [3] for information about LDAP access control lists.