Roles and Rights with Guardian

Following the release of Guardian earlier this year, we are continuing our journey to raise the role and rights model of our products to a new level. We are excited to share the next steps in this exciting evolution with you.

How the Guardian Apps work together

Guardian is at the center of our flexible role management and takes over the authorization check in Nubus, UCS and UCS@school. Guardian enables the simple administration of roles via a graphical user interface (GUI), but its range goes far beyond this. The illustration below shows the connection between the three components of the Guardian (Authorization API, Management API and Management UI) and other parts of the product.

When an app is opened and operated by a user (actor), the Guardian Authorization API retrieves information about the logged-in actor’s authorization based on their role. These authorizations are stored in a PostgreSQL database and can be queried, saved or edited via the Guardian Management API. The same API is therefore also used by the Guardian Management UI, which provides users with a simple web module to conveniently create and edit roles. The separation of the UI and the management API also offers the advantage that the UI does not necessarily have to be used. Instead, external applications could be connected to take over this role.

Ultimately, the authorization profile of the actor’s role is transferred to the connected Open Policy Manager, which performs the final evaluation and reports back to the app what the user is permitted to do in this app. Because these authorizations can be defined very granularly on the basis of any attributes, the Open Policy Manager may require more data for the evaluation than the app itself can provide. Therefore, the Authorization API retrieves all additional information directly from the LDAP so that the Guardian can operate autonomously.

My colleague Daniel Tröder explained how this works in detail at the Univention Summit 2024. Take a look at his presentation if you weren’t there; it’s well worth it.


More Information

In addition, detailed documentation is available in the Guardian manual. We look forward to your feedback in personal exchange or in the comments below this article!
To ensure that every app uses Guardian as the governing instance for authorization requests, all modules and applications must be adapted accordingly. This process has already begun and we are pleased that selected customers and partners from the education sector are currently testing the alpha release of the new school user module.

Trial Phase with our Early Birds

We are working intensively with a group of early birds to improve the usability of the Guardian and the new school user module. We are also exploring further use cases for additional roles and determining which functionalities are required for these.

Here’s a sneak preview of role administration with the Guardian Management UI:

1) Overview of the roles:

Screenshot of the UCS Portal showing the role assignment and overview in the Guardian app.

2) Capabilities of the role teacher:

Screenshot of the UCS Portal showing the teacher role in Guardian.

3) Form for adding a new authorization that allows teachers to reset the passwords of other teachers at the same school. Here you select the app in which it applies (the school user module) and the conditions that must be met (the target has the same teacher role and is at the same school):

Screenshot of the UCS Portal. A capability is being added to the teacher role.

4) The authorization is now selected from the list:

Screenshot of the UCS Portal. A capability is being added to the teacher role.

5) The completed form, which is then saved and immediately activated:

Screenshot of the UCS Portal. The role assignment of the teacher is being configured in the Guardian application.
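To make the evaluation flow described above concrete (app asks, actor and target attributes are enriched from the directory, the role's capabilities and their conditions decide), here is an added, simplified Python model of the "teachers may reset passwords of other teachers at the same school" capability from step 3. It is not Guardian's code or API; the user ids, school names, app name and permission name are constructed, and the in-memory dictionary stands in for the LDAP lookup the Authorization API performs.

```python
"""Simplified model of a Guardian-style capability check (added example, not Guardian's code)."""

# Constructed stand-in for the LDAP attributes the Authorization API fetches.
DIRECTORY = {
    "teacher1": {"roles": {"teacher"}, "school": "school-a"},
    "teacher2": {"roles": {"teacher"}, "school": "school-a"},
    "teacher3": {"roles": {"teacher"}, "school": "school-b"},
    "student1": {"roles": {"student"}, "school": "school-a"},
}

# Condition functions receive the enriched actor and target attribute dicts.
def target_has_role(role):
    return lambda actor, target: role in target["roles"]

def target_at_same_school(actor, target):
    return actor["school"] == target["school"]

# Capabilities attached to roles: app, granted permissions, and conditions
# that must all hold. This one is the capability from screenshot 3: teachers
# may reset the passwords of other teachers at the same school.
CAPABILITIES = [
    {
        "role": "teacher",
        "app": "school-user-module",
        "permissions": {"reset_password"},
        "conditions": [target_has_role("teacher"), target_at_same_school],
    },
]

def enrich(user_id):
    """Stand-in for the LDAP lookup; unknown users have no roles (deny by default)."""
    return DIRECTORY.get(user_id, {"roles": set(), "school": None})

def allowed_permissions(app, actor_id, target_id):
    """Permissions the actor holds on the target within the given app."""
    actor, target = enrich(actor_id), enrich(target_id)
    granted = set()
    for cap in CAPABILITIES:
        if cap["app"] != app or cap["role"] not in actor["roles"]:
            continue
        if all(cond(actor, target) for cond in cap["conditions"]):
            granted |= cap["permissions"]
    return granted

def is_allowed(app, actor_id, target_id, permission):
    """Decision an app would ask for, e.g. 'may teacher1 reset teacher2's password?'"""
    return permission in allowed_permissions(app, actor_id, target_id)
```

Note that every path that does not match a capability returns an empty set, so a missing role, a different school or an unknown app all deny without any special-case code.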

The first workshops have already taken place and both we and our early birds have gained valuable insights. Many participants in our test series were impressed by the possibilities that Guardian opens up. By granularly setting permissions to individual or multiple schools, tasks that were previously only done by central administrators can be delegated to the school administrators. This can make administration more efficient, as fewer support tickets accumulate centrally and shorter processing times can be expected for users at the schools.

The workshops will be completed by the end of this month, after which further use cases will be integrated. Stay tuned to our blog, where we will provide you with regular updates on the project.

A big thank you to the early birds who are contributing their experience and expertise to help shape the next evolving stage of our products. We hope you are as excited as we are. Please feel free to leave your feedback on the topic in the comment section or in person. Together we will shape the future of your access management!
