Univention Bugzilla – Bug 52431
configurable deactivation of fields in the school-user UMC module
Last modified: 2020-11-26 16:28:26 CET
Created attachment 10566 [details]
Scenario: The school administrators should be able to deactivate users, but they should not be allowed to edit fields manually. This concerns first and last name, birthday, class and e-mail.
What is the reasoning behind this proposal?
The inquiry comes directly from the customer. They wish that school administrators are only allowed to deactivate users but not to edit the mentioned fields.
The feature request can be rephrased more broadly:
Make it possible to configure a list of fields that should be deactivated in the school-user UMC module.
Then domain administrators (or those with root access / UCR write access on the school-DC and the DC master) can disallow school-admins to change certain user attributes through the school-user UMC module.
@rheyer: There is a requirement that must be checked with the customer: The school-user UMC module exists on both the school-DC and the DC master. To completely limit the fields a school-admin can edit, both must be configured.
The question is then: should the field-limit on the DC master be valid for all schools (OUs) - and thus all school-admins of the domain, or only for certain (configurable) schools (OUs).
The customer is 02149 and does not use the classic ucs@school concept with separate school DCs. In the DC-Master there are all entities which only serve the IDM. These are assigned per school by OUs. Therefore the field limitation should only be valid on the master for all school OUs and for all school administrators.
Is it possible to estimate the time needed for this request?