Bug 52431 - configurable deactivation of fields in the school-user UMC module
configurable deactivation of fields in the school-user UMC module
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: UMC
UCS@school 4.4
amd64 Linux
: P5 normal (vote)
: ---
Assigned To: UCS@school maintainers
Depends on:
  Show dependency treegraph
Reported: 2020-11-25 12:20 CET by rheyer
Modified: 2020-11-26 16:28 CET (History)
3 users (show)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Screenshot (50.05 KB, image/png)
2020-11-25 12:20 CET, rheyer

Note You need to log in before you can comment on or make changes to this bug.
Description rheyer univentionstaff 2020-11-25 12:20:47 CET
Created attachment 10566 [details]

Scenario: The school administrators should be able to deactivate users, but they should not be allowed to edit fields manually. This concerns first and last name, birthday, class and e-mail.
Comment 1 Ole Schwiegert univentionstaff 2020-11-25 12:29:39 CET
What is the reasoning behind this proposal?
Comment 2 rheyer univentionstaff 2020-11-25 12:36:18 CET
The inquiry comes directly from the customer. They wish that school administrators are only allowed to deactivate users but not to edit the mentioned fields.
Comment 3 Daniel Tröder univentionstaff 2020-11-26 08:33:08 CET
The feature request can be rephrased more broadly:

Make it possible to configure a list of fields that should be deactivated in the school-user UMC module.

Then domain administrators (or those with root access / UCR write access on the school-DC and the DC master) can disallow school-admins to change certain user attributes through the school-user UMC module.

@rheyer: There is a requirement that must be checked with the customer: The school-user UMC module exists on both the school-DC and the DC master. To completely limit the fields a school-admin can edit, both must be configured.
The question is then: should the field-limit on the DC master be valid for all schools (OUs) - and thus all school-admins of the domain, or only for certain (configurable) schools (OUs).
Comment 4 rheyer univentionstaff 2020-11-26 16:20:00 CET
The customer is 02149 and does not use the classic ucs@school concept with separate school DCs. In the DC-Master there are all entities which only serve the IDM. These are assigned per school by OUs. Therefore the field limitation should only be valid on the master for all school OUs and for all school administrators.

Is it possible to estimate the time needed for this request?