## Story

As a user with access to multiple OUs I want to select my current working OU so that I only see and manage data within that OU, and system queries remain efficient even in large environments.

## Context/description

In the current implementation, when a user opens the "Users" module (e.g. UDM frontend), the system issues a broad LDAP query (e.g. "fetch all users"), and applies authorization **after** receiving the full result set. This approach does not scale in large environments with hundreds of thousands or millions of entries.

To improve performance and usability, we must introduce **query scoping based on the user's current OU**.

Key changes:

- The system must determine the OUs for which the current user has access (e.g. as OU administrator).
- The user must select an OU context (initially auto-selected) that restricts which data is loaded and shown.
- All relevant backend queries must start at the selected OU level (e.g. `base_dn` scope in LDAP), not at the root.

## Acceptance criteria & steps for reproduction

- [ ] Upon login, the system determines all OUs the user has access to (based on roles or group membership). This also applies to the "all" (LDAP base) option: it should not be an option for the search filter if the account does not have access.
- [ ] If the user has access to multiple OUs:
  - [ ] The first OU is selected by default
  - [ ] The user can switch the current OU via a dropdown menu in the UI
- [ ] All UDM/REST/API queries are scoped to the selected OU (e.g. using OU as base DN for search)
- [ ] The backend is backward-compatible:
  - [ ] Calls without an explicit OU parameter still function as before
  - [ ] No behavior changes for users with access to only one OU
- [ ] Documentation or UI hint explains the "current OU" context clearly to the user
- [ ] The position filter must be displayed when there are multiple entries in the list and the first entry is not "Alle Container"
- [ ] The "all" container can be disabled via UCR
- [ ] Playwright tests are implemented and working
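A minimal sketch of the server-side check the acceptance criteria imply, added here as an illustration and not taken from the UDM code base: the search base is resolved and authorized before any LDAP query is issued. All function names, the sample DNs, and the choice to fall back to the first permitted OU when no OU is passed are assumptions; DN attribute values are assumed to be case-insensitive.

```python
import re

# Constructed sample data; all names in this block are hypothetical.
LDAP_BASE = "dc=example,dc=com"
ALLOWED_OUS = ["ou=school1,dc=example,dc=com", "ou=school2,dc=example,dc=com"]

def split_dn(dn):
    """Split a DN into normalized RDNs (trimmed, lowercased).
    Simplified: a comma preceded by a backslash is treated as escaped."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip().lower(), count=1) for p in parts if p.strip()]

def is_within(dn, base):
    """True if dn equals base or lies below it, compared RDN by RDN.
    A plain string suffix test would also accept 'evilou=school1,...'."""
    d, b = split_dn(dn), split_dn(base)
    return bool(b) and len(d) >= len(b) and d[-len(b):] == b

def resolve_search_base(requested, allowed_ous, ldap_base, allow_global=True):
    """Return the DN a search may start from, or raise PermissionError."""
    base = split_dn(ldap_base)
    # The "all" option needs both the user's access and the global switch.
    has_global = allow_global and any(split_dn(ou) == base for ou in allowed_ous)
    if requested is None:
        # Assumption: no explicit OU means the first permitted OU.
        for ou in allowed_ous:
            if has_global or split_dn(ou) != base:
                return ou
        raise PermissionError("no permitted OU to search in")
    if split_dn(requested) == base:
        if not has_global:
            raise PermissionError("global search not permitted")
        return ldap_base
    if any(is_within(requested, ou) for ou in allowed_ous):
        return requested
    raise PermissionError("base DN outside permitted OUs: %s" % requested)

if __name__ == "__main__":
    samples = (None, "OU=School2, dc=example,dc=com",
               "cn=x,evilou=school1,dc=example,dc=com", LDAP_BASE)
    for req in samples:
        try:
            print(req, "->", resolve_search_base(req, ALLOWED_OUS, LDAP_BASE))
        except PermissionError as exc:
            print(req, "-> denied:", exc)
```
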
The default search container, which searches in "All containers" is now deactivatable via the UCR variable `directory/manager/web/modules/search/global-search`. Via `directory/manager/web/modules/search/default-search` the search is performed only in the configured default containers for the specific object type. This enhances the search performance and number of results in large environments.

univention-management-console-module-udm.yaml
ffabad2cd657 | chore(univention-management-console-module-udm): update advisory

univention-management-console-module-udm (12.2.2)
a3f46b7d5b04 | feat(udm-umc): Scope search for 'All Containers' queries

univention-l10n-fr (6.2.0)
a3f46b7d5b04 | feat(udm-umc): Scope search for 'All Containers' queries
If I set `directory/manager/web/modules/search/default-search=true`, the default container is selectable in the create object wizard:

Add a new user
Container? Default Container

We have to "remove" "Default Container" from the list of containers here (the all container is not in this list).
univention-management-console-module-udm.yaml
bf840e4e409e | chore(univention-management-console-module-udm): update advisory

univention-management-console-module-udm (12.2.3)
66ef061a6105 | feat(udm-umc): disable 'default container' in create wizard
OK - test (jenkins, manual)
OK - yaml
<https://errata.software-univention.de/#/?erratum=5.2x130>