
Univention-App-Highlights: Self Service for Smarter Administration

Welcome to our third dive into the world of Univention apps! In this blog
series, we regularly present exciting applications from our App Center. Today,
we're featuring the Self Service app – a tool that significantly lightens the
load for UCS admins by delegating certain tasks directly to users.

Functionality of the Self Service App

Univention Corporate Server users can change their password anytime through
the portal – simply navigate via the hamburger menu to User settings and
select Change your password. The only requirement? You must be logged in and
remember your old password. If you’ve forgotten your password (let's hope you
haven’t written it down on a post-it note or your desk pad), you’ll need to
reach out to support. By default, there’s no button for password resets.

The Self Service app adds this missing feature and ensures that UCS users’
forgetfulness doesn’t become an extra job for admins or the help desk team.
But there’s more: the app also allows system administrators to enable users to
update their own profile details and even to authorize the creation or
deletion of accounts within the UCS environment.

Backend and Frontend: Installing Self Service

Strictly speaking, Self Service is composed of two apps: the backend and the
frontend. When you install the app from our App Center, the system notifies
you that the Self Service backend will also be installed. Next, you'll need to
decide which UCS computers in the domain will host the apps. The installation
wizard identifies suitable machines for both the frontend and backend,
allowing admins to tailor their choices via a drop-down menu or proceed by
clicking Continue.

Installation of Self Service app


Configuration of the service is managed through various UCR (Univention
Configuration Registry) variables, accessible via the System / Univention
Configuration Registry module. The upcoming sections will detail some of
these settings; for a comprehensive list including examples, refer to our
manual and the chapter User self services.

Self Service Modules on the Portal Page

You can access all Self Service modules at
https://www.example.com/univention/selfservice/. The tiles displayed vary
depending on your configuration. For instance, the tiles for self registration
and account deletion only appear if administrators have explicitly enabled
these features (refer to the section Self Registration of this article).

Overview of the Self Service modules


Managing Passwords with the Self Service App

To enable the password recovery process for users, simply install the app. The
feature becomes available immediately because the UCR variable
umc/self-service/passwordreset/backend/enabled on the backend (in our example
on the primary directory node) is set to true.

Self-service function Forgot password


After clicking Forgot your password?, the system emails the user – let's say
Jonas – a link. For security reasons, this email does not include a new
password. Instead, it contains a link that carries a so-called token, plus the
token itself in plain text. Jonas uses this token to set his new password. By
default, the token is 64 characters long, but admins can modify this length
via the UCR variable umc/self-service/passwordreset/email/token_length. The
token remains valid for one hour, as specified by the UCR variable
umc/self-service/passwordreset/token_validity_period. Keep in mind that
possession of the token is all that is needed to set a new password, so the
mailbox it is sent to effectively becomes the recovery factor: don't extend
the validity period further than you have to, and don't shorten the token.
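As an added illustration of what those two settings control, the following Python models a reset-token lifecycle: a random token of configurable length (default 64, like the token_length variable) is handed out in plain text, only its hash is kept server side, and redeeming it succeeds exactly once and only inside the validity window (default 3600 seconds, like token_validity_period). This is example code written for this post, not code from the Self Service app or from Univention; how the app itself stores and checks tokens is not described here, and the link layout produced by `reset_link` is an assumption.

```python
"""Illustrative reset-token lifecycle (added example, not Univention's code).

Models the two UCR settings discussed above: the token length
(umc/self-service/passwordreset/email/token_length, default 64) and the
validity window (umc/self-service/passwordreset/token_validity_period, one
hour). Keeping only a hash and allowing a single redemption are design choices
of this example, not documented behaviour of the app.
"""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from urllib.parse import urlencode

TOKEN_ALPHABET = string.ascii_letters + string.digits
DEFAULT_TOKEN_LENGTH = 64          # mirrors the default of .../email/token_length
DEFAULT_VALIDITY_SECONDS = 3600    # mirrors .../token_validity_period (one hour)


def _digest(token: str) -> str:
    # Only the hash is stored; the plaintext token leaves the server in the mail.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class _Record:
    token_hash: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issues and redeems single-use, time-limited reset tokens per user."""

    def __init__(self, token_length: int = DEFAULT_TOKEN_LENGTH,
                 validity_seconds: int = DEFAULT_VALIDITY_SECONDS, clock=time.time):
        self.token_length = token_length
        self.validity_seconds = validity_seconds
        self.clock = clock            # injectable so tests can move time forward
        self._records: dict[str, _Record] = {}

    def issue(self, username: str) -> str:
        """Create a fresh token for username, replacing any earlier one."""
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(self.token_length))
        self._records[username] = _Record(_digest(token), self.clock() + self.validity_seconds)
        return token

    def redeem(self, username: str, token: str) -> bool:
        """True exactly once per issued token, and only inside the validity window."""
        record = self._records.get(username)
        if record is None or record.used:
            return False
        if self.clock() > record.expires_at:
            del self._records[username]   # expired tokens are dropped, not kept around
            return False
        if not hmac.compare_digest(record.token_hash, _digest(token)):
            return False                  # constant-time comparison against the stored hash
        record.used = True
        return True


def reset_link(base_url: str, username: str, token: str) -> str:
    """Build the link that would go into the mail (query-string layout is assumed)."""
    return base_url + "?" + urlencode({"username": username, "token": token})


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("jonas")
    print(reset_link("https://www.example.com/univention/selfservice/", "jonas", token))
    print("first redeem:", store.redeem("jonas", token))
    print("second redeem:", store.redeem("jonas", token))
```

Injecting the clock is what makes the expiry path testable without waiting an hour; in production the default `time.time` is used.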

Self Service function Set new password


Sending emails to users requires that the mail system on the UCS server is
properly configured. The mail server must be capable of accepting and
forwarding emails without requiring a password. Alternatively, Self Service
can integrate with external programs, such as an SMS gateway. Various UCR
variables starting with umc/self-service/passwordreset/sms are used to
configure the sending of text messages.

Profile Management Made Easy

User accounts in the LDAP directory service store much more than just names
and email addresses; they also include personal data such as profile pictures,
private addresses, and other contact details. The Univention Directory Manager
(UDM) facilitates access to the LDAP directory service, enabling the
viewing, modification, deletion, and relocation of objects like users, groups,
computers, printers, and shares. Typically, only admins have the authority to
alter this data. However, Self Service enhances flexibility by allowing admins
to activate specific fields that users can then manage themselves.

These two UCR variables determine which attributes users can modify in their
own accounts:

  • self-service/ldap_attributes : LDAP attributes that users can modify themselves; this variable needs to be configured on both the primary directory node and the backup directory nodes.
  • self-service/udm_attributes : Users are permitted to edit these UDM attributes; ensure this variable is configured on all servers where the Self Service app is installed, including the Primary Directory Node.

Each variable takes a comma-separated list of values. The app sets a default
list for each variable on installation; tailor it to your needs by trimming or
extending that list.

It's also possible to write-protect certain UDM attributes. Administrators list
these attributes in the self-service/udm_attributes/read-only variable, which
must be set on all hosts where the app is installed, including the Primary
Directory Node. Additionally, remove the corresponding LDAP attributes from
self-service/ldap_attributes; otherwise the read-only marking only affects the
form, while the attribute remains writable for the user at the LDAP level.

Whether users who are already logged in to the portal may use the profile
module with their existing session, or must enter their username and password
again first, is controlled by the UCR variable
umc/self-service/allow-authenticated-use. Setting it to false enforces
re-authentication before any profile change, which is the more conservative
choice; leaving it at true trades that check for convenience.

Self Registration: Your Gateway to a Personal User Account

With the Self Service app, system administrators can enable new users to
register their own accounts within the UCS environment. Although this feature
is seldom used in corporate or educational settings, it is particularly suited
for community projects that need Identity and Access Management (IAM)
capabilities. Initially, the feature is disabled upon installation, and
administrators must actively enable it. Configuration is managed through
various UCR variables on the backend, identified by prefixes starting with
umc/self-service/account-registration/:

  • umc/self-service/account-registration/backend/enabled : (De)activates the self registration on the backend (default: false).
  • umc/self-service/account-registration/frontend/enabled : (De)activates the tile Create an account on the frontend.
  • umc/self-service/account-registration/udm_attributes : This includes a comma-separated list of UDM attributes displayed in the Create an account dialog; it must be configured on the backend.
  • umc/self-service/account-registration/udm_attributes/required : Specifies a list of UDM attributes that are required; this setting is configured on the backend.
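The attribute lists from the profile-management section and from the self-registration variables above interact with each other: a read-only UDM property whose LDAP attribute is still in self-service/ldap_attributes is not actually protected, an editable property whose LDAP attribute is missing from that list cannot be written, and a required registration attribute that is not in the displayed list can never be filled in. A quick check before running ucr set avoids those surprises. The following Python is an added example, not Univention code; the mapping from UDM property names to LDAP attribute names is an assumption for illustration (confirm it on your own UCS, for instance with `udm users/user`), and the helper names are made up for this post.

```python
"""Consistency checks for the Self Service attribute lists (added example).

Not Univention code. UDM_TO_LDAP is an assumed mapping for illustration;
verify the attribute names on your own UCS before relying on it.
"""
import shlex
from dataclasses import dataclass

# Assumed mapping of UDM user properties to the LDAP attributes behind them.
UDM_TO_LDAP = {
    "jpegPhoto": "jpegPhoto",
    "e-mail": "mail",
    "phone": "telephoneNumber",
    "mobileTelephoneNumber": "mobile",
    "homeTelephoneNumber": "homePhone",
    "roomnumber": "roomNumber",
    "departmentNumber": "departmentNumber",
    "homePostalAddress": "homePostalAddress",
}


@dataclass
class Finding:
    variable: str   # the UCR variable that should be changed
    message: str


def parse_ucr_list(value: str) -> list[str]:
    """UCR stores these settings as comma-separated strings; empty items are dropped."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def check_profile_attributes(udm_attributes: str, read_only: str,
                             ldap_attributes: str, mapping=UDM_TO_LDAP) -> list[Finding]:
    """Compare self-service/udm_attributes, .../udm_attributes/read-only and
    self-service/ldap_attributes with each other."""
    shown = parse_ucr_list(udm_attributes)
    protected = set(parse_ucr_list(read_only))
    ldap_allowed = set(parse_ucr_list(ldap_attributes))
    findings: list[Finding] = []
    # Walk every property that is shown or marked read-only, once each, in order.
    for prop in dict.fromkeys(shown + sorted(protected)):
        ldap_name = mapping.get(prop)
        if ldap_name is None:
            findings.append(Finding("self-service/udm_attributes",
                                    f"{prop!r}: no LDAP attribute known for this property, cannot check it"))
            continue
        if prop in protected and ldap_name in ldap_allowed:
            findings.append(Finding("self-service/ldap_attributes",
                                    f"{ldap_name!r} is still listed although UDM property {prop!r} is read-only"))
        elif prop not in protected and ldap_name not in ldap_allowed:
            findings.append(Finding("self-service/ldap_attributes",
                                    f"{ldap_name!r} is missing although UDM property {prop!r} is editable"))
    return findings


def check_registration_attributes(udm_attributes: str, required: str) -> list[Finding]:
    """Every attribute in .../udm_attributes/required must also be displayed."""
    shown = set(parse_ucr_list(udm_attributes))
    return [Finding("umc/self-service/account-registration/udm_attributes/required",
                    f"{prop!r} is required but not in the displayed attribute list")
            for prop in parse_ucr_list(required) if prop not in shown]


def ucr_set_commands(values: dict[str, str]) -> list[str]:
    """Render the `ucr set` lines to run once the lists are consistent."""
    return [f"ucr set {name}={shlex.quote(value)}" for name, value in values.items()]


if __name__ == "__main__":
    # Constructed configuration: e-mail is read-only, but "mail" is still writable via LDAP.
    weak = check_profile_attributes("jpegPhoto,e-mail,phone", "e-mail",
                                    "jpegPhoto,mail,telephoneNumber")
    for finding in weak:
        print(f"{finding.variable}: {finding.message}")
    # Corrected: drop "mail" from the LDAP-side list.
    fixed = {"self-service/udm_attributes": "jpegPhoto,e-mail,phone",
             "self-service/udm_attributes/read-only": "e-mail",
             "self-service/ldap_attributes": "jpegPhoto,telephoneNumber"}
    print("\n".join(ucr_set_commands(fixed)))
```

Run the checks on each host where the app is installed, with the values that host actually holds, since the LDAP-side list lives on the directory nodes and the UDM-side lists on every app host.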

Once activated, a new Create an account tile appears on the Self Service
portal, opening a dialog in which new users enter their email address, password,
name, and username. Clicking Create an account sends the user an email
containing a verification token, 64 characters long by default, which the user
submits to confirm the email address and complete the registration.

Self Service function Create an account


An additional security measure for SSO (Single Sign-On) is also in place:
it's possible to prevent SSO login for unverified, self-registered accounts.
Admins achieve this by configuring the UCR variable
saml/idp/selfservice/check_email_verification on the primary directory
node and all backup directory nodes. Notably, accounts created by a UCS admin
are not affected by this setting.

Deleting your own User Accounts

When administrators set the UCR variable
umc/self-service/account-deregistration/enabled to true, a new Delete my
account button will appear in the user's profile settings under the My Profile
dialog. Upon clicking this button and confirming the security prompt, the UCS
account will be permanently removed.

Self Service function Delete account


Proceed at Your Own Risk

How much of your administrative workload are you willing to delegate to users
within the UCS domain? Should they merely have the ability to reset forgotten
passwords? Or perhaps you'll permit changes to profile pictures, email
addresses, and phone numbers? Could you even consider allowing new users to
register themselves and delete their own accounts? With the Self Service app,
you can offload all these tasks and precisely define who is allowed to do
what. This not only simplifies processes but also significantly eases the
burden on admins and help desk staff.

What have your experiences been with Self Service? Do you find the app to be a
helpful tool, freeing up time and resources by empowering users? We'd love to
hear from you! Share your stories with us and the broader community.

_Comment on this post and visit the Univention Help forum!_

Image source: Icon created by Freepik from flaticon.com

The post Univention-App-Highlights: Self Service for Smarter Administration
first appeared on Univention.


Posted by SourceForge Robot 2024-04-25
