UCS@school: A More Flexible Role and Permission Model

At Univention, we have been supporting school authorities and federal states, organizations from the private sector and public administration for many years with our powerful identity management. With its role and authorization concept, it is tailored to the needs of organizations with many users in a wide variety of contexts, whether schools, departments or branch offices.

The Advantages of UCS@school

As an extension of Univention Corporate Server (UCS), UCS@school offers many features that enable the central provision and administration of school infrastructure. At the same time, UCS@school eliminates the multitude of different user accounts that learners and educators use on a daily basis.

Rather than having to set up and maintain separate accounts for each individual learning application, the learning management system and on school devices, digital identities can be managed centrally in UCS@school. By linking external applications, users can access all integrated applications via the same login data.

Free the User

From our many customers in the school segment, we know that hardly any school is like another. For example, there are different pedagogical concepts and framework conditions in the various federal states, which have created a wide variety of roles and task profiles. But that’s not all. In education, we often see ourselves in completely different roles. For example, a teacher can teach at one school, take on administrative tasks at another school, and at the same time be a student at a vocational college. That means that this person fills a different role at each school, and thus also requires different authorizations in each school’s IT landscape. So far, it has not been easy to implement these scenarios using the UCS@school roles and rights model – not to mention individual roles that are only used in special types of schools. Until now, custom solutions had to be developed for such cases, and these are error-prone and require maintenance.

We think it is time to break up the existing model of roles. We want to enable school boards and state ministries to create exactly the roles they need themselves, and equip them with a freely defined authorization profile that remains flexible in the future. Of course, we continue to deliver predefined standard roles with UCS@school, with which a variety of scenarios can already be implemented and which can be adapted as needed. This will give you extensive scope for customization. As part of this process, we will be adding a few more new roles to our standard roles, and will include, for example, the roles “guardian” and “helpdesk staff”.

It is no easy task to tailor a system to every imaginable role and combination of permissions, but we’re up for the challenge! This applies not only to UCS@school but also to our core product UCS.

A New Concept for Organizing and Evaluating Authorizations

Access privileges determine what a “role” is allowed to see and do. They decide which modules are displayed, which data, for example, a teacher may see from a pupil, or which actions may be performed by a “school admin” as opposed to a “domain admin”.

Exemplary representation of how access permissions can influence the display of attributes in the detail view.

Such access authorization rarely consists of simple “may” or “may not” rules. Instead, it often also depends on specific attribute values. Taken together, these determine whether or not a user is allowed to set a password for another user, for example. Currently, the conditions that must be met for an authorization to apply are predefined in UCS and UCS@school. This makes it difficult for administrators to intervene on their own.

To simplify this in the future, we combine conditions and permissions into a bundle. When creating a new role, you can then directly use our predefined bundles, or add bundles to and remove bundles from existing roles.

Access rights are then evaluated separately by Open Policy Agent (OPA), a newly integrated open source component. This component ultimately decides whether access is permitted and which data may be displayed.
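As an added illustration of the bundle idea (not UCS@school’s own policy code), the following Rego policy for Open Policy Agent couples each condition with the permissions it grants, scopes the actor’s roles to the target user’s school, and derives both the permitted actions and the attribute subset the detail view may show. The bundle catalogue, the input shape (`input.actor`, `input.target`, `input.action`) and the role names are assumptions made for this example.

```rego
package ucsschool.authz
import rego.v1

# Assumed bundle catalogue (not UCS@school's real data model): each bundle
# couples a condition (when it applies) with the permissions it grants.
bundles := [
    {"condition": {"actor_role": "teacher", "target_role": "pupil"},
     "permissions": {"actions": {"read", "reset_password"},
                     "attributes": {"username", "firstname", "lastname", "class"}}},
    {"condition": {"actor_role": "school_admin", "target_role": "teacher"},
     "permissions": {"actions": {"read", "reset_password", "modify"},
                     "attributes": {"username", "firstname", "lastname", "email"}}}
]

# Roles the actor holds at the target's school only (a role held elsewhere counts for nothing).
actor_roles_at_target_school contains role if {
    some a in input.actor.role_assignments
    a.school == input.target.school
    role := a.role
}

bundle_applies(b) if {
    b.condition.actor_role in actor_roles_at_target_school
    b.condition.target_role == input.target.role
}

# Union of what the applicable bundles grant: actions the portal may offer, attributes it may render.
allowed_actions contains act if {
    some b in bundles
    bundle_applies(b)
    some act in b.permissions.actions
}
visible_attributes contains attr if {
    some b in bundles
    bundle_applies(b)
    some attr in b.permissions.attributes
}

default allow := false
allow if input.action in allowed_actions

# Constructed scenario for `opa test`: teacher at schoolA, pupil at schoolB.
sample_actor := {"role_assignments": [{"school": "schoolA", "role": "teacher"},
                                      {"school": "schoolB", "role": "pupil"}]}
test_reset_allowed_at_own_school if {
    allow with input as {"actor": sample_actor, "action": "reset_password",
                         "target": {"school": "schoolA", "role": "pupil"}}
}
test_no_teacher_rights_where_actor_is_pupil if {
    not allow with input as {"actor": sample_actor, "action": "reset_password",
                             "target": {"school": "schoolB", "role": "pupil"}}
}
```

Running `opa test` on the file exercises both scenarios; `opa eval -d policy.rego -i input.json 'data.ucsschool.authz.visible_attributes'` returns the attribute subset a front-end would render for a given request.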

At our summit, my colleague Sönke Schwardt-Krummrich illustrated the intended architecture in a presentation (in German).


Front-end Display

Another requirement for this project is a flexible interface where information can be displayed and actions performed. In UCS and UCS@school, many of these actions and much information can be accessed via the Univention Portal, which is used by both administrators and non-technical staff.

To ensure that users in the Univention Portal only see the data intended for them, and can only perform the actions for which they have authorization, we must also reorganize our front-end modules. In the future, the interface must be able to react to different subsets of attributes and build an individual display.

Current Development

Last year, we succeeded in laying the foundation for such an interface in a major customer project. We developed a new user and group module for UCS@school that meets the requirement for more flexible handling of access rights.

Image: Rebecca Rabe

Not only did we come up with a technical concept for how all our modules in UCS and UCS@school will be structured from now on, but we also combined several UCS@school modules with one another. As a result, we no longer need to maintain numerous separate modules that often only perform one action, such as resetting student passwords or displaying a class list. Instead, all actions related to user objects, for example, can be performed in the new user module. Smart search and filter options help to quickly select or display the right objects.

This year, we are focusing on bringing the many puzzle pieces into our core product UCS and the two new modules into UCS@school. Both the new architecture for storing and reading out roles, including their authorizations, and the new modules will be gradually incorporated into the core product. We will certainly be working on this project for a longer period of time until all modules have been converted to the new concept.

Keep up to date with the new developments via our blog. If you do not want to miss anything, subscribe to our Newsletter.

You may also like to visit our YouTube Channel, where you will find recordings of the presentations of my colleagues and me on the roadmap of UCS and UCS@school (in German) as well as many other topics.
