While speaking with a colleague who works at a small company, he told me that they lost track of user rights management. They had an Excel table where they tracked all the user groups and special rights users in the company have. But with some changes in the company structure, they ran into problems.

Is there any self-hosted software to manage user groups, teams and user rights in a modern UI? It should also be able to set a data owner and so keep track of non-Active-Directory data.

!selfhost@lemmy.ml

  • moonpiedumplings@programming.dev
    7 hours ago
    1. Use an Identity Provider (IDP)*. Other people have mentioned LDAP, which can play this role.

    2. Use groups within the IDP to declare who has what privileges.

    3. Apps using the IDP for auth can read the groups and allow/deny permissions based on groups.

    *Or Identity and Access Management if you are in the cloud ig.

    For open source solutions, I would recommend:

    • Authentik (what I use)
    • Kanidm (doesn’t have web ui)
    • Nubus by Univention

    These three solutions all have invites, LDAP, and can act as OAuth providers (OAuth is single sign-on), which are the features I want. They are also integrated, including it all in the one app.

    There is also LLDAP, which is a web UI for LDAP, and then you could use a service that connects to that, like Authelia or Keycloak, to add OAuth on top.
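
The three steps in the comment above, sketched as an added example (not part of the original thread or of any project named in it): an app reads group membership from IdP claims, denies by default, and produces the who-has-what report the spreadsheet used to hold. The `groups` claim name, the group names and the permission strings are assumptions.

```python
from collections import defaultdict

# Constructed policy: which app permissions each IdP group grants (assumed names).
GROUP_PERMISSIONS = {
    "finance":   {"invoices:read", "invoices:write"},
    "hr":        {"personnel:read"},
    "it-admins": {"invoices:read", "personnel:read", "users:manage"},
}

def groups_of(claims):
    """Normalise the (assumed) 'groups' claim to a list of strings."""
    groups = claims.get("groups") or []
    # A bare string would otherwise be iterated character by character.
    return [groups] if isinstance(groups, str) else list(groups)

def effective_permissions(claims):
    """Union of permissions over known groups; unknown groups grant nothing."""
    perms = set()
    for group in groups_of(claims):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms

def is_allowed(claims, permission):
    """Deny by default: only an explicit group mapping grants access."""
    return permission in effective_permissions(claims)

def audit(users):
    """Return (permission -> {user: granting groups}, unmapped groups in use)."""
    holders = defaultdict(dict)
    unmapped = set()
    for claims in users:
        for group in groups_of(claims):
            if group not in GROUP_PERMISSIONS:
                unmapped.add(group)  # drift: the IdP has a group the app ignores
                continue
            for perm in GROUP_PERMISSIONS[group]:
                holders[perm].setdefault(claims["sub"], []).append(group)
    return dict(holders), unmapped

# Constructed sample identities, shaped like claims an IdP could hand to an app.
USERS = [
    {"sub": "alice", "groups": ["finance", "it-admins"]},
    {"sub": "bob", "groups": "hr"},
    {"sub": "carol", "groups": ["marketing"]},  # group with no mapping
    {"sub": "dave"},                            # no groups at all
]

if __name__ == "__main__":
    print(audit(USERS))
```

The unmapped-groups set is the part a spreadsheet tends to miss after a reorganisation: groups that still exist in the directory but no longer correspond to any right in the application.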

  • non_burglar@lemmy.world
    2 days ago

    This is a problem solved for decades by LDAP. There are many, many management and audit frontends for LDAP.

    • Matt The Horwood@lemmy.horwood.cloud
      2 days ago

      LDAP is the Linux equivalent of a Windows domain controller, but it can be used by a wide variety of other systems for authentication and authorisation.

      Linux itself can use it too.

      • non_burglar@lemmy.world
        2 days ago

        > LDAP is the Linux equivalent of a Windows domain controller

        I assume you meant “Active Directory”. AD is based on a heavily modified LDAP schema, but they are interoperable. AD adds a LOT of extra functionality on top of the auth part of it, however.

        > Linux itself can use it too

        That’s why I suggested it.