Disable Console Access for Regular Users?

Original message was deleted

FFO•2/5/24, 4:44 PM

Hm @fabienne do you know of the top of your head if we have a distinc permission for the self-management for console? I think we had but I can't find it

FFO•2/5/24, 8:39 PM

this might also be interesting to you https://github.com/zitadel/zitadel/issues/7316

fabienne•2/6/24, 8:32 AM

We do not yet have something to restrict the self management.

fabienne•2/6/24, 8:33 AM

We only have one role that allows users to delete their own account

tafaust•9/2/24, 11:24 AM

Sorry for the necrobump, but how do your users login via e.g. Google or Github OIDC if the console access is blocked?

fabienne•9/2/24, 11:58 AM

where do they want to login?

fabienne•9/2/24, 11:58 AM

the console is the ui to manage the resources, but this doesn't mean they can't login in general

tafaust•9/2/24, 12:59 PM

I was looking at https://zitadel.com/docs/guides/solution-scenarios/restrict-console#self-hosted and the only thing that came to my mind is to either block the path /ui/console/ui/console or /ui/console/users/me/ui/console/users/me but that will also affect my IAM Owner and our B2B Org Owner user.

tafaust•9/2/24, 1:01 PM

I wonder how I can simply stop the users from my B2C Org to access the console so that they don't accidentally break their login. Should I put a middleware for my reverse proxy and block out all requests where the header x-zitadel-orgidx-zitadel-orgid equals the B2C Org id?

fabienne•9/2/24, 1:12 PM

it depends, if you look at this section, then you will have to give specific permissions to your users, this also means that if your admins do have the permission they will be able to use it: https://zitadel.com/docs/guides/solution-scenarios/restrict-console#restricting-console-in-default-project

ZITADEL Docs

ZITADEL includes a console that allows Managers to configure all resources. All uses, including end-users, by default, view and manage their profile information.

tafaust•9/2/24, 1:18 PM

Oh, I think it just clicked... Zitadel is using its own auth engine to service the console in the default project and I can just work with access + roles from there.

Thank you @fabienne !

fabienne•9/2/24, 1:19 PM

yes exactly. great, let me know if you get it to work.

tafaust•9/2/24, 1:22 PM

If someone runs into this section and is a slow thinker like me:
1) Create a role "console-access" in the default project
2) Grant the default project with the "console-access" role to your company org
3) Give your IAM Owner / Org Owner the "console-access" role
4) Profit

tafaust•9/2/24, 1:30 PM

Just for final clarification: I have to build my own login ui for my B2C users that communicates with the Zitadel API, right?

fabienne•9/2/24, 1:37 PM

Without more information i would say no.

fabienne•9/2/24, 1:38 PM

So with ZITADEL you also get a hosted login ui, this login ui can be used for all your applications and users, per default a lofin just checks authentication and not also authorization

fabienne•9/2/24, 1:39 PM

with the default and organization settings, you can configure what login possiblities the user have. e.g username password, 2fa, sso, etc. and also branding

fabienne•9/2/24, 1:39 PM

if you want to check for permissions additionally you have to configure that on the specific project