Limiting access for teachers to specific rooms
Hello!
We've got Veyon tied to our AD structure with rooms created by Computer OUs and "Restrict access to members of certain user groups" set.
What's the best way to limit access for different rooms to different users? I'd like, for example, the Computer Science teachers to have access to both of the CS rooms but no others, the Tech Ed teachers to have access to their desktop and their laptop labs, and our IT staff to have access to every workstation in AD. It seems like I should be able to manage that "from the top" using AD, but am not seeing how.
Suggestions?
Thank you!
Mike
Hello @mikep345678
congrats for getting Veyon up and running including the AD integration! In your case you should use the more advanced access control functionality based on access control rules rather than simple user groups. You can then set up rules such as "Allow access if user is member of group X and computer is located in room Y". See the documentation at https://docs.veyon.io/en/4.1/admin/access-control-rules.html for details.
Best regards
Tobias
Heya Toby,
I'd set up several access control rules to do what I thought should have worked, but instead, when a teacher who is in the right group tries to sign in to Veyon Master, he is denied with the message "according to local configuration you're not allowed to access computers in the network":
An access control rule looks like this:
(The first rule, "TS", checks if the Accessing User is a member of the Tech Services (IT) group; we can access any machine in our school district, and this does work. But, I need High School teachers to be able to control any lab machine in the HS but only lab machines in the HS, and same with our Middle School teachers...)
The user signing in to Veyon Master is a member of the AD group, "Veyon-HS". It doesn't matter whether he signs in on his teacher machine, which is in the HSE221 OU, or my administrative machine which is not in "HSE221"; he receives the access denied message either way.
Suggestions?
Thank you!
Mike
Hi Mike,
Can you try to disable the "Accessing computer is localhost" condition? It could also be possible that Veyon can't map computers to rooms properly so it won't recognize a specific computer to be part of a particular room so access control eventually fails. In this case you should verify that all the LDAP integration tests work fine, especially "Get computer object by IP address" (resolving an AD entry from IP address) and "List all members of a computer room".
Have you tried the functionality for testing access control rules? Maybe you can spot any problems with different test inputs?
Additionally you can try whether you can access client computers even if the master computer thinks it can't access them. Simply turn off the "Perform access control at program start" option in the "Behaviour" tab of the master configuration page.
If nothing helps you can set the log level to debug and have a look at VeyonServer.log on the client computer which the access is denied to. This will give some information on which parameters are used to perform the access control. Search for lines starting with "AccessControlProvider".
Best regards
Tobias
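To illustrate the rule logic Tobias describes above (first matching rule wins, default deny, and a computer that cannot be mapped to a room fails every room condition), here is a small added model of such an evaluator. It is not Veyon's code; the group names, room names, IP addresses and rule set are constructed for the example.

```python
"""Simplified model of rule-based access control as discussed in this thread.
Constructed example, not Veyon's implementation; all directory data is made up."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    user_groups: set = field(default_factory=set)  # accessing user in one of these (empty = any)
    rooms: set = field(default_factory=set)        # accessed computer in one of these (empty = any)
    require_localhost: bool = False                # "Accessing computer is localhost" condition
    action: str = "allow"                          # "allow" or "deny"


# Constructed stand-in for AD group membership and the LDAP IP -> room lookup.
GROUP_MEMBERS = {"Tech-Services": {"alice"}, "Veyon-HS": {"bob"}, "Veyon-MS": {"carol"}}
COMPUTER_ROOM = {"10.0.21.15": "HSE221", "10.0.21.16": "HSE221", "10.0.31.5": "MS101"}

# Rule set mirroring the thread: IT staff everywhere, HS teachers only in HS rooms, MS in MS rooms.
RULES = [
    Rule("TS", user_groups={"Tech-Services"}),
    Rule("HS teachers", user_groups={"Veyon-HS"}, rooms={"HSE221", "HSE222"}),
    Rule("MS teachers", user_groups={"Veyon-MS"}, rooms={"MS101"}),
]


def evaluate(user, accessed_ip, accessing_ip, rules=RULES):
    """Return (decision, rule_name). Rules are checked in order; no match means deny."""
    room = COMPUTER_ROOM.get(accessed_ip)  # None when the IP cannot be resolved to a room
    for rule in rules:
        if rule.user_groups and not any(user in GROUP_MEMBERS.get(g, set()) for g in rule.user_groups):
            continue
        if rule.rooms and room not in rule.rooms:
            continue  # also hit when room is None, i.e. the room mapping failed
        if rule.require_localhost and accessing_ip != accessed_ip:
            continue
        return rule.action, rule.name
    return "deny", None


def unmapped_computers(ips):
    """Computers the lookup cannot place in a room; the thread's "Get computer object by IP" check."""
    return [ip for ip in ips if ip not in COMPUTER_ROOM]


if __name__ == "__main__":
    print(evaluate("bob", "10.0.21.15", "10.0.21.99"))  # HS teacher in an HS room: allowed
    print(evaluate("bob", "10.0.31.5", "10.0.21.99"))   # HS teacher in an MS room: denied
    print(evaluate("bob", "10.0.99.1", "10.0.21.99"))   # room mapping failed: denied
    print(unmapped_computers(["10.0.21.15", "10.0.99.1"]))
```

Adding a rule with `require_localhost=True` reproduces the symptom from the thread: the same user is denied from any machine other than the accessed computer itself.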
@tobydox, the authentication message appears when the teacher is attempting to sign in to Master. The message appears regardless of the "Accessing computer is localhost" setting. (The teacher isn't getting far enough into Master to determine if he can actually contact Client computers!)
Yes, testing access control rules passes. (I'd checked this before deploying! : )
What are the ramifications of turning off "Perform Access control at program start"? I understood that setting to control who can get into Master, but, are there other implications? (Obviously, "Master" isn't installed on student computers...)
Basically, how do I define the set of AD users who are allowed to sign in to Master?
Thank you!
Mike
The "Perform Access control at program start" option makes the Master application check whether the teacher is allowed to access computers at all. It's an additional check for convenience (which can lead to false positives, that's why you should try to disable it for the time being) but not strictly necessary as the actual access control is performed on client computers so that only authorized users will be granted access. If the option is disabled, anybody can start the Master but still will only be able to access clients he's really allowed to access.