IAM (Identity & Access Management) importance


Just as a gentle reminder:

Hence ‘normal’ account management (expire, password policy) or SSO (convenience) does not cut it any longer. A good IAM solution is required/mandatory imho on all ‘levels’, small or big.

Hence I am very interested in Authentik: Authentik-SSO App for Nethserver 8

We do focus on threats from the outside e.g. NethSecurity/firewalls but we lack total control of resource users and their credentials and digital life on (closed) networks and who can access what, when and why?

Intelligence leaks are news on a daily basis! The biggest intelligence leaks in US history. all are ‘inside jobs’ made possible due to the lack of proper IAM.

Also more and more legislations, regulations and laws are holding companies/entities responsible for direct and indirect damage due to the lack of proper IAM implementation and living up to it. This can have a HUGE impact on the continuity of a business.

So this topic is not a technical issue but a management issue. BUT also, as professional courtesy, an important responsibility of the tech people to pro-actively advise and assist management.

Just saying…


Also a good reason most SME companies / Home users keep their Account provider NOT accessible from the Internet.

A good, sound policy, enough for most SME environments.

No real need for any IAM solutions. Exposing this to the Internet may be needed, but my clients aren’t Google, Facebook or any of the likes.

And for a simple SME / Home solution, I don’t see ANY need for allowing even a password change via the Internet.!

A hosted website, for examle with Wordrpress (I also use WP), doesn’t need any sync with any internal user base. Only the Webdesigner and maybe Management needs access to this at all! None of my SME clients even use / offer a Web shop.

My 2 cents

If you believe that, then I suggest you re-read the concepts and technics of Identity & Access Management. Ans SME’s may vary in size, complexity and importance. Is a doctors office with many medical files not to be considered an SME? A notary? Advocacy maybe?

I disagree and I believe practice has showed this over and over again.

Not sure what you ean by ‘this’, but IAM consists of many components for various situations e.g. B2B, C2B, Internal, external, legislation, regulations, mergers, agility, self portals, split offs, fraud experience etc. etc.

That may be, but others may have the need.

Could be, but IAM is not about syncing with an internal user base, it can go many ways, including the NS8 provided option to authenticate usage of NS8 resources against an IAM solution like Authentik.


Seriously? You can’t see how anyone might need that? Heck, my installation is pretty simple and I have that need–I’ve given mail accounts to some family members who don’t live with me, and I don’t want to give them access to my entire network (i.e., via VPN) when they need to change their passwords. Which is why I built a self-service-password module for NS7 (before Nethesis included it in NS7).

Your free opinion.

My opinion comes from working in security.

A standard practice was disabling ALL USB Storage options for all PCs since 1998.
None of my clients ever had any employees steal any noteable amount of data - like swiss banks had.

Throwing around Acronyms and Buzzwords sounds like you’re in the advertising business…

I don’t have an opinion about “others”. I have my clients.
And I have my own opinion.

And generally, here in Switzerland, clöoud usage isn’t very popular, at least among SME companies.

I do have clients in those mentionned branches, and all consider themselves as SME companies. None want their userbase exposed in any form.

And yes, a doctor’s practice CAN be involved in B2B: ordering medicaments for one, reading patients data from an associated hospital is another typical use. But both sides do not expose their userbase.

My opinion.

If you, somene never using an AD and never will, advocate using one size fits all, keeping everything open and public, you start sounding like Microsoft, and probably have their levels of “Low” security.

And no, I have worked in security too long to listen to foolish advice!
I’ve used account management since before 2000 (and probably long before you were aware that such a thing existed!) - and I keep current with the flow of things.

I don’t consider myself belonging to the category of Sheeple or Lemmings, nor do I respond to stupid Internet Challenges or stupid “Fads”.

A locked down server, in a closed environment where USB and other storage isn’t allowed, and has a null routed default gateway and no outside connection, all in a secure, locked environment is still not digitally accessible or hackable from outside of that room!. Out of band monitoring and alarming.
Only way to violate is access by force (break in) or forcing you at gunpoint to open up.

That’s basic security - and can be enhanced.

Enhancement can include enhanced perimeter security - and also extra perimetral security.
Ever thought about a fully operational nuclear Triad as extra perimertal security - say against any dictator’s will to use force?

As a VPS user, I don’t see you really advocating seriously any form of security. A simple permission elevation attack would allow any VPS user to hack a / misuse the whole system, not really a good basis for security.

AFAIK, there are only 3 frameworks used by hosters for VPS, and all three are only used in low security environments like hosters.

My 2 cents

I did specify SME / Home use. People living elsewhere are not considered Home, even if they are family or friends, at least in my book!
And I don’t quite see how giving access to mail allows anyone to access anything else in the network, even if using AD or LDAP as account provider. A simple group allowing mail_users will suffice!


I DO see use for account management, I have professionally done this sort of stuff since before 2000…
I am aware of use cases, but also of the caveats.

It strikes me as if you are constantly enforcing and pushing your opinion, your clients and your knowledge, and franticly ‘pulling rank’ on the basis of your experiences, all under the cover of your “2 cents” and “freedom of speech”. There is no need for this, it could well be that sometimes people are totally not interested in your opinion, your clients, your country, your experience, your 2 cents.

I don’t think less of you, I am just not interested in you hijacking almost every topic with this behaviour.

Same here
Pushing IAM

I thought I introduced this IAM post as a ‘gentle reminder’ in the chat category. Where is the ‘pushing’ in this? And one is totally free to ignore any subject or any post.

So from now I will ignore your posts, and you can have all your cents, ranks, opinions, clients, infinite wisdom, experience and attitude.

1 Like

The Devs have IAM on their radar. It will come when ready.
'nuff said as to ‘gentle reminder’…

I think you have too narrow a view of “home use.” Would you also say it isn’t “home use” because my server isn’t physically at my house, but rather a Contabo VPS in Nürnberg?

On the contrary, I’d say that if I have, e.g., kids who are away at college, their use of my server is still “home use.” If I give my parents email accounts, that still falls within “home use.” Heck, the domain I’ve had for the last 20 years is familybrown.org, so giving accounts to other members of my family seems quite reasonable. If you prefer, call it “personal use.” I can’t think, at least among people who run a server like this for personal purposes (admittedly a niche market), this is all that rare.

Or let’s look at the SME. A small business, especially post-COVID, can still have remote employees. Those employees can need access to assets on the server (e.g., email, CRM, Nextcloud) without needing to be, physically or virtually, on the LAN.

Users need to be able to change their passwords, right? Even if you aren’t using some stupid password expiration policy, a user needs to be able to change his password, and there’s no reason the admin should have anything to do with it–and the admin certainly shouldn’t know what it is. If, as you propose, the mechanism to do isn’t accessible on the Internet, that means that users need to be, physically or virtually, on the LAN. And that gives them some level of access to everything else on the LAN.

I do consider Home use a different use case from Family use. Your use cases all fall under family (or close family friends). All OK in my book, but call it family use, not Home use. The emphasis is on family, not centered on “Home”.

Here in Europe a VPS? No.

Most use for a home server is still files. A cloud solution doesn’t cut it for speed / latency issues, although Europe generally has fast Internet. 10x slower storage than a cheap USB disk? I don’t think you will find much such users…

It’s not only in the US that the large companies (not just Tesla) are forcing employees back to Office.
Here, especially the smaller companies need their employees in Office - and many employees prefer to work there (In a good environment, only, that’s clear! If the Boss is a backwards double SOB, I doubt it! :slight_smile: ).

I do agree with this statement, fully.

But this?

Where, exactly, do you read that in my statement?

Your self service solution was not really a IAM solution, was it?
Yet it allowed users to change passwords.

My point is: IAM is not needed to allow users to change passwords remotely via web - and per se doesn’t make this process any more secure.

However, your solution only allowed a password change, a misconfigured IAM would allow much more.

My 2 cents

I won’t argue about “most,” but I haven’t used my e-smith/SME/NethServer for that purpose, at least to any significant degree, for a very long time. NS is even less suitable than e-smith/SME was because it requires a full AD implementation in order to have any semblance of permissions for file shares. I use my NAS for this purpose; my NS box is really for web/mail.

Sure you will; it happens all the time. USB3 speeds are considerably faster than gigabit Ethernet, but people use local file servers all the time. And for that matter, they use cloud storage all the time. I doubt people are routinely using remote Neth servers for this purpose, but MS/Google/Apple clouds are very popular as you know.

No, but both within and outside .us, telework/remote work remains more common than it was five years ago. And some positions (most notably outside sales) have always been primarily remote.

In this:

As to this:

No, it wasn’t/isn’t–but I was responding only to your statement (quoted again above) that you don’t see any need for allowing password change over the Internet, not to the broader application of IAM.

A properly-configured IAM would also allow much more.

This is expletly for a “simple” solution - I do have quite a few SME clients who mostly work in the office, and certainly change passwords only when at the office… They do use smartphones for Mail / Calendar / Adressbooks (last two in Nextcloud).

Only about 40% of my clients support Remote (AKA Home Office) - Guacamole and others make this easy to provide - but they just don’t want it.

The two doctors use it, yes, but their partner at the practice does not. In both practices in the town of Zug…

Most employees find Home Office good / cool - but these are only the “office” workers.
The most have to do work, comprising of labor and office.

Even friends, having a server at home, only change their passwords when home.
(They do have VPN and could change it out of house, but so far, none have actually done it…)

I am aware that there are other use cases than my present clients.
But I’m also aware that the know-how to implement an IAM solution is often not there, Neither in the basics nor in the details, when it comes to security. At least in the most SME / Home environments, I’ll even add in Cloud and VPS users…

1 to 1 easy
1 to many, also easy
Many to many, opening Pandoras box!

Refering to the backend account directories…

My 2 cents