Prevent users from accessing ZITADEL console
ZITADEL includes a console that allows Managers to configure all resources. All uses, including end-users, by default, view and manage their profile information. In some use cases you want to prevent users from accessing the console, this could be:
- User management is integrated into your own app
- Users login via SSO and should not be able to change their data in the Console
- Only managers should be able to access Console to manage their users
At the moment it is not possible to simply disable the Console but with the configuration described in this guide you can prevent users from accessing the Console.
Self-hosted​
If you are running ZITADEL self-hosted we recommend to restrict the access to ZITADEL Console via WAF/reverse-proxy for Non-Manager users
ZITADEL Cloud (and self-hosted)​
Default redirect url​
One goal is to never send the end user to the ZITADEL management console. This does make sense if you build your own user profile page within your application. In that case you probably want to redirect the user to your own application, instead of to the console.
Read more about how to set the default redirect URI: Settings - Default Redirect URI
Restricting Console in default-project​
With this workaround, you will limit users from accessing the default-project, if they are not explicitly granted to use this project. When setting the "Check for Project on Authentication" setting on a project, only users of organizations with a grant to that project can access it. By default, this setting is disabled, so all users can access the project.
Start by granting the organization of your managers, that should be able to access the Console, the default project:
-
Click on the default-project > Grants > New +
-
On the next screen select the organization to which you want to give the grant
-
You can skip the screen with the role selection, and click save
-
Make sure the grant is in now in the overview and marked as active.
To avoid accidental lock-out, the default project hides the checkbox "Check Project on Authentication" in the Console:
You need to use the update project API call to set the configuration on the project.
First you need a user with manager permissions to change the project settings in that organization. This means either you add the manager to the organization or you use a manager on the instance level with "IAM-OWNER" permissions. After that create a Personal Access Token (PAT) for the manager.
More detailed information about creating a PAT and manager roles you can find here
Then you have to send the following request:
curl -L -X PUT "https://$CUSTOM_DOMAIN/management/v1/projects/$PROJECT_ID" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H "Authorization: Bearer $PAT" \
--data-raw '{
"name": "ZITADEL",
"projectRoleAssertion": false,
"projectRoleCheck": false,
"hasProjectCheck": true,
"privateLabelingSetting": "PRIVATE_LABELING_SETTING_UNSPECIFIED"
}'
Where
- CUSTOM_DOMAIN is your domain, f.e. mydemo.zitadel.cloud
- PAT is your service user's personal access token
- PROJECT_ID is the default-project's ID that can be found in Console, see screenshot above
You should now be able to login with users of organization that have the grant (in this example users of the organization "Customer-A"). All other users should see the following error message after authentication: