Skip to main content

Prevent users from accessing ZITADEL console

ZITADEL includes a console that allows Managers to configure all resources. All uses, including end-users, by default, view and manage their profile information. In some use cases you want to prevent users from accessing the console, this could be:

  • User management is integrated into your own app
  • Users login via SSO and should not be able to change their data in the Console
  • Only managers should be able to access Console to manage their users

At the moment it is not possible to simply disable the Console but with the configuration described in this guide you can prevent users from accessing the Console.

Self-hosted

If you are running ZITADEL self-hosted we recommend to restrict the access to ZITADEL Console via WAF/reverse-proxy for Non-Manager users

ZITADEL Cloud (and self-hosted)

Default redirect url

One goal is to never send the end user to the ZITADEL management console. This does make sense if you build your own user profile page within your application. In that case you probably want to redirect the user to your own application, instead of to the console.

Read more about how to set the default redirect URI: Settings - Default Redirect URI

Restricting Console in default-project

With this workaround, you will limit users from accessing the default-project, if they are not explicitly granted to use this project. When setting the "Check for Project on Authentication" setting on a project, only users of organizations with a grant to that project can access it. By default, this setting is disabled, so all users can access the project.

Project Settings: Check for Project on authentication

Start by granting the organization of your managers, that should be able to access the Console, the default project:

  1. Click on the default-project > Grants > New + Project Settings: Default Project - Grants

  2. On the next screen select the organization to which you want to give the grant Project Settings: Grants - Choose Organization

  3. You can skip the screen with the role selection, and click save

  4. Make sure the grant is in now in the overview and marked as active.

To avoid accidental lock-out, the default project hides the checkbox "Check Project on Authentication" in the Console: Default Project

You need to use the update project API call to set the configuration on the project.

First you need a user with manager permissions to change the project settings in that organization. This means either you add the manager to the organization or you use a manager on the instance level with "IAM-OWNER" permissions. After that create a Personal Access Token (PAT) for the manager.

More detailed information about creating a PAT and manager roles you can find here

Then you have to send the following request:

curl -L -X PUT "https://$CUSTOM_DOMAIN/management/v1/projects/$PROJECT_ID" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H "Authorization: Bearer $PAT" \
--data-raw '{
"name": "ZITADEL",
"projectRoleAssertion": false,
"projectRoleCheck": false,
"hasProjectCheck": true,
"privateLabelingSetting": "PRIVATE_LABELING_SETTING_UNSPECIFIED"
}'

Where

  • CUSTOM_DOMAIN is your domain, f.e. mydemo.zitadel.cloud
  • PAT is your service user's personal access token
  • PROJECT_ID is the default-project's ID that can be found in Console, see screenshot above

You should now be able to login with users of organization that have the grant (in this example users of the organization "Customer-A"). All other users should see the following error message after authentication:

Console access restricted