As an administrator I want to do Unattended installation, without creating an administrator user

[merijng]

According to the Unattended installation feature documentation...

We would like to do an unattended installation, without creating an administrator user. As far as I know, this is currently not possible within Umbraco. Creating the admin user, but immediately turning it off is also a good solution for us.

Let me explain the reason...
Companies like ours don't want to create admin users. Instead of an admin user, we couple our Umbraco instances to Identity providers (Azure Active Directory, Identity Server, OpenIddict, etc.), using OpenId.

For one environment, it is simple to disable the user account. However, when you do many unattended installations, this becomes a time consuming job. Moreover, this can become a security issue. For example when OpenId is coupled, but the dummy account is not disabled (forgotten, for example).

I don't want to get into political discussions. However, one way or another we are moving towards an era of identities. For example, look at the European digital identity, or the more capitalist versions like Github authentication and Metamask. Non-Personal Accounts are therefore old-fashioned.

[bergmania]

Currently the admin user id is used as default value in some APIs. We already discussed that we wanna get rid of this, but not having the admin user would potentially break a lot of things as of today.

The use case makes good sense, but I think the only real workaround short term, is to use an external login provider and disable local logins.

[merijng]

@bergmania Good to know that. However doing this process manually might still be a security risk, when dummy acounts get left enabled. So automating this is would be the best solution, in my opinion.

How about an option to disable the admin account on creation (unattended installation)? Just like below:

{
  "Umbraco": {
    "CMS": {
      "Unattended": {
        "InstallUnattended": true,
        "UnattendedUserName": "FRIENDLY_NAME",
        "UnattendedUserEmail": "EMAIL",
        "UnattendedUserPassword": "PASSWORD",
        "UnattendedUserDisabled": true
      }
    }
  }
}

And then change the documentation part, like this:

{
  "Umbraco": {
    "CMS": {
      "Unattended": {
        "InstallUnattended": true,
        "UnattendedUserName": "FRIENDLY_NAME",
        "UnattendedUserEmail": "EMAIL",
        "UnattendedUserPassword": "PASSWORD",
        "UnattendedUserDisabled": false
      }
    }
  }
}

Umbraco__CMS__Unattended__InstallUnattended
Umbraco__CMS__Unattended__UnattendedUserName
Umbraco__CMS__Unattended__UnattendedUserEmail
Umbraco__CMS__Unattended__UnattendedUserPassword
Umbraco__CMS__Unattended__UnattendedDisabled

I think it would be useful to keep this property optional so that upgrades don't break.

[bergmania]

I just fear people will end up locking them selves out 😢

Out of box, this makes less sense as this would require an external login provider to be enabled and configured in a way that some people end up in all user groups. Otherwise you will have user groups
nobody can join.