Hello!
It’s not simple to describe…
The admin used to update/add in this example is always the
“first” (full admin).
For example editing superuser policy (the first) I receive that error.
Also creating a new policy (webui) with User-Realm and User-Resolver
selected (example “realm = a, b” + “resolver = a-mysql, b-mysql”) I
receive the error.
Instead creating a new policy (webui) without User-Realm and
User-Resolver I can add it.
Certainly there is some problem with policy and multiple admin/realm
context.
Let me know if you need other details and excuse me if my description
was not clear
Thank you!
Sim
On Tuesday, May 10, 2016 at 12:08:05 PM UTC+2, Cornelius Kölbel wrote:
Hi Sim,
sorry, I was not clear enough.
Yes, you configured these two policies.
But AFTER you configured and saved these policies, you
obviously try to
write another policy and you get
"Admin actions are
defined, but the action policywrite is not allowed!"
So which administrator tries to write what policydata.
I need the administrator and the data of the third policy.
Kind regards
Cornelius
Am Dienstag, den 10.05.2016, 02:28 -0700 schrieb
simv...@gmail.com:
> Hello Cornelius,
> the policy are as my first post:
>
> Name = superuser
> scope = admin
> action = set, revoke, adduser, enrollSMS, policydelete,
policywrite,
> enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin,
resync,
> unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER,
deleteuser,
> enrollEMAIL, resolverdelete, enrollMOTP, enrollPW,
enrollHOTP,
> enrollQUESTION, enrollCERTIFICATE, copytokenuser,
configwrite,
> enrollTOTP, enrollREGISTRATION, enrollYUBICO,
resolverwrite,
> updateuser, enable, enrollU2F, manage_machine_tokens,
getrandom,
> userlist, getserial, radiusserver_write,
system_documentation,
> caconnectordelete, caconnectorwrite, disable,
mresolverdelete,
> copytokenpin, enrollRADIUS, smtpserver_write,
set_hsm_password, reset,
> getchallenges, enroll4EYES, enrollYUBIKEY,
fetch_authentication_items,
> enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY,
importtokens,
> assign, delete
> realm = a, b
> resolver = a-mysql, b-mysql
> user = admin
>
> Name = admin_b
> scope = admin
> action = set, revoke, adduser, resync, unassign,
tokenrealms,
> deleteuser, enrollTOTP, enrollREGISTRATION, updateuser,
enable,
> userlist, getserial, disable, reset, getchallenges,
losttoken, assign,
> delete
> realm = b
> resolver = b-mysql
> user = admin_b
>
>
> Administrator "admin" can't edit/add/change anything.
> For example I can't add a new "generic" policy or edit the
first
> policy.
>
> Thanks again
>
> ---
> Sim
>
>
> On Tuesday, May 10, 2016 at 10:25:56 AM UTC+2, Cornelius Kölbel wrote:
> Hi Sim,
>
> the enrollment thing was a pure UI problem.
>
> The error "Admin actions are defined, but the
action
> policywrite is not
> allowed!" is coming directly from the policy
checking of the
> server.
>
> I assume this is a side effect from the policy you
are
> creating.
> I further assume, you are creating a policy with a
realm set
> and he is
> mistaking this realm for the administrators realm.
>
> Can you please provide the data of the policy, you
are trying
> to set?
>
> Thanks a lot
> Cornelius
>
> Am Dienstag, den 10.05.2016, 00:36 -0700 schrieb
> simv...@gmail.com:
> > Hello
> >
> > I've patched manually
this: /privacyidea/lib/policy.py
> >
>
(https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)
> >
> > The "Tokens -> Enroll token -> Enroll a new token"
now work
> correctly,
> >
> > but "Config -> Policies -> EDIT/CREATE" show me:
"Admin
> actions are
> > defined, but the action policywrite is not
allowed!"
> >
> > I'm not sure if this is the same problem or not.
> >
> > Thank you!
> >
> > ---
> > Sim
> >
> >
> > On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel wrote:
> > Hi Sim,
> >
> >
> > In theory this is right. See my latest
email.
> > As far as the empty token type drop down
is
> concerned, this is
> > a UI bug.
> > So using the REST API should work.
> >
> >
> > Yes, login mode disable will not block
API.
> > (Afaik)
> >
> >
> > Local admins can always login. Independent
on the
> login mode.
> >
> >
> > Kind regards
> > Cornelius
> >
> >
> >
> >
> >
> >
> > Cornelius Kölbel
> > Corneliu...@netknights.it
> > +49 151 2960 1417
> >
> >
> > NetKnights GmbH
> > http://netknights.it
> > Landgraf-Karl-Str. 19, 34131 Kassel,
Germany
> > Tel: +49 561 3166797, Fax: +49 561
3166798
> >
> >
> > Amtsgericht Kassel, HRB 16405
> > Geschäftsführer: Cornelius Kölbel
> >
> >
> > -------- Ursprüngliche Nachricht --------
> > Von: simv...@gmail.com
> > Datum: 09.05.2016 16:22 (GMT+01:00)
> > An: privacyidea
<priva...@googlegroups.com>
> > Betreff: Re: [privacyidea] Add a second
admin for
> use with a
> > single realm
> >
> > Hello Cornelius,
> > currently I have a production server and
a
> development server
> > but both installed with apt-get.
> > It is not urgent, but can I ask you if
this is the
> correct
> > way? I need a "sub-administrator" for a
specific
> realm to use
> > ONLY with REST/API.
> > Otherwise I can create user in that
local-realm, add
> a Policy
> > scope: admin with that user (as my
example) and
> increase
> > security with a Policy webui
{ "login_mode":
> "disable" }.
> > In this way I'll block web access, but not
REST/API
> functions.
> > With "pi-manage admin add" the user will
be also
> able to
> > connect to web
> > Right?
> >
> > Thanks again
> >
> > ---
> > Sim
> >
> >
> >
> > On Monday, May 9, 2016 at 3:56:19 PM UTC +2, Cornelius Kölbel wrote:
> > Hi Sim,
> >
> > this seems due to the fact, that
the realm
> of the
> > admin is falsely used
> > as the user_realm when searching
for the
> policies.
> > Your admin is in no realm, so a
policy with
> an empty
> > user realm is
> > search. But your policy contains
correctly
> realmB.
> >
> > -> Bug with mixing up admin realm
and user
> realm.
> >
> > If you are willing to pull the git
repo, I
> will be
> > able to provide a fix
> > shortly.
> >
> > Kind regards
> > Cornelius
> >
> > Am Montag, den 09.05.2016, 05:59 0700 schrieb
> > simv...@gmail.com:
> > > Hello!
> > > I need to create a "sub-admin"
with
> administrative
> > power only for a
> > > specific realm.
> > >
> > > I've created two admin users
with
> "pi-manage
> > admin".
> > >
> > > # pi-manage admin list
> > > _Name email_
> > > admin None
> > > admin_b None
> > >
> > > Admin is the standard/full
administrator
> and admin_b
> > is the
> > > administrator for realm "b".
> > >
> > > These are the two policy
created:
> > >
> > > Name = superuser
> > > scope = admin
> > > action = set, revoke, adduser,
enrollSMS,
> > policydelete, policywrite,
> > > enrollTIQR, configdelete,
machinelist,
> enrollREMOTE,
> > setpin, resync,
> > > unassign, tokenrealms,
enrollSPASS,
> auditlog,
> > enrollPAPER, deleteuser,
> > > enrollEMAIL, resolverdelete,
enrollMOTP,
> enrollPW,
> > enrollHOTP,
> > > enrollQUESTION,
enrollCERTIFICATE,
> copytokenuser,
> > configwrite,
> > > enrollTOTP, enrollREGISTRATION,
> enrollYUBICO,
> > resolverwrite,
> > > updateuser, enable, enrollU2F,
> > manage_machine_tokens, getrandom,
> > > userlist, getserial,
radiusserver_write,
> > system_documentation,
> > > caconnectordelete,
caconnectorwrite,
> disable,
> > mresolverdelete,
> > > copytokenpin, enrollRADIUS,
> smtpserver_write,
> > set_hsm_password, reset,
> > > getchallenges, enroll4EYES,
> enrollYUBIKEY,
> > fetch_authentication_items,
> > > enrollDAPLUG, mresolverwrite,
losttoken,
> > enrollSSHKEY, importtokens,
> > > assign, delete
> > > realm = a, b
> > > resolver = a-mysql, b-mysql
> > > user = admin
> > >
> > > Name = admin_b
> > > scope = admin
> > > action = set, revoke, adduser,
resync,
> unassign,
> > tokenrealms,
> > > deleteuser, enrollTOTP,
> enrollREGISTRATION,
> > updateuser, enable,
> > > userlist, getserial, disable,
reset,
> getchallenges,
> > losttoken, assign,
> > > delete
> > > realm = b
> > > resolver = b-mysql
> > > user = admin_b
> > >
> > > Logging in with "admin" (via
WEB) I can
> manage
> > users/settings, but
> > > NOT:
> > >
> > > - Enroll a new token (the list
of TOKEN
> type is
> > NULL)
> > > - Edit the Policy (REPLY: Admin
actions
> are defined,
> > but the action
> > > policywrite is not allowed!)
> > >
> > > Logging in with
"admin_b" (always via WEB)
> the
> > options are limited
> > > but:
> > >
> > > admin_b can't see users for
realm "a", but
> can
> > create users for that
> > > realm ("a")!
> > >
> > > Removing the two policy "admin"
and
> "admin_b" can do
> > everything.
> > >
> > > Which is the best setting for
create
> administrative
> > account for use
> > > one specific realm by API?
> > >
> > > Thank you very much!
> > >
> > > ---
> > > Sim
> > >
> > > --
> > > Please read the blog post about
getting
> help
> > >
> https://www.privacyidea.org/getting-help/.
> > >
> > > For professional services and
consultancy
> regarding
> > two factor
> > > authentication please visit
> > >
> >
>
https://netknights.it/en/leistungen/one-time-services/
> > >
> > > In an enterprise environment you
should
> get a
> > SERVICE LEVEL AGREEMENT
> > > which suites your needs for
SECURITY,
> AVAILABILITY
> > and LIABILITY:
> > >
> >
>
https://netknights.it/en/leistungen/service-level-agreements/
> > > ---
> > > You received this message
because you are
> subscribed
> > to the Google
> > > Groups "privacyidea" group.
> > > To unsubscribe from this group
and stop
> receiving
> > emails from it, send
> > > an email to
> privacyidea...@googlegroups.com.
> > > To post to this group, send
email to
> > priva...@googlegroups.com.
> > > Visit this group at
> >
> https://groups.google.com/group/privacyidea.
> > > To view this discussion on the
web visit
> > >
> >
>
https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.
> > > For more options, visit
> >
https://groups.google.com/d/optout.
> >
> > --
> > Cornelius Kölbel
> > corneliu...@netknights.it
> > +49 151 2960 1417
> >
> > NetKnights GmbH
> > http://www.netknights.it
> > Landgraf-Karl-Str. 19, 34131
Kassel,
> Germany
> > Tel: +49 561 3166797, Fax: +49 561
3166798
> >
> > Amtsgericht Kassel, HRB 16405
> > Geschäftsführer: Cornelius Kölbel
> >
> >
> >
> >
> >
> --
> Cornelius Kölbel
> corneliu...@netknights.it
> +49 151 2960 1417
>
> NetKnights GmbH
> http://www.netknights.it
> Landgraf-Karl-Str. 19, 34131 Kassel, Germany
> Tel: +49 561 3166797, Fax: +49 561 3166798
>
> Amtsgericht Kassel, HRB 16405
> Geschäftsführer: Cornelius Kölbel
>
>
>
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two
factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL
AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and
LIABILITY:
>
https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the
Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails
from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to
priva...@googlegroups.com.
> Visit this group at
https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/privacyidea/c8600053-9710-4c59-a52f-a0d8ab7413a0%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
–
Please read the blog post about getting help
Getting help – privacyID3A.
For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/0dadb7a0-8c8c-499d-9e03-a99fc6427277%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.