Add a second admin for use with a single realm

Hello!
I need to create a “sub-admin” with administrative power only for a
specific realm.

I’ve created two admin users with “pi-manage admin”.

pi-manage admin list

Name email
admin None
admin_b None

Admin is the standard/full administrator and admin_b is the administrator
for realm “b”.

These are the two policy created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP,
enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable,
enrollU2F, manage_machine_tokens, getrandom, userlist, getserial,
radiusserver_write, system_documentation, caconnectordelete,
caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS,
smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES,
enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite,
losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser,
enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial,
disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with “admin” (via WEB) I can manage users/settings, but NOT:

  • Enroll a new token (the list of TOKEN type is NULL)
  • Edit the Policy (REPLY: Admin actions are defined, but the action
    policywrite is not allowed!)

Logging in with “admin_b” (always via WEB) the options are limited but:

admin_b can’t see users for realm “a”, but can create users for that realm
(“a”)!

Removing the two policy “admin” and “admin_b” can do everything.

Which is the best setting for create administrative account for use one
specific realm by API?

Thank you very much!—
Sim

Hello Cornelius,
currently I have a production server and a development server but both
installed with apt-get.
It is not urgent, but can I ask you if this is the correct way? I need a
"sub-administrator" for a specific realm to use ONLY with REST/API.
Otherwise I can create user in that local-realm, add a Policy scope: admin
with that user (as my example) and increase security with a Policy webui {
“login_mode”: “disable” }.
In this way I’ll block web access, but not REST/API functions.
With “pi-manage admin add” the user will be also able to connect to web
Right?

Thanks again—
Sim

On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

this seems due to the fact, that the realm of the admin is falsely used
as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is
search. But your policy contains correctly realmB.

-> Bug with mixing up admin realm and user realm.

If you are willing to pull the git repo, I will be able to provide a fix
shortly.

Kind regards
Cornelius

Am Montag, den 09.05.2016, 05:59 -0700 schrieb simv...@gmail.com
<javascript:>:

Hello!
I need to create a “sub-admin” with administrative power only for a
specific realm.

I’ve created two admin users with “pi-manage admin”.

pi-manage admin list

Name email
admin None
admin_b None

Admin is the standard/full administrator and admin_b is the
administrator for realm “b”.

These are the two policy created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with “admin” (via WEB) I can manage users/settings, but
NOT:

  • Enroll a new token (the list of TOKEN type is NULL)
  • Edit the Policy (REPLY: Admin actions are defined, but the action
    policywrite is not allowed!)

Logging in with “admin_b” (always via WEB) the options are limited
but:

admin_b can’t see users for realm “a”, but can create users for that
realm (“a”)!

Removing the two policy “admin” and “admin_b” can do everything.

Which is the best setting for create administrative account for use
one specific realm by API?

Thank you very much!


Sim


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi Sim,

this seems due to the fact, that the realm of the admin is falsely used
as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is
search. But your policy contains correctly realmB.

-> Bug with mixing up admin realm and user realm.

If you are willing to pull the git repo, I will be able to provide a fix
shortly.

Kind regards
CorneliusAm Montag, den 09.05.2016, 05:59 -0700 schrieb simvirus@gmail.com:

Hello!
I need to create a “sub-admin” with administrative power only for a
specific realm.

I’ve created two admin users with “pi-manage admin”.

pi-manage admin list

Name email
admin None
admin_b None

Admin is the standard/full administrator and admin_b is the
administrator for realm “b”.

These are the two policy created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with “admin” (via WEB) I can manage users/settings, but
NOT:

  • Enroll a new token (the list of TOKEN type is NULL)
  • Edit the Policy (REPLY: Admin actions are defined, but the action
    policywrite is not allowed!)

Logging in with “admin_b” (always via WEB) the options are limited
but:

admin_b can’t see users for realm “a”, but can create users for that
realm (“a”)!

Removing the two policy “admin” and “admin_b” can do everything.

Which is the best setting for create administrative account for use
one specific realm by API?

Thank you very much!


Sim


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hello

I’ve patched manually this: /privacyidea/lib/policy.py
(https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)

The “Tokens -> Enroll token -> Enroll a new token” now work correctly,

but “Config -> Policies -> EDIT/CREATE” show me: “Admin actions are
defined, but the action policywrite is not allowed!”

I’m not sure if this is the same problem or not.

Thank you!—
Sim

On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

In theory this is right. See my latest email.
As far as the empty token type drop down is concerned, this is a UI bug.
So using the REST API should work.

Yes, login mode disable will not block API.
(Afaik)

Local admins can always login. Independent on the login mode.

Kind regards
Cornelius

Cornelius Kölbel
Corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

-------- Ursprüngliche Nachricht --------
Von: simv...@gmail.com <javascript:>
Datum: 09.05.2016 16:22 (GMT+01:00)
An: privacyidea <priva...@googlegroups.com <javascript:>>
Betreff: Re: [privacyidea] Add a second admin for use with a single realm

Hello Cornelius,
currently I have a production server and a development server but both
installed with apt-get.
It is not urgent, but can I ask you if this is the correct way? I need a
"sub-administrator" for a specific realm to use ONLY with REST/API.
Otherwise I can create user in that local-realm, add a Policy scope: admin
with that user (as my example) and increase security with a Policy webui {
“login_mode”: “disable” }.
In this way I’ll block web access, but not REST/API functions.
With “pi-manage admin add” the user will be also able to connect to web
Right?

Thanks again


Sim

On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

this seems due to the fact, that the realm of the admin is falsely used
as the user_realm when searching for the policies.
Your admin is in no realm, so a policy with an empty user realm is
search. But your policy contains correctly realmB.

-> Bug with mixing up admin realm and user realm.

If you are willing to pull the git repo, I will be able to provide a fix
shortly.

Kind regards
Cornelius

Am Montag, den 09.05.2016, 05:59 -0700 schrieb simv...@gmail.com:

Hello!
I need to create a “sub-admin” with administrative power only for a
specific realm.

I’ve created two admin users with “pi-manage admin”.

pi-manage admin list

Name email
admin None
admin_b None

Admin is the standard/full administrator and admin_b is the
administrator for realm “b”.

These are the two policy created:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b

Logging in with “admin” (via WEB) I can manage users/settings, but
NOT:

  • Enroll a new token (the list of TOKEN type is NULL)
  • Edit the Policy (REPLY: Admin actions are defined, but the action
    policywrite is not allowed!)

Logging in with “admin_b” (always via WEB) the options are limited
but:

admin_b can’t see users for realm “a”, but can create users for that
realm (“a”)!

Removing the two policy “admin” and “admin_b” can do everything.

Which is the best setting for create administrative account for use
one specific realm by API?

Thank you very much!


Sim


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google Groups
"privacyidea" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/e93fd56e-e647-4ad2-a7d3-06cfa5950b87%40googlegroups.com
https://groups.google.com/d/msgid/privacyidea/e93fd56e-e647-4ad2-a7d3-06cfa5950b87%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

Hi Sim,

sorry, I was not clear enough.

Yes, you configured these two policies.
But AFTER you configured and saved these policies, you obviously try to
write another policy and you get

“Admin actions are
defined, but the action policywrite is not allowed!”

So which administrator tries to write what policydata.
I need the administrator and the data of the third policy.

Kind regards
CorneliusAm Dienstag, den 10.05.2016, 02:28 -0700 schrieb simvirus@gmail.com:

Hello Cornelius,
the policy are as my first post:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b

Administrator “admin” can’t edit/add/change anything.
For example I can’t add a new “generic” policy or edit the first
policy.

Thanks again


Sim

On Tuesday, May 10, 2016 at 10:25:56 AM UTC+2, Cornelius Kölbel wrote:
Hi Sim,

    the enrollment thing was a pure UI problem. 
    
    The error "Admin actions are defined, but the action
    policywrite is not 
    allowed!" is coming directly from the policy checking of the
    server. 
    
    I assume this is a side effect from the policy you are
    creating. 
    I further assume, you are creating a policy with a realm set
    and he is 
    mistaking this realm for the administrators realm. 
    
    Can you please provide the data of the policy, you are trying
    to set? 
    
    Thanks a lot 
    Cornelius 
    
    Am Dienstag, den 10.05.2016, 00:36 -0700 schrieb
    simv...@gmail.com: 
    > Hello 
    > 
    > I've patched manually this: /privacyidea/lib/policy.py 
    >
    (https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479) 
    > 
    > The "Tokens -> Enroll token -> Enroll a new token" now work
    correctly, 
    > 
    > but "Config -> Policies -> EDIT/CREATE" show me: "Admin
    actions are 
    > defined, but the action policywrite is not allowed!" 
    > 
    > I'm not sure if this is the same problem or not. 
    > 
    > Thank you! 
    > 
    > --- 
    > Sim 
    > 
    > 
    > On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel wrote: 
    >         Hi Sim, 
    >         
    >         
    >         In theory this is right. See my latest email. 
    >         As far as the empty token type drop down is
    concerned, this is 
    >         a UI bug. 
    >         So using the REST API should work. 
    >         
    >         
    >         Yes, login mode disable will not block API. 
    >         (Afaik) 
    >         
    >         
    >         Local admins can always login. Independent on the
    login mode. 
    >         
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         
    >         
    >         
    >         
    >         Cornelius Kölbel 
    >         Corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         
    >         NetKnights GmbH 
    >         http://netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    >         -------- Ursprüngliche Nachricht -------- 
    >         Von: simv...@gmail.com 
    >         Datum: 09.05.2016 16:22 (GMT+01:00) 
    >         An: privacyidea <priva...@googlegroups.com> 
    >         Betreff: Re: [privacyidea] Add a second admin for
    use with a 
    >         single realm 
    >         
    >         Hello Cornelius, 
    >         currently I have a production server and a
    development server 
    >         but both installed with apt-get. 
    >         It is not urgent, but can I ask you if this is the
    correct 
    >         way? I need a "sub-administrator" for a specific
    realm to use 
    >         ONLY with REST/API. 
    >         Otherwise I can create user in that local-realm, add
    a Policy 
    >         scope: admin with that user (as my example) and
    increase 
    >         security with a Policy webui { "login_mode":
    "disable" }. 
    >         In this way I'll block web access, but not REST/API
    functions. 
    >         With "pi-manage admin add" the user will be also
    able to 
    >         connect to web 
    >         Right? 
    >         
    >         Thanks again 
    >         
    >         --- 
    >         Sim 
    >         
    >         
    >         
    >         On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel  wrote: 
    >                 Hi Sim, 
    >                 
    >                 this seems due to the fact, that the realm
    of the 
    >                 admin is falsely used 
    >                 as the user_realm when searching for the
    policies. 
    >                 Your admin is in no realm, so a policy with
    an empty 
    >                 user realm is 
    >                 search. But your policy contains correctly
    realmB. 
    >                 
    >                 -> Bug with mixing up admin realm and user
    realm. 
    >                 
    >                 If you are willing to pull the git repo, I
    will be 
    >                 able to provide a fix 
    >                 shortly. 
    >                 
    >                 Kind regards 
    >                 Cornelius 
    >                 
    >                 Am Montag, den 09.05.2016, 05:59 -0700 schrieb 
    >                 simv...@gmail.com: 
    >                 > Hello! 
    >                 > I need to create a "sub-admin" with
    administrative 
    >                 power only for a 
    >                 > specific realm. 
    >                 > 
    >                 > I've created two admin users with
    "pi-manage 
    >                 admin". 
    >                 > 
    >                 > # pi-manage admin list 
    >                 > _Name    email_ 
    >                 > admin    None 
    >                 > admin_b  None 
    >                 > 
    >                 > Admin is the standard/full administrator
    and admin_b 
    >                 is the 
    >                 > administrator for realm "b". 
    >                 > 
    >                 > These are the two policy created: 
    >                 > 
    >                 > Name = superuser 
    >                 > scope = admin 
    >                 > action = set, revoke, adduser, enrollSMS, 
    >                 policydelete, policywrite, 
    >                 > enrollTIQR, configdelete, machinelist,
    enrollREMOTE, 
    >                 setpin, resync, 
    >                 > unassign, tokenrealms, enrollSPASS,
    auditlog, 
    >                 enrollPAPER, deleteuser, 
    >                 > enrollEMAIL, resolverdelete, enrollMOTP,
    enrollPW, 
    >                 enrollHOTP, 
    >                 > enrollQUESTION, enrollCERTIFICATE,
    copytokenuser, 
    >                 configwrite, 
    >                 > enrollTOTP, enrollREGISTRATION,
    enrollYUBICO, 
    >                 resolverwrite, 
    >                 > updateuser, enable, enrollU2F, 
    >                 manage_machine_tokens, getrandom, 
    >                 > userlist, getserial, radiusserver_write, 
    >                 system_documentation, 
    >                 > caconnectordelete, caconnectorwrite,
    disable, 
    >                 mresolverdelete, 
    >                 > copytokenpin, enrollRADIUS,
    smtpserver_write, 
    >                 set_hsm_password, reset, 
    >                 > getchallenges, enroll4EYES,
    enrollYUBIKEY, 
    >                 fetch_authentication_items, 
    >                 > enrollDAPLUG, mresolverwrite, losttoken, 
    >                 enrollSSHKEY, importtokens, 
    >                 > assign, delete 
    >                 > realm = a, b 
    >                 > resolver = a-mysql, b-mysql 
    >                 > user = admin 
    >                 > 
    >                 > Name = admin_b 
    >                 > scope = admin 
    >                 > action = set, revoke, adduser, resync,
    unassign, 
    >                 tokenrealms, 
    >                 > deleteuser, enrollTOTP,
    enrollREGISTRATION, 
    >                 updateuser, enable, 
    >                 > userlist, getserial, disable, reset,
    getchallenges, 
    >                 losttoken, assign, 
    >                 > delete 
    >                 > realm = b 
    >                 > resolver = b-mysql 
    >                 > user = admin_b 
    >                 > 
    >                 > Logging in with "admin" (via WEB) I can
    manage 
    >                 users/settings, but 
    >                 > NOT: 
    >                 > 
    >                 > - Enroll a new token (the list of TOKEN
    type is 
    >                 NULL) 
    >                 > - Edit the Policy (REPLY: Admin actions
    are defined, 
    >                 but the action 
    >                 > policywrite is not allowed!) 
    >                 > 
    >                 > Logging in with "admin_b" (always via WEB)
    the 
    >                 options are limited 
    >                 > but: 
    >                 > 
    >                 > admin_b can't see users for realm "a", but
    can 
    >                 create users for that 
    >                 > realm ("a")! 
    >                 > 
    >                 > Removing the two policy "admin" and
    "admin_b" can do 
    >                 everything. 
    >                 > 
    >                 > Which is the best setting for create
    administrative 
    >                 account for use 
    >                 > one specific realm by API? 
    >                 > 
    >                 > Thank you very much! 
    >                 > 
    >                 > --- 
    >                 > Sim 
    >                 > 
    >                 > -- 
    >                 > Please read the blog post about getting
    help 
    >                 >
    https://www.privacyidea.org/getting-help/. 
    >                 >   
    >                 > For professional services and consultancy
    regarding 
    >                 two factor 
    >                 > authentication please visit 
    >                 > 
    >
    https://netknights.it/en/leistungen/one-time-services/ 
    >                 >   
    >                 > In an enterprise environment you should
    get a 
    >                 SERVICE LEVEL AGREEMENT 
    >                 > which suites your needs for SECURITY,
    AVAILABILITY 
    >                 and LIABILITY: 
    >                 > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >                 > --- 
    >                 > You received this message because you are
    subscribed 
    >                 to the Google 
    >                 > Groups "privacyidea" group. 
    >                 > To unsubscribe from this group and stop
    receiving 
    >                 emails from it, send 
    >                 > an email to
    privacyidea...@googlegroups.com. 
    >                 > To post to this group, send email to 
    >                 priva...@googlegroups.com. 
    >                 > Visit this group at 
    >
    https://groups.google.com/group/privacyidea. 
    >                 > To view this discussion on the web visit 
    >                 > 
    >
    https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com. 
    >                 > For more options, visit 
    >                 https://groups.google.com/d/optout. 
    >                 
    >                 -- 
    >                 Cornelius Kölbel 
    >                 corneliu...@netknights.it 
    >                 +49 151 2960 1417 
    >                 
    >                 NetKnights GmbH 
    >                 http://www.netknights.it 
    >                 Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >                 Tel: +49 561 3166797, Fax: +49 561 3166798 
    >                 
    >                 Amtsgericht Kassel, HRB 16405 
    >                 Geschäftsführer: Cornelius Kölbel 
    >                 
    >                 
    >         
    > 
    > 
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/c8600053-9710-4c59-a52f-a0d8ab7413a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Sim,

the enrollment thing was a pure UI problem.

The error “Admin actions are defined, but the action policywrite is not
allowed!” is coming directly from the policy checking of the server.

I assume this is a side effect from the policy you are creating.
I further assume, you are creating a policy with a realm set and he is
mistaking this realm for the administrators realm.

Can you please provide the data of the policy, you are trying to set?

Thanks a lot
CorneliusAm Dienstag, den 10.05.2016, 00:36 -0700 schrieb simvirus@gmail.com:

Hello

I’ve patched manually this: /privacyidea/lib/policy.py
(https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)

The “Tokens -> Enroll token -> Enroll a new token” now work correctly,

but “Config -> Policies -> EDIT/CREATE” show me: “Admin actions are
defined, but the action policywrite is not allowed!”

I’m not sure if this is the same problem or not.

Thank you!


Sim

On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel wrote:
Hi Sim,

    In theory this is right. See my latest email.
    As far as the empty token type drop down is concerned, this is
    a UI bug.
    So using the REST API should work. 
    
    
    Yes, login mode disable will not block API.
    (Afaik)
    
    
    Local admins can always login. Independent on the login mode.
    
    
    Kind regards
    Cornelius 
    
    
    
    
    
    
    Cornelius Kölbel
    Corneliu...@netknights.it
    +49 151 2960 1417
    
    
    NetKnights GmbH
    http://netknights.it
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    Tel: +49 561 3166797, Fax: +49 561 3166798
    
    
    Amtsgericht Kassel, HRB 16405
    Geschäftsführer: Cornelius Kölbel
    
    
    -------- Ursprüngliche Nachricht --------
    Von: simv...@gmail.com 
    Datum: 09.05.2016 16:22 (GMT+01:00) 
    An: privacyidea <priva...@googlegroups.com> 
    Betreff: Re: [privacyidea] Add a second admin for use with a
    single realm 
    
    Hello Cornelius,
    currently I have a production server and a development server
    but both installed with apt-get.
    It is not urgent, but can I ask you if this is the correct
    way? I need a "sub-administrator" for a specific realm to use
    ONLY with REST/API.
    Otherwise I can create user in that local-realm, add a Policy
    scope: admin with that user (as my example) and increase
    security with a Policy webui { "login_mode": "disable" }.
    In this way I'll block web access, but not REST/API functions.
    With "pi-manage admin add" the user will be also able to
    connect to web
    Right?
    
    Thanks again
    
    ---
    Sim
    
    
    
    On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel wrote:
            Hi Sim, 
            
            this seems due to the fact, that the realm of the
            admin is falsely used 
            as the user_realm when searching for the policies. 
            Your admin is in no realm, so a policy with an empty
            user realm is 
            search. But your policy contains correctly realmB. 
            
            -> Bug with mixing up admin realm and user realm. 
            
            If you are willing to pull the git repo, I will be
            able to provide a fix 
            shortly. 
            
            Kind regards 
            Cornelius 
            
            Am Montag, den 09.05.2016, 05:59 -0700 schrieb
            simv...@gmail.com: 
            > Hello! 
            > I need to create a "sub-admin" with administrative
            power only for a 
            > specific realm. 
            > 
            > I've created two admin users with "pi-manage
            admin". 
            > 
            > # pi-manage admin list 
            > _Name    email_ 
            > admin    None 
            > admin_b  None 
            > 
            > Admin is the standard/full administrator and admin_b
            is the 
            > administrator for realm "b". 
            > 
            > These are the two policy created: 
            > 
            > Name = superuser 
            > scope = admin 
            > action = set, revoke, adduser, enrollSMS,
            policydelete, policywrite, 
            > enrollTIQR, configdelete, machinelist, enrollREMOTE,
            setpin, resync, 
            > unassign, tokenrealms, enrollSPASS, auditlog,
            enrollPAPER, deleteuser, 
            > enrollEMAIL, resolverdelete, enrollMOTP, enrollPW,
            enrollHOTP, 
            > enrollQUESTION, enrollCERTIFICATE, copytokenuser,
            configwrite, 
            > enrollTOTP, enrollREGISTRATION, enrollYUBICO,
            resolverwrite, 
            > updateuser, enable, enrollU2F,
            manage_machine_tokens, getrandom, 
            > userlist, getserial, radiusserver_write,
            system_documentation, 
            > caconnectordelete, caconnectorwrite, disable,
            mresolverdelete, 
            > copytokenpin, enrollRADIUS, smtpserver_write,
            set_hsm_password, reset, 
            > getchallenges, enroll4EYES, enrollYUBIKEY,
            fetch_authentication_items, 
            > enrollDAPLUG, mresolverwrite, losttoken,
            enrollSSHKEY, importtokens, 
            > assign, delete 
            > realm = a, b 
            > resolver = a-mysql, b-mysql 
            > user = admin 
            > 
            > Name = admin_b 
            > scope = admin 
            > action = set, revoke, adduser, resync, unassign,
            tokenrealms, 
            > deleteuser, enrollTOTP, enrollREGISTRATION,
            updateuser, enable, 
            > userlist, getserial, disable, reset, getchallenges,
            losttoken, assign, 
            > delete 
            > realm = b 
            > resolver = b-mysql 
            > user = admin_b 
            > 
            > Logging in with "admin" (via WEB) I can manage
            users/settings, but 
            > NOT: 
            > 
            > - Enroll a new token (the list of TOKEN type is
            NULL) 
            > - Edit the Policy (REPLY: Admin actions are defined,
            but the action 
            > policywrite is not allowed!) 
            > 
            > Logging in with "admin_b" (always via WEB) the
            options are limited 
            > but: 
            > 
            > admin_b can't see users for realm "a", but can
            create users for that 
            > realm ("a")! 
            > 
            > Removing the two policy "admin" and "admin_b" can do
            everything. 
            > 
            > Which is the best setting for create administrative
            account for use 
            > one specific realm by API? 
            > 
            > Thank you very much! 
            > 
            > --- 
            > Sim 
            > 
            > -- 
            > Please read the blog post about getting help 
            > https://www.privacyidea.org/getting-help/. 
            >   
            > For professional services and consultancy regarding
            two factor 
            > authentication please visit 
            >
            https://netknights.it/en/leistungen/one-time-services/ 
            >   
            > In an enterprise environment you should get a
            SERVICE LEVEL AGREEMENT 
            > which suites your needs for SECURITY, AVAILABILITY
            and LIABILITY: 
            >
            https://netknights.it/en/leistungen/service-level-agreements/ 
            > --- 
            > You received this message because you are subscribed
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to
            priva...@googlegroups.com. 
            > Visit this group at
            https://groups.google.com/group/privacyidea. 
            > To view this discussion on the web visit 
            >
            https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com. 
            > For more options, visit
            https://groups.google.com/d/optout. 
            
            -- 
            Cornelius Kölbel 
            corneliu...@netknights.it 
            +49 151 2960 1417 
            
            NetKnights GmbH 
            http://www.netknights.it 
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            Tel: +49 561 3166797, Fax: +49 561 3166798 
            
            Amtsgericht Kassel, HRB 16405 
            Geschäftsführer: Cornelius Kölbel 


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Sim,

thanks. But I absolutely can not reproduce this.
Can you please turn on debug log
http://privacyidea.readthedocs.io/en/latest/installation/system/logging.html
and reproduce this?

(Unfortunately this code does not have much log outputs there, but we
will try).
Then send me the debug log and I will try to understand, what is
happening.

Kind regards
CorneliusAm Dienstag, den 10.05.2016, 05:13 -0700 schrieb simvirus@gmail.com:

Hello!
It’s not simple to describe…
The admin used to update/add in this example is always the
“first” (full admin).
For example editing superuser policy (the first) I receive that error.
Also creating a new policy (webui) with User-Realm and User-Resolver
selected (example “realm = a, b” + “resolver = a-mysql, b-mysql”) I
receive the error.
Instead creating a new policy (webui) without User-Realm and
User-Resolver I can add it.

Certainly there is some problem with policy and multiple admin/realm
context.

Let me know if you need other details and excuse me if my description
was not clear
Thank you!


Sim

On Tuesday, May 10, 2016 at 12:08:05 PM UTC+2, Cornelius Kölbel wrote:
Hi Sim,

    sorry, I was not clear enough. 
    
    Yes, you configured these two policies. 
    But AFTER you configured and saved these policies, you
    obviously try to 
    write another policy and you get 
    
    "Admin actions are 
    defined, but the action policywrite is not allowed!" 
    
    So which administrator tries to write what policydata. 
    I need the administrator and the data of the third policy. 
    
    Kind regards 
    Cornelius 
    
    Am Dienstag, den 10.05.2016, 02:28 -0700 schrieb
    simv...@gmail.com: 
    > Hello Cornelius, 
    > the policy are as my first post: 
    > 
    > Name = superuser 
    > scope = admin 
    > action = set, revoke, adduser, enrollSMS, policydelete,
    policywrite, 
    > enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin,
    resync, 
    > unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER,
    deleteuser, 
    > enrollEMAIL, resolverdelete, enrollMOTP, enrollPW,
    enrollHOTP, 
    > enrollQUESTION, enrollCERTIFICATE, copytokenuser,
    configwrite, 
    > enrollTOTP, enrollREGISTRATION, enrollYUBICO,
    resolverwrite, 
    > updateuser, enable, enrollU2F, manage_machine_tokens,
    getrandom, 
    > userlist, getserial, radiusserver_write,
    system_documentation, 
    > caconnectordelete, caconnectorwrite, disable,
    mresolverdelete, 
    > copytokenpin, enrollRADIUS, smtpserver_write,
    set_hsm_password, reset, 
    > getchallenges, enroll4EYES, enrollYUBIKEY,
    fetch_authentication_items, 
    > enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY,
    importtokens, 
    > assign, delete 
    > realm = a, b 
    > resolver = a-mysql, b-mysql 
    > user = admin 
    > 
    > Name = admin_b 
    > scope = admin 
    > action = set, revoke, adduser, resync, unassign,
    tokenrealms, 
    > deleteuser, enrollTOTP, enrollREGISTRATION, updateuser,
    enable, 
    > userlist, getserial, disable, reset, getchallenges,
    losttoken, assign, 
    > delete 
    > realm = b 
    > resolver = b-mysql 
    > user = admin_b 
    > 
    > 
    > Administrator "admin" can't edit/add/change anything. 
    > For example I can't add a new "generic" policy or edit the
    first 
    > policy. 
    > 
    > Thanks again 
    > 
    > --- 
    > Sim 
    > 
    > 
    > On Tuesday, May 10, 2016 at 10:25:56 AM UTC+2, Cornelius Kölbel wrote: 
    >         Hi Sim, 
    >         
    >         the enrollment thing was a pure UI problem. 
    >         
    >         The error "Admin actions are defined, but the
    action 
    >         policywrite is not 
    >         allowed!" is coming directly from the policy
    checking of the 
    >         server. 
    >         
    >         I assume this is a side effect from the policy you
    are 
    >         creating. 
    >         I further assume, you are creating a policy with a
    realm set 
    >         and he is 
    >         mistaking this realm for the administrators realm. 
    >         
    >         Can you please provide the data of the policy, you
    are trying 
    >         to set? 
    >         
    >         Thanks a lot 
    >         Cornelius 
    >         
    >         Am Dienstag, den 10.05.2016, 00:36 -0700 schrieb 
    >         simv...@gmail.com: 
    >         > Hello 
    >         > 
    >         > I've patched manually
    this: /privacyidea/lib/policy.py 
    >         > 
    >
    (https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479) 
    >         > 
    >         > The "Tokens -> Enroll token -> Enroll a new token"
    now work 
    >         correctly, 
    >         > 
    >         > but "Config -> Policies -> EDIT/CREATE" show me:
    "Admin 
    >         actions are 
    >         > defined, but the action policywrite is not
    allowed!" 
    >         > 
    >         > I'm not sure if this is the same problem or not. 
    >         > 
    >         > Thank you! 
    >         > 
    >         > --- 
    >         > Sim 
    >         > 
    >         > 
    >         > On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel  wrote: 
    >         >         Hi Sim, 
    >         >         
    >         >         
    >         >         In theory this is right. See my latest
    email. 
    >         >         As far as the empty token type drop down
    is 
    >         concerned, this is 
    >         >         a UI bug. 
    >         >         So using the REST API should work. 
    >         >         
    >         >         
    >         >         Yes, login mode disable will not block
    API. 
    >         >         (Afaik) 
    >         >         
    >         >         
    >         >         Local admins can always login. Independent
    on the 
    >         login mode. 
    >         >         
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         
    >         >         Cornelius Kölbel 
    >         >         Corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         >         -------- Ursprüngliche Nachricht -------- 
    >         >         Von: simv...@gmail.com 
    >         >         Datum: 09.05.2016 16:22 (GMT+01:00) 
    >         >         An: privacyidea
    <priva...@googlegroups.com> 
    >         >         Betreff: Re: [privacyidea] Add a second
    admin for 
    >         use with a 
    >         >         single realm 
    >         >         
    >         >         Hello Cornelius, 
    >         >         currently I have a production server and
    a 
    >         development server 
    >         >         but both installed with apt-get. 
    >         >         It is not urgent, but can I ask you if
    this is the 
    >         correct 
    >         >         way? I need a "sub-administrator" for a
    specific 
    >         realm to use 
    >         >         ONLY with REST/API. 
    >         >         Otherwise I can create user in that
    local-realm, add 
    >         a Policy 
    >         >         scope: admin with that user (as my
    example) and 
    >         increase 
    >         >         security with a Policy webui
    { "login_mode": 
    >         "disable" }. 
    >         >         In this way I'll block web access, but not
    REST/API 
    >         functions. 
    >         >         With "pi-manage admin add" the user will
    be also 
    >         able to 
    >         >         connect to web 
    >         >         Right? 
    >         >         
    >         >         Thanks again 
    >         >         
    >         >         --- 
    >         >         Sim 
    >         >         
    >         >         
    >         >         
    >         >         On Monday, May 9, 2016 at 3:56:19 PM UTC +2,  Cornelius Kölbel  wrote: 
    >         >                 Hi Sim, 
    >         >                 
    >         >                 this seems due to the fact, that
    the realm 
    >         of the 
    >         >                 admin is falsely used 
    >         >                 as the user_realm when searching
    for the 
    >         policies. 
    >         >                 Your admin is in no realm, so a
    policy with 
    >         an empty 
    >         >                 user realm is 
    >         >                 search. But your policy contains
    correctly 
    >         realmB. 
    >         >                 
    >         >                 -> Bug with mixing up admin realm
    and user 
    >         realm. 
    >         >                 
    >         >                 If you are willing to pull the git
    repo, I 
    >         will be 
    >         >                 able to provide a fix 
    >         >                 shortly. 
    >         >                 
    >         >                 Kind regards 
    >         >                 Cornelius 
    >         >                 
    >         >                 Am Montag, den 09.05.2016, 05:59 0700  schrieb 
    >         >                 simv...@gmail.com: 
    >         >                 > Hello! 
    >         >                 > I need to create a "sub-admin"
    with 
    >         administrative 
    >         >                 power only for a 
    >         >                 > specific realm. 
    >         >                 > 
    >         >                 > I've created two admin users
    with 
    >         "pi-manage 
    >         >                 admin". 
    >         >                 > 
    >         >                 > # pi-manage admin list 
    >         >                 > _Name    email_ 
    >         >                 > admin    None 
    >         >                 > admin_b  None 
    >         >                 > 
    >         >                 > Admin is the standard/full
    administrator 
    >         and admin_b 
    >         >                 is the 
    >         >                 > administrator for realm "b". 
    >         >                 > 
    >         >                 > These are the two policy
    created: 
    >         >                 > 
    >         >                 > Name = superuser 
    >         >                 > scope = admin 
    >         >                 > action = set, revoke, adduser,
    enrollSMS, 
    >         >                 policydelete, policywrite, 
    >         >                 > enrollTIQR, configdelete,
    machinelist, 
    >         enrollREMOTE, 
    >         >                 setpin, resync, 
    >         >                 > unassign, tokenrealms,
    enrollSPASS, 
    >         auditlog, 
    >         >                 enrollPAPER, deleteuser, 
    >         >                 > enrollEMAIL, resolverdelete,
    enrollMOTP, 
    >         enrollPW, 
    >         >                 enrollHOTP, 
    >         >                 > enrollQUESTION,
    enrollCERTIFICATE, 
    >         copytokenuser, 
    >         >                 configwrite, 
    >         >                 > enrollTOTP, enrollREGISTRATION, 
    >         enrollYUBICO, 
    >         >                 resolverwrite, 
    >         >                 > updateuser, enable, enrollU2F, 
    >         >                 manage_machine_tokens, getrandom, 
    >         >                 > userlist, getserial,
    radiusserver_write, 
    >         >                 system_documentation, 
    >         >                 > caconnectordelete,
    caconnectorwrite, 
    >         disable, 
    >         >                 mresolverdelete, 
    >         >                 > copytokenpin, enrollRADIUS, 
    >         smtpserver_write, 
    >         >                 set_hsm_password, reset, 
    >         >                 > getchallenges, enroll4EYES, 
    >         enrollYUBIKEY, 
    >         >                 fetch_authentication_items, 
    >         >                 > enrollDAPLUG, mresolverwrite,
    losttoken, 
    >         >                 enrollSSHKEY, importtokens, 
    >         >                 > assign, delete 
    >         >                 > realm = a, b 
    >         >                 > resolver = a-mysql, b-mysql 
    >         >                 > user = admin 
    >         >                 > 
    >         >                 > Name = admin_b 
    >         >                 > scope = admin 
    >         >                 > action = set, revoke, adduser,
    resync, 
    >         unassign, 
    >         >                 tokenrealms, 
    >         >                 > deleteuser, enrollTOTP, 
    >         enrollREGISTRATION, 
    >         >                 updateuser, enable, 
    >         >                 > userlist, getserial, disable,
    reset, 
    >         getchallenges, 
    >         >                 losttoken, assign, 
    >         >                 > delete 
    >         >                 > realm = b 
    >         >                 > resolver = b-mysql 
    >         >                 > user = admin_b 
    >         >                 > 
    >         >                 > Logging in with "admin" (via
    WEB) I can 
    >         manage 
    >         >                 users/settings, but 
    >         >                 > NOT: 
    >         >                 > 
    >         >                 > - Enroll a new token (the list
    of TOKEN 
    >         type is 
    >         >                 NULL) 
    >         >                 > - Edit the Policy (REPLY: Admin
    actions 
    >         are defined, 
    >         >                 but the action 
    >         >                 > policywrite is not allowed!) 
    >         >                 > 
    >         >                 > Logging in with
    "admin_b" (always via WEB) 
    >         the 
    >         >                 options are limited 
    >         >                 > but: 
    >         >                 > 
    >         >                 > admin_b can't see users for
    realm "a", but 
    >         can 
    >         >                 create users for that 
    >         >                 > realm ("a")! 
    >         >                 > 
    >         >                 > Removing the two policy "admin"
    and 
    >         "admin_b" can do 
    >         >                 everything. 
    >         >                 > 
    >         >                 > Which is the best setting for
    create 
    >         administrative 
    >         >                 account for use 
    >         >                 > one specific realm by API? 
    >         >                 > 
    >         >                 > Thank you very much! 
    >         >                 > 
    >         >                 > --- 
    >         >                 > Sim 
    >         >                 > 
    >         >                 > -- 
    >         >                 > Please read the blog post about
    getting 
    >         help 
    >         >                 > 
    >         https://www.privacyidea.org/getting-help/. 
    >         >                 >   
    >         >                 > For professional services and
    consultancy 
    >         regarding 
    >         >                 two factor 
    >         >                 > authentication please visit 
    >         >                 > 
    >         > 
    >
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >                 >   
    >         >                 > In an enterprise environment you
    should 
    >         get a 
    >         >                 SERVICE LEVEL AGREEMENT 
    >         >                 > which suites your needs for
    SECURITY, 
    >         AVAILABILITY 
    >         >                 and LIABILITY: 
    >         >                 > 
    >         > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         >                 > --- 
    >         >                 > You received this message
    because you are 
    >         subscribed 
    >         >                 to the Google 
    >         >                 > Groups "privacyidea" group. 
    >         >                 > To unsubscribe from this group
    and stop 
    >         receiving 
    >         >                 emails from it, send 
    >         >                 > an email to 
    >         privacyidea...@googlegroups.com. 
    >         >                 > To post to this group, send
    email to 
    >         >                 priva...@googlegroups.com. 
    >         >                 > Visit this group at 
    >         > 
    >         https://groups.google.com/group/privacyidea. 
    >         >                 > To view this discussion on the
    web visit 
    >         >                 > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com. 
    >         >                 > For more options, visit 
    >         >
    https://groups.google.com/d/optout. 
    >         >                 
    >         >                 -- 
    >         >                 Cornelius Kölbel 
    >         >                 corneliu...@netknights.it 
    >         >                 +49 151 2960 1417 
    >         >                 
    >         >                 NetKnights GmbH 
    >         >                 http://www.netknights.it 
    >         >                 Landgraf-Karl-Str. 19, 34131
    Kassel, 
    >         Germany 
    >         >                 Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >                 
    >         >                 Amtsgericht Kassel, HRB 16405 
    >         >                 Geschäftsführer: Cornelius Kölbel 
    >         >                 
    >         >                 
    >         >         
    >         > 
    >         > 
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > 
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY: 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > Visit this group at
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/c8600053-9710-4c59-a52f-a0d8ab7413a0%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/0dadb7a0-8c8c-499d-9e03-a99fc6427277%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hello Cornelius,
the policy are as my first post:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP,
enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable,
enrollU2F, manage_machine_tokens, getrandom, userlist, getserial,
radiusserver_write, system_documentation, caconnectordelete,
caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS,
smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES,
enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite,
losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser,
enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial,
disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b

Administrator “admin” can’t edit/add/change anything.
For example I can’t add a new “generic” policy or edit the first policy.

Thanks again—
Sim

On Tuesday, May 10, 2016 at 10:25:56 AM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

the enrollment thing was a pure UI problem.

The error “Admin actions are defined, but the action policywrite is not
allowed!” is coming directly from the policy checking of the server.

I assume this is a side effect from the policy you are creating.
I further assume, you are creating a policy with a realm set and he is
mistaking this realm for the administrators realm.

Can you please provide the data of the policy, you are trying to set?

Thanks a lot
Cornelius

Am Dienstag, den 10.05.2016, 00:36 -0700 schrieb simv...@gmail.com
<javascript:>:

Hello

I’ve patched manually this: /privacyidea/lib/policy.py
(
https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)

The “Tokens -> Enroll token -> Enroll a new token” now work correctly,

but “Config -> Policies -> EDIT/CREATE” show me: “Admin actions are
defined, but the action policywrite is not allowed!”

I’m not sure if this is the same problem or not.

Thank you!


Sim

On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel wrote:
Hi Sim,

    In theory this is right. See my latest email. 
    As far as the empty token type drop down is concerned, this is 
    a UI bug. 
    So using the REST API should work. 
    
    
    Yes, login mode disable will not block API. 
    (Afaik) 
    
    
    Local admins can always login. Independent on the login mode. 
    
    
    Kind regards 
    Cornelius 
    
    
    
    
    
    
    Cornelius Kölbel 
    Corneliu...@netknights.it 
    +49 151 2960 1417 
    
    
    NetKnights GmbH 
    http://netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 
    
    
    -------- Ursprüngliche Nachricht -------- 
    Von: simv...@gmail.com 
    Datum: 09.05.2016 16:22 (GMT+01:00) 
    An: privacyidea <priva...@googlegroups.com> 
    Betreff: Re: [privacyidea] Add a second admin for use with a 
    single realm 
    
    Hello Cornelius, 
    currently I have a production server and a development server 
    but both installed with apt-get. 
    It is not urgent, but can I ask you if this is the correct 
    way? I need a "sub-administrator" for a specific realm to use 
    ONLY with REST/API. 
    Otherwise I can create user in that local-realm, add a Policy 
    scope: admin with that user (as my example) and increase 
    security with a Policy webui { "login_mode": "disable" }. 
    In this way I'll block web access, but not REST/API functions. 
    With "pi-manage admin add" the user will be also able to 
    connect to web 
    Right? 
    
    Thanks again 
    
    --- 
    Sim 
    
    
    
    On Monday, May 9, 2016 at 3:56:19 PM UTC+2, Cornelius Kölbel  wrote: 
            Hi Sim, 
            
            this seems due to the fact, that the realm of the 
            admin is falsely used 
            as the user_realm when searching for the policies. 
            Your admin is in no realm, so a policy with an empty 
            user realm is 
            search. But your policy contains correctly realmB. 
            
            -> Bug with mixing up admin realm and user realm. 
            
            If you are willing to pull the git repo, I will be 
            able to provide a fix 
            shortly. 
            
            Kind regards 
            Cornelius 
            
            Am Montag, den 09.05.2016, 05:59 -0700 schrieb 
            simv...@gmail.com: 
            > Hello! 
            > I need to create a "sub-admin" with administrative 
            power only for a 
            > specific realm. 
            > 
            > I've created two admin users with "pi-manage 
            admin". 
            > 
            > # pi-manage admin list 
            > _Name    email_ 
            > admin    None 
            > admin_b  None 
            > 
            > Admin is the standard/full administrator and admin_b 
            is the 
            > administrator for realm "b". 
            > 
            > These are the two policy created: 
            > 
            > Name = superuser 
            > scope = admin 
            > action = set, revoke, adduser, enrollSMS, 
            policydelete, policywrite, 
            > enrollTIQR, configdelete, machinelist, enrollREMOTE, 
            setpin, resync, 
            > unassign, tokenrealms, enrollSPASS, auditlog, 
            enrollPAPER, deleteuser, 
            > enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, 
            enrollHOTP, 
            > enrollQUESTION, enrollCERTIFICATE, copytokenuser, 
            configwrite, 
            > enrollTOTP, enrollREGISTRATION, enrollYUBICO, 
            resolverwrite, 
            > updateuser, enable, enrollU2F, 
            manage_machine_tokens, getrandom, 
            > userlist, getserial, radiusserver_write, 
            system_documentation, 
            > caconnectordelete, caconnectorwrite, disable, 
            mresolverdelete, 
            > copytokenpin, enrollRADIUS, smtpserver_write, 
            set_hsm_password, reset, 
            > getchallenges, enroll4EYES, enrollYUBIKEY, 
            fetch_authentication_items, 
            > enrollDAPLUG, mresolverwrite, losttoken, 
            enrollSSHKEY, importtokens, 
            > assign, delete 
            > realm = a, b 
            > resolver = a-mysql, b-mysql 
            > user = admin 
            > 
            > Name = admin_b 
            > scope = admin 
            > action = set, revoke, adduser, resync, unassign, 
            tokenrealms, 
            > deleteuser, enrollTOTP, enrollREGISTRATION, 
            updateuser, enable, 
            > userlist, getserial, disable, reset, getchallenges, 
            losttoken, assign, 
            > delete 
            > realm = b 
            > resolver = b-mysql 
            > user = admin_b 
            > 
            > Logging in with "admin" (via WEB) I can manage 
            users/settings, but 
            > NOT: 
            > 
            > - Enroll a new token (the list of TOKEN type is 
            NULL) 
            > - Edit the Policy (REPLY: Admin actions are defined, 
            but the action 
            > policywrite is not allowed!) 
            > 
            > Logging in with "admin_b" (always via WEB) the 
            options are limited 
            > but: 
            > 
            > admin_b can't see users for realm "a", but can 
            create users for that 
            > realm ("a")! 
            > 
            > Removing the two policy "admin" and "admin_b" can do 
            everything. 
            > 
            > Which is the best setting for create administrative 
            account for use 
            > one specific realm by API? 
            > 
            > Thank you very much! 
            > 
            > --- 
            > Sim 
            > 
            > -- 
            > Please read the blog post about getting help 
            > https://www.privacyidea.org/getting-help/. 
            >   
            > For professional services and consultancy regarding 
            two factor 
            > authentication please visit 
            > 
            https://netknights.it/en/leistungen/one-time-services/ 
            >   
            > In an enterprise environment you should get a 
            SERVICE LEVEL AGREEMENT 
            > which suites your needs for SECURITY, AVAILABILITY 
            and LIABILITY: 
            > 

https://netknights.it/en/leistungen/service-level-agreements/

            > --- 
            > You received this message because you are subscribed 
            to the Google 
            > Groups "privacyidea" group. 
            > To unsubscribe from this group and stop receiving 
            emails from it, send 
            > an email to privacyidea...@googlegroups.com. 
            > To post to this group, send email to 
            priva...@googlegroups.com. 
            > Visit this group at 
            https://groups.google.com/group/privacyidea. 
            > To view this discussion on the web visit 
            > 

https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.

            > For more options, visit 
            https://groups.google.com/d/optout. 
            
            -- 
            Cornelius Kölbel 
            corneliu...@netknights.it 
            +49 151 2960 1417 
            
            NetKnights GmbH 
            http://www.netknights.it 
            Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
            Tel: +49 561 3166797, Fax: +49 561 3166798 
            
            Amtsgericht Kassel, HRB 16405 
            Geschäftsführer: Cornelius Kölbel 


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hello!
It’s not simple to describe…
The admin used to update/add in this example is always the “first” (full
admin).
For example editing superuser policy (the first) I receive that error.
Also creating a new policy (webui) with User-Realm and User-Resolver
selected (example “realm = a, b” + “resolver = a-mysql, b-mysql”) I receive
the error.
Instead creating a new policy (webui) without User-Realm and User-Resolver
I can add it.

Certainly there is some problem with policy and multiple admin/realm context
.

Let me know if you need other details and excuse me if my description was not
clear
Thank you!—
Sim

On Tuesday, May 10, 2016 at 12:08:05 PM UTC+2, Cornelius Kölbel wrote:

Hi Sim,

sorry, I was not clear enough.

Yes, you configured these two policies.
But AFTER you configured and saved these policies, you obviously try to
write another policy and you get

“Admin actions are
defined, but the action policywrite is not allowed!”

So which administrator tries to write what policydata.
I need the administrator and the data of the third policy.

Kind regards
Cornelius

Am Dienstag, den 10.05.2016, 02:28 -0700 schrieb simv...@gmail.com
<javascript:>:

Hello Cornelius,
the policy are as my first post:

Name = superuser
scope = admin
action = set, revoke, adduser, enrollSMS, policydelete, policywrite,
enrollTIQR, configdelete, machinelist, enrollREMOTE, setpin, resync,
unassign, tokenrealms, enrollSPASS, auditlog, enrollPAPER, deleteuser,
enrollEMAIL, resolverdelete, enrollMOTP, enrollPW, enrollHOTP,
enrollQUESTION, enrollCERTIFICATE, copytokenuser, configwrite,
enrollTOTP, enrollREGISTRATION, enrollYUBICO, resolverwrite,
updateuser, enable, enrollU2F, manage_machine_tokens, getrandom,
userlist, getserial, radiusserver_write, system_documentation,
caconnectordelete, caconnectorwrite, disable, mresolverdelete,
copytokenpin, enrollRADIUS, smtpserver_write, set_hsm_password, reset,
getchallenges, enroll4EYES, enrollYUBIKEY, fetch_authentication_items,
enrollDAPLUG, mresolverwrite, losttoken, enrollSSHKEY, importtokens,
assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms,
deleteuser, enrollTOTP, enrollREGISTRATION, updateuser, enable,
userlist, getserial, disable, reset, getchallenges, losttoken, assign,
delete
realm = b
resolver = b-mysql
user = admin_b

Administrator “admin” can’t edit/add/change anything.
For example I can’t add a new “generic” policy or edit the first
policy.

Thanks again


Sim

On Tuesday, May 10, 2016 at 10:25:56 AM UTC+2, Cornelius Kölbel wrote:
Hi Sim,

    the enrollment thing was a pure UI problem. 
    
    The error "Admin actions are defined, but the action 
    policywrite is not 
    allowed!" is coming directly from the policy checking of the 
    server. 
    
    I assume this is a side effect from the policy you are 
    creating. 
    I further assume, you are creating a policy with a realm set 
    and he is 
    mistaking this realm for the administrators realm. 
    
    Can you please provide the data of the policy, you are trying 
    to set? 
    
    Thanks a lot 
    Cornelius 
    
    Am Dienstag, den 10.05.2016, 00:36 -0700 schrieb 
    simv...@gmail.com: 
    > Hello 
    > 
    > I've patched manually this: /privacyidea/lib/policy.py 
    > 
    (

https://github.com/privacyidea/privacyidea/commit/9a2aced836f8b70c9a2fb0581f195cfe71763479)

    > 
    > The "Tokens -> Enroll token -> Enroll a new token" now work 
    correctly, 
    > 
    > but "Config -> Policies -> EDIT/CREATE" show me: "Admin 
    actions are 
    > defined, but the action policywrite is not allowed!" 
    > 
    > I'm not sure if this is the same problem or not. 
    > 
    > Thank you! 
    > 
    > --- 
    > Sim 
    > 
    > 
    > On Monday, May 9, 2016 at 4:31:41 PM UTC+2, Cornelius Kölbel  wrote: 
    >         Hi Sim, 
    >         
    >         
    >         In theory this is right. See my latest email. 
    >         As far as the empty token type drop down is 
    concerned, this is 
    >         a UI bug. 
    >         So using the REST API should work. 
    >         
    >         
    >         Yes, login mode disable will not block API. 
    >         (Afaik) 
    >         
    >         
    >         Local admins can always login. Independent on the 
    login mode. 
    >         
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         
    >         
    >         
    >         
    >         
    >         Cornelius Kölbel 
    >         Corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         
    >         NetKnights GmbH 
    >         http://netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    >         -------- Ursprüngliche Nachricht -------- 
    >         Von: simv...@gmail.com 
    >         Datum: 09.05.2016 16:22 (GMT+01:00) 
    >         An: privacyidea <priva...@googlegroups.com> 
    >         Betreff: Re: [privacyidea] Add a second admin for 
    use with a 
    >         single realm 
    >         
    >         Hello Cornelius, 
    >         currently I have a production server and a 
    development server 
    >         but both installed with apt-get. 
    >         It is not urgent, but can I ask you if this is the 
    correct 
    >         way? I need a "sub-administrator" for a specific 
    realm to use 
    >         ONLY with REST/API. 
    >         Otherwise I can create user in that local-realm, add 
    a Policy 
    >         scope: admin with that user (as my example) and 
    increase 
    >         security with a Policy webui { "login_mode": 
    "disable" }. 
    >         In this way I'll block web access, but not REST/API 
    functions. 
    >         With "pi-manage admin add" the user will be also 
    able to 
    >         connect to web 
    >         Right? 
    >         
    >         Thanks again 
    >         
    >         --- 
    >         Sim 
    >         
    >         
    >         
    >         On Monday, May 9, 2016 at 3:56:19 PM UTC+2,  Cornelius Kölbel  wrote: 
    >                 Hi Sim, 
    >                 
    >                 this seems due to the fact, that the realm 
    of the 
    >                 admin is falsely used 
    >                 as the user_realm when searching for the 
    policies. 
    >                 Your admin is in no realm, so a policy with 
    an empty 
    >                 user realm is 
    >                 search. But your policy contains correctly 
    realmB. 
    >                 
    >                 -> Bug with mixing up admin realm and user 
    realm. 
    >                 
    >                 If you are willing to pull the git repo, I 
    will be 
    >                 able to provide a fix 
    >                 shortly. 
    >                 
    >                 Kind regards 
    >                 Cornelius 
    >                 
    >                 Am Montag, den 09.05.2016, 05:59 -0700  schrieb 
    >                 simv...@gmail.com: 
    >                 > Hello! 
    >                 > I need to create a "sub-admin" with 
    administrative 
    >                 power only for a 
    >                 > specific realm. 
    >                 > 
    >                 > I've created two admin users with 
    "pi-manage 
    >                 admin". 
    >                 > 
    >                 > # pi-manage admin list 
    >                 > _Name    email_ 
    >                 > admin    None 
    >                 > admin_b  None 
    >                 > 
    >                 > Admin is the standard/full administrator 
    and admin_b 
    >                 is the 
    >                 > administrator for realm "b". 
    >                 > 
    >                 > These are the two policy created: 
    >                 > 
    >                 > Name = superuser 
    >                 > scope = admin 
    >                 > action = set, revoke, adduser, enrollSMS, 
    >                 policydelete, policywrite, 
    >                 > enrollTIQR, configdelete, machinelist, 
    enrollREMOTE, 
    >                 setpin, resync, 
    >                 > unassign, tokenrealms, enrollSPASS, 
    auditlog, 
    >                 enrollPAPER, deleteuser, 
    >                 > enrollEMAIL, resolverdelete, enrollMOTP, 
    enrollPW, 
    >                 enrollHOTP, 
    >                 > enrollQUESTION, enrollCERTIFICATE, 
    copytokenuser, 
    >                 configwrite, 
    >                 > enrollTOTP, enrollREGISTRATION, 
    enrollYUBICO, 
    >                 resolverwrite, 
    >                 > updateuser, enable, enrollU2F, 
    >                 manage_machine_tokens, getrandom, 
    >                 > userlist, getserial, radiusserver_write, 
    >                 system_documentation, 
    >                 > caconnectordelete, caconnectorwrite, 
    disable, 
    >                 mresolverdelete, 
    >                 > copytokenpin, enrollRADIUS, 
    smtpserver_write, 
    >                 set_hsm_password, reset, 
    >                 > getchallenges, enroll4EYES, 
    enrollYUBIKEY, 
    >                 fetch_authentication_items, 
    >                 > enrollDAPLUG, mresolverwrite, losttoken, 
    >                 enrollSSHKEY, importtokens, 
    >                 > assign, delete 
    >                 > realm = a, b 
    >                 > resolver = a-mysql, b-mysql 
    >                 > user = admin 
    >                 > 
    >                 > Name = admin_b 
    >                 > scope = admin 
    >                 > action = set, revoke, adduser, resync, 
    unassign, 
    >                 tokenrealms, 
    >                 > deleteuser, enrollTOTP, 
    enrollREGISTRATION, 
    >                 updateuser, enable, 
    >                 > userlist, getserial, disable, reset, 
    getchallenges, 
    >                 losttoken, assign, 
    >                 > delete 
    >                 > realm = b 
    >                 > resolver = b-mysql 
    >                 > user = admin_b 
    >                 > 
    >                 > Logging in with "admin" (via WEB) I can 
    manage 
    >                 users/settings, but 
    >                 > NOT: 
    >                 > 
    >                 > - Enroll a new token (the list of TOKEN 
    type is 
    >                 NULL) 
    >                 > - Edit the Policy (REPLY: Admin actions 
    are defined, 
    >                 but the action 
    >                 > policywrite is not allowed!) 
    >                 > 
    >                 > Logging in with "admin_b" (always via WEB) 
    the 
    >                 options are limited 
    >                 > but: 
    >                 > 
    >                 > admin_b can't see users for realm "a", but 
    can 
    >                 create users for that 
    >                 > realm ("a")! 
    >                 > 
    >                 > Removing the two policy "admin" and 
    "admin_b" can do 
    >                 everything. 
    >                 > 
    >                 > Which is the best setting for create 
    administrative 
    >                 account for use 
    >                 > one specific realm by API? 
    >                 > 
    >                 > Thank you very much! 
    >                 > 
    >                 > --- 
    >                 > Sim 
    >                 > 
    >                 > -- 
    >                 > Please read the blog post about getting 
    help 
    >                 > 
    https://www.privacyidea.org/getting-help/. 
    >                 >   
    >                 > For professional services and consultancy 
    regarding 
    >                 two factor 
    >                 > authentication please visit 
    >                 > 
    > 
    https://netknights.it/en/leistungen/one-time-services/ 
    >                 >   
    >                 > In an enterprise environment you should 
    get a 
    >                 SERVICE LEVEL AGREEMENT 
    >                 > which suites your needs for SECURITY, 
    AVAILABILITY 
    >                 and LIABILITY: 
    >                 > 
    > 
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >                 > --- 
    >                 > You received this message because you are 
    subscribed 
    >                 to the Google 
    >                 > Groups "privacyidea" group. 
    >                 > To unsubscribe from this group and stop 
    receiving 
    >                 emails from it, send 
    >                 > an email to 
    privacyidea...@googlegroups.com. 
    >                 > To post to this group, send email to 
    >                 priva...@googlegroups.com. 
    >                 > Visit this group at 
    > 
    https://groups.google.com/group/privacyidea. 
    >                 > To view this discussion on the web visit 
    >                 > 
    > 

https://groups.google.com/d/msgid/privacyidea/978d3304-47b0-42ee-b5d7-9488f60f6188%40googlegroups.com.

    >                 > For more options, visit 
    >                 https://groups.google.com/d/optout. 
    >                 
    >                 -- 
    >                 Cornelius Kölbel 
    >                 corneliu...@netknights.it 
    >                 +49 151 2960 1417 
    >                 
    >                 NetKnights GmbH 
    >                 http://www.netknights.it 
    >                 Landgraf-Karl-Str. 19, 34131 Kassel, 
    Germany 
    >                 Tel: +49 561 3166797, Fax: +49 561 3166798 
    >                 
    >                 Amtsgericht Kassel, HRB 16405 
    >                 Geschäftsführer: Cornelius Kölbel 
    >                 
    >                 
    >         
    > 
    > 
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/c8600053-9710-4c59-a52f-a0d8ab7413a0%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel