Admin actions are defined, but the action policywrite is not allowed! Huh?

So I’m trying to get set up to set random PINs but I’m getting an error about needing an otp_pin_set_random policy. Fair enough, except I go to make one and I’m getting another error, “Admin actions are defined, but the action policywrite is not allowed!”. This one I don’t understand. I’m logged in as superuser, so it shouldn’t be a problem, right?

What do you think makes your “superuser” a superuser?

Obviously not the policies you have defined! :wink:
Policies are checked for all admins, also your “superuser”. So it looks as if this one is powerless.

See here 16.13. Policies — privacyIDEA 3.5 documentation
and read this 7.1. Admin policies — privacyIDEA 3.5 documentation

Ok I’m confused. I’m logged into the default root user, doesn’t that start off as a superuser?

And I’m not going to be able to fix this now anyway, something else weird broke…the entire menu bar at the top is blank, even after a system restart. Multiple browsers, so it’s not a caching thing. I can’t wait until I can get this project approved so I can actually pay for some support. :slight_smile:

There is no default root user.

Policies are evaluated for all users. Also for your “normal root user”. And it looks as if you locked yourself out, since you did not define any policy for your “normal root user”. And thus this user has…
…no (or at least limited) rights.

You can fix this at the command line.

Take a look at your policies:

pi-manage policy list

Then disable the admin policies you have created.

pi-manage policy disable <policyname>

Then you should start by creating a policy for your “normal root user”, which really gives him all rights.

"Then you should start by creating a policy for your “normal root user”, which really gives him all rights."

Ok and how does one do that? This is not striking me as intuitive here. And now any policy I create is breaking the UX.

Use the button “policy templates”.

Or check each (every) right the first superuser should get.
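
The lockout described in this thread, as an added example (not part of any post and not privacyIDEA's own code): a simplified Python model of the rule that once any admin policy is active, an admin action is allowed only if some policy grants it, plus a pre-flight check for who can still write policies. The `Policy` class, the policy names and the `helpdesk` admin are hypothetical, and the real matching on realm, client and priority is left out.

```python
"""Simplified model of admin-policy evaluation (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    scope: str                      # only "admin" matters for this check
    actions: set
    adminusers: set = field(default_factory=set)  # empty = applies to every admin
    active: bool = True


def admin_allowed(policies, admin, action):
    """Return (allowed, reason) for one admin and one action."""
    admin_pols = [p for p in policies if p.scope == "admin" and p.active]
    if not admin_pols:
        # No active admin policy at all: every admin may do everything.
        return True, "no admin policies defined"
    for p in admin_pols:
        applies = not p.adminusers or admin in p.adminusers
        if applies and action in p.actions:
            return True, f"granted by {p.name}"
    # At least one admin policy exists, so anything not granted is denied.
    return False, f"Admin actions are defined, but the action {action} is not allowed!"


def lockout_check(policies, admins, required=("policywrite",)):
    """List the admins who keep every right needed to repair policies in the UI."""
    return [a for a in admins
            if all(admin_allowed(policies, a, act)[0] for act in required)]


if __name__ == "__main__":
    # Constructed policy set: one narrow policy, assumed to be in the admin scope.
    pols = [Policy("random_pin", "admin", {"otp_pin_set_random"})]
    print(admin_allowed([], "root", "policywrite"))    # allowed, nothing defined
    print(admin_allowed(pols, "root", "policywrite"))  # denied, the thread's error
    print(lockout_check(pols, ["root"]))               # nobody can fix policies
    # Hypothetical "superuser" policy limited to root restores policy management.
    pols.append(Policy("superuser", "admin",
                       {"policywrite", "otp_pin_set_random"}, {"root"}))
    print(lockout_check(pols, ["root", "helpdesk"]))
```

Running `lockout_check` against the intended policy set before enabling the first admin policy shows whether anyone would still be able to edit policies afterwards.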