Admin policies not working

Hi there,

I can't seem to wrap my head around this.

I make a simple admin policy using the template helpdesk and fill in the
field ‘Admin’ with the local user helpdesk I created, but then I am also locked
out with my default ‘admin’ account.

I read the docs multiple times but I don't understand how this is supposed
to work.

Version: 2.13-1trusty
Ubuntu 14.04.3
MySQL database

Correct.
As soon as you define a policy in scope “admin” (or scope “user”)
all admins are checked for policies.
Thus, if the original “superadmin” would not be located in
helpdesk-admin-policy, the superadmin will end up with no rights.

The best practice is to always start with a superadmin.

Thanks for reporting back.

Kind regards
Cornelius

On Monday, 01.08.2016, at 01:55 -0700, jmdeking wrote:

My fault, I have to define 2 policies, 1 for the admin and 1 for the
helpdesk, else by default you have no rights for the account that is
undefined.

Solved :)

Cornelius Kölbel

My fault, I have to define 2 policies, 1 for the admin and 1 for the
helpdesk, else by default you have no rights for the account that is
undefined.

Solved :)

Hi,

I have done a similar thing - tried to make an admin policy for a subset of admins, and now my local admins don't have the correct rights to admin the system.

I thought if I removed or renamed the

SUPERUSER_REALM = ['blah', 'super1']
in /etc/privacyidea/pi.cfg

but I don't seem to regain access.

How can I revert it to not have admin policies and be like a fresh install with local admins?

Please help - I messed up :)
Thanks in advance

Ok I figured it out

I disabled the policy via
pi-manage script …

Love this product!!!

Hello @dfine
Thank you for joining the privacyIDEA community.
And thanks a lot for the feedback.

This is right. Configuring admin policies can lock you out, but you can use the tool

pi-manage policy list 

and

pi-manage policy disable ... 

to revert and fix the policies.
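
The behaviour described in this thread, as an added example that is not part of any post and is not privacyIDEA's own code: a simplified model of admin-scope policy evaluation that reports which admins would be left with no rights. The policy dictionary layout, the function names and the action names are assumptions made for illustration.

```python
# Simplified model of the rule discussed in this thread; not privacyIDEA code.
# Policy fields, function names and action names are hypothetical.

ALL_RIGHTS = frozenset({"*"})  # stands for "no restriction applies"


def effective_rights(admin, policies):
    """Return the set of actions `admin` may perform under `policies`."""
    active = [p for p in policies
              if p["scope"] == "admin" and p.get("active", True)]
    if not active:
        # No active admin policy at all: admins are not checked.
        return ALL_RIGHTS
    rights = set()
    for p in active:
        if admin in p["admins"]:
            rights |= set(p["actions"])
    # An admin named in no active policy ends up with the empty set.
    return frozenset(rights)


def locked_out(admins, policies):
    """Admins that would have no rights at all once `policies` are in force."""
    return sorted(a for a in admins if not effective_rights(a, policies))


# Constructed sample data.
ADMINS = ["admin", "helpdesk"]
HELPDESK = {"name": "helpdesk-admin-policy", "scope": "admin", "active": True,
            "admins": ["helpdesk"], "actions": ["enable", "disable", "resync"]}
SUPERADMIN = {"name": "superadmin", "scope": "admin", "active": True,
              "admins": ["admin"], "actions": ["*"]}

if __name__ == "__main__":
    print(locked_out(ADMINS, [HELPDESK]))              # helpdesk policy alone
    print(locked_out(ADMINS, [SUPERADMIN, HELPDESK]))  # superadmin defined too
    print(locked_out(ADMINS, [dict(HELPDESK, active=False)]))  # policy disabled
```

Running a check like `locked_out` against a planned policy set before saving it shows whether the default admin account would still have rights.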