Create policy for one admin user

I need to let the admin user (test) create registration tokens only. What policy should I set up to give this role to user test?

Start by reading about policies in general, and then take special care when setting up your admin policies:
7.1. Admin policies — privacyIDEA 3.10dev1 documentation

Hi, I tried to create a new policy for admin (to create a registration code only); the policy is as below:

and when I log in with admin again, I can't do anything, as in the screen below:

I don't understand what is wrong. @cornelinux

Read this carefully again

Once you create your first admin policy, all admins are checked against policies.
Your admin has too few rights.

You might consider using the policy template button in the webui.

I have two admin users (test, admin). I need to give full permission to the admin user (admin), and give permission to create registration tokens only to the admin user (test). How can I do this? I read the documentation, but I did not find how to specify an admin user and apply the action only to that specified admin user.
Thanks a lot!

You created a policy “admin-policy” for your “admin” user. But which actions did you choose in this policy?

It looks like you did not define sufficient (all) actions.
In the docs you see 83 actions!

This is my policy:

I just need to understand how I can select which admin user this policy applies to, or in other words, where I can put the admin user so that this policy applies to that user only.

Use the condition fields “admin-realm” and “admin” to determine, for which administrators the policy should apply.

I tested this now as below:

In the conditions I put admin user (test) and admin-realm (administrators)

and set the action for (test) as below:

but when I log out and log in again with admin user (admin) or with admin user (test), I can't do anything:

What condition should I set so that this policy applies to admin user (test) only, while admin user (admin) keeps full permissions?

Your admin user “test” is most probably not in the admin realm “administrators”!

You most probably need to leave the admin realm empty.
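Added example (not from the thread or the privacyIDEA project): the two admin-scope policies the question asks for, built as REST bodies for `POST /policy/<name>`, plus a small simulation of the matching rule described in the replies, which shows why the earlier attempts locked both admins out. It assumes the API field names `scope`, `action`, `adminuser` and `adminrealm` (the webui's "admin" and "admin-realm" condition fields) and the action name `enrollREGISTRATION` for enrolling registration tokens; check both in the policy editor of your privacyIDEA version before relying on them. The matcher is a deliberately simplified model of the rule stated above, not privacyIDEA's own policy code.

```python
"""Admin policies for two administrators (added example, not privacyIDEA code).

Assumptions (verify against your privacyIDEA version):
  * POST /policy/<name> accepts form fields scope, action, adminuser, adminrealm.
  * The admin action for enrolling registration tokens is enrollREGISTRATION.
  * Admin "test" is a local admin that is NOT in admin realm "administrators".
"""
from typing import Optional

FULL_ADMIN = "admin"
LIMITED_ADMIN = "test"


def build_policies() -> dict:
    """POST bodies for two admin-scope policies, keyed by policy name.

    "admin" gets every admin action ("*"); "test" gets enrollREGISTRATION only.
    adminrealm is left empty in both, so the match does not depend on which
    admin realm (if any) the account belongs to.
    """
    return {
        "admin-full": {
            "scope": "admin", "action": "*",
            "adminuser": FULL_ADMIN, "adminrealm": "",
        },
        "test-registration-only": {
            "scope": "admin", "action": "enrollREGISTRATION",
            "adminuser": LIMITED_ADMIN, "adminrealm": "",
        },
    }


def _matches(policy: dict, admin: str, admin_realm: Optional[str]) -> bool:
    """Simplified condition check: an empty adminuser/adminrealm means 'any',
    a filled one must equal the administrator's own value."""
    if policy.get("scope") != "admin" or not policy.get("active", True):
        return False
    want_user = policy.get("adminuser", "")
    want_realm = policy.get("adminrealm", "")
    if want_user and want_user != admin:
        return False
    if want_realm and want_realm != (admin_realm or ""):
        return False
    return True


def allowed_actions(policies: dict, admin: str, admin_realm: Optional[str]) -> set:
    """Admin actions granted to `admin` under the rule stated in the thread:
    with no admin policy at all, every admin may do everything; as soon as one
    admin policy exists, every admin gets only what a matching policy grants."""
    admin_policies = [p for p in policies.values() if p.get("scope") == "admin"]
    if not admin_policies:
        return {"*"}
    granted = set()
    for p in admin_policies:
        if _matches(p, admin, admin_realm):
            granted.update(a.strip() for a in p["action"].split(",") if a.strip())
    return granted


def submit_policies(base_url: str, token: str, policies: dict) -> list:
    """Create the policies on a live server (needs `requests`). `token` is the
    JWT from POST /auth (result.value.token), sent in the Authorization header."""
    import requests  # imported here so the offline parts run without it
    results = []
    for name, body in policies.items():
        r = requests.post(f"{base_url}/policy/{name}", data=body,
                          headers={"Authorization": token}, timeout=10)
        results.append((name, r.status_code))
    return results


if __name__ == "__main__":
    # The second attempt in the thread: a policy for "test" bound to admin
    # realm "administrators", and no policy covering "admin" at all.
    broken = {"test-policy": {"scope": "admin", "action": "enrollREGISTRATION",
                              "adminuser": "test", "adminrealm": "administrators"}}
    print("broken, admin:", allowed_actions(broken, "admin", None))   # set()
    print("broken, test :", allowed_actions(broken, "test", None))    # set()
    fixed = build_policies()
    print("fixed, admin :", allowed_actions(fixed, "admin", None))    # {'*'}
    print("fixed, test  :", allowed_actions(fixed, "test", None))     # {'enrollREGISTRATION'}
```

The simulation reproduces both failures from the thread: with only a policy for "test" in place, "admin" matches nothing and loses all rights, and "test" matches nothing either because the realm condition does not hold. With the two policies from `build_policies()`, each admin matches exactly one policy. After creating them, log in as "test" and confirm that only the registration token type is offered for enrollment.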