Creating/"managing" users for "small setups with the SQL resolver". pi-manage, or UI only?


@cornelinux states

However, creating/“managing” users started for small setups with the SQL resolver.

Reading at,

Managing Users in privacyIDEA

setup of the resolver & realm is trivial,

Setting it up

there is an even easier way to do so, using the command line tool

resolver create_internal myfirstresolver
realm create myrealm myfirstresolver

Done. You ended up with an editable resolver and a realm called “myrealm”.

You can add, update and delete users in this realm (in fact in the resolver).


pi-manage resolver create_internal  --help

	usage: Create new resolver create_internal [-?] name

	This creates a new internal, editable sqlresolver. The users will be stored in
	the token database in a table called 'users_<name>'. You can then add this
	resolver to a new real using the command ' realm'.

creates/populates the user table in, in my case, the pi.cfg-specified sqlite3 store,

sqlite3 /etc/privacyidea/data.sqlite
	SQLite version 3.29.0 2019-07-10 17:32:03
	Enter ".help" for usage hints.
sqlite> .tables users_myfirstresolver
sqlite> .schema users_myfirstresolver
	CREATE TABLE users_myfirstresolver (
	        id INTEGER NOT NULL,
	        username VARCHAR(40),
	        email VARCHAR(80),
	        password VARCHAR(255),
	        phone VARCHAR(40),
	        mobile VARCHAR(40),
	        surname VARCHAR(40),
	        givenname VARCHAR(40),
	        description VARCHAR(255),
	        PRIMARY KEY (id),
	        UNIQUE (username)
	);

I do not see in pi-manage any methods for ‘creating/“managing” users’.

It’s simple enough to add users directly to the db … and, of course, via the WebUI. Or, move it back to an external db.

But, since the ‘internal’ resolver/realm creation are using pi-manage, are there also cmd-line pi-* tools for doing that? Even in/for ‘small setups’?

Are only the resolver & realm pi-manage-able? Not the users themselves?

Let me clarify some things here:

privacyIDEA is an authentication server that answers authentication requests via TCP connection. The choice was made to use HTTP about 10 years ago.
In a real world setup the token administrator has no local account on the machine. So tokens are also managed via the REST API.
And thus all administrative tasks like managing tokens, managing users, creating resolvers and realms, creating policies… are reflected in the REST API. This is a design decision, most of the people love it, some do not love it, some do not understand it. That is fine. There are alternatives for doing 2FA like the Google Authenticator PAM module, multiOTP, Yubico Cloud server, RSA SecurID…

The tool pi-manage does not use the REST API and is not meant for managing tasks in the above mentioned sense. pi-manage is originally a meta management tool for creating the database, updating the database schema, creating the first administrator in the database (since we do not ship any default admin or default password).
Later in time some sensible further functionalities were added. But it was never intended to reflect the full blown functionality for a token administrator and it will never.

However, privacyidea is open source and of course you are welcome to issue any pull request at our github repository.

Please be aware, that for our processes it makes sense to have an issue to refer the pull request to.

Finally, you referenced a lot of links to posts and comments. Posts and comments are snapshots of a tiny point in time and are aging as we speak. Maybe you should start reading at
Thank you.

PS: Short answer: No, you can not manage users with pi-manage.
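
Added example, not part of the original thread or the privacyIDEA project's own code: a sketch of the two REST calls the reply points to for user management, first `POST /auth` to obtain an admin token, then `POST /user/` to create a user in the editable resolver. The server URL, credentials and function names are assumptions; the permitted attributes are the columns of the `users_myfirstresolver` table shown in the question.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://pi.example.com"  # placeholder server URL (assumption)
# Columns of the editable resolver's table, as shown in the .schema output above.
USER_COLUMNS = {"email", "password", "phone", "mobile",
                "surname", "givenname", "description"}


def auth_request(admin, password):
    """Build the POST /auth request that returns an admin JWT."""
    body = urllib.parse.urlencode({"username": admin, "password": password})
    return urllib.request.Request(f"{BASE_URL}/auth", data=body.encode(), method="POST")


def token_from_auth_response(raw):
    """Extract the token from the /auth JSON reply; fail closed if rejected."""
    result = json.loads(raw).get("result", {})
    if not result.get("status"):
        raise PermissionError("authentication rejected")
    return result["value"]["token"]


def create_user_request(token, resolver, username, **attrs):
    """Build the POST /user/ request that adds a user to an editable resolver."""
    unknown = set(attrs) - USER_COLUMNS
    if unknown:
        raise ValueError(f"not a column of users_{resolver}: {sorted(unknown)}")
    body = urllib.parse.urlencode({"user": username, "resolver": resolver, **attrs})
    req = urllib.request.Request(f"{BASE_URL}/user/", data=body.encode(), method="POST")
    req.add_header("Authorization", token)  # token goes in the Authorization header
    return req


def create_user(admin, password, resolver, username, **attrs):
    """Run both steps against a live server; TLS verification stays enabled."""
    with urllib.request.urlopen(auth_request(admin, password)) as resp:
        token = token_from_auth_response(resp.read())
    req = create_user_request(token, resolver, username, **attrs)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["result"]["value"]  # value as reported by the server
```

Because the admin password and token travel in these requests, keep the `https://` scheme and default certificate verification, and read the credentials from a protected source rather than the command line.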