Custom attributes in admin policy

Hi all,

Is it possible to use “custom attributes” in admin policies’ “Additional conditions”?

We’re using an LDAP resolver to restrict admin access to PI but don’t want to leave full control of the admin users to the AD administrators.

Example:

  • Configure custom attribute: “administrator” value: “true, false”
  • add the custom attribute “administrator: true” to the admin user out of the AD group
  • configure an “admin” policy and trigger on the “custom attribute” to allow access to PI

Any suggestions are highly appreciated

Regards
–Guido

Yes, this is possible. Custom attributes are an overlay of the userinfo and are thus also used in the extended policy condition. Cool, right!? :wink:

However, please note that with the extended policy conditions I think the key from the condition has to exist. If it does not exist, privacyIDEA will raise an error, since it cannot determine with certainty whether the policy should apply or not.

  • Make sure that all users that would touch this policy have this key set.
  • Make sure not to add too many actions to a policy with extended policy conditions.

(otherwise you will get the above mentioned exception/error)

Sounds good, indeed…

As a test I

  • used the attribute initials of AD users
  • added set_custom_user_attributes :initials: true false in the global admin policy
  • overwrote the attribute initials to true of the admin user by setting Custom attributes
  • configured an admins policy with Additional conditions userinfo initials equals true

Result:
Policy ‘ADM__L1_EU’ has condition on userinfo, but an according object is not available.

Question:
If it is not available, must the AD attribute initials also be configured in the resolver to be visible on the user details page?

BTW: is there a way to delete Custom attributes once set?

–Guido

No, it does not.

But it looks like you do not have a user object in your request. Note: the user object is the user who is being acted upon, not the administrator who is acting in this case!
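As an added illustration (not privacyIDEA’s own code, and not part of this thread), here is a small Python model of how a userinfo condition on a custom attribute behaves in the three situations discussed in the two answers above: the custom attribute overlaying the resolver’s userinfo, a user for whom the key was never set, and a request that carries no user object at all. The class and function names, the comparator set and the sample AD data are my own assumptions; only the three behaviours are taken from the answers.

```python
"""Toy model of privacyIDEA-style extended policy conditions on 'userinfo'.

This is an illustrative re-implementation, not privacyIDEA's code. It models:
  1. custom user attributes overlaying the resolver's userinfo,
  2. an error when the condition key is missing for the user,
  3. an error when the request carries no user object at all.
"""
from dataclasses import dataclass, field
from typing import Optional


class PolicyConditionError(Exception):
    """Raised when a condition cannot be decided with certainty."""


@dataclass
class Policy:
    name: str
    actions: dict = field(default_factory=dict)
    # Each condition: (section, key, comparator, value); only "userinfo" is modelled.
    conditions: list = field(default_factory=list)


def build_userinfo(resolver_attrs: dict, custom_attrs: dict) -> dict:
    """Custom attributes overlay (override) what the resolver returned."""
    info = dict(resolver_attrs)
    info.update(custom_attrs)
    return info


def _compare(actual, comparator: str, expected: str) -> bool:
    actual = str(actual)
    if comparator == "equals":
        return actual == expected
    if comparator == "!equals":
        return actual != expected
    if comparator == "contains":
        return expected in actual
    raise PolicyConditionError(f"unknown comparator {comparator!r}")


def policy_applies(policy: Policy, userinfo: Optional[dict]) -> bool:
    """Decide whether `policy` applies to the user described by `userinfo`.

    `userinfo` is None when the request has no user object (e.g. an admin
    request that does not act on a specific user). Any condition that cannot
    be evaluated with certainty raises instead of silently returning False.
    """
    for section, key, comparator, value in policy.conditions:
        if section != "userinfo":
            raise PolicyConditionError(f"section {section!r} not modelled here")
        if userinfo is None:
            raise PolicyConditionError(
                f"Policy {policy.name!r} has condition on userinfo, "
                "but an according object is not available."
            )
        if key not in userinfo:
            raise PolicyConditionError(
                f"Policy {policy.name!r} has condition on userinfo key {key!r}, "
                "but the key is not set for this user."
            )
        if not _compare(userinfo[key], comparator, value):
            return False
    return True


def matching_policies(policies: list, userinfo: Optional[dict]) -> list:
    """Names of all policies that apply; raises on the undecidable cases."""
    return [p.name for p in policies if policy_applies(p, userinfo)]


# --- Constructed sample data (assumed, not from any real directory) ---------
ADMIN_POLICY = Policy(
    name="ADM__L1_EU",
    actions={"policyread": True, "policywrite": True},
    conditions=[("userinfo", "initials", "equals", "true")],
)
# AD returns the real initials; the custom attribute overrides them with "true".
ADMIN_USER = build_userinfo({"username": "guido", "initials": "GM"},
                            {"initials": "true"})
# Plain user: initials present but not overridden, so the policy does not apply.
PLAIN_USER = build_userinfo({"username": "alice", "initials": "AB"}, {})
# User whose resolver does not deliver 'initials' at all: undecidable.
NO_KEY_USER = build_userinfo({"username": "bob"}, {})

if __name__ == "__main__":
    print(matching_policies([ADMIN_POLICY], ADMIN_USER))   # ['ADM__L1_EU']
    print(matching_policies([ADMIN_POLICY], PLAIN_USER))   # []
    for info in (NO_KEY_USER, None):
        try:
            matching_policies([ADMIN_POLICY], info)
        except PolicyConditionError as e:
            print("error:", e)
```

The last loop reproduces the two failure modes from the answers: for NO_KEY_USER the condition key is simply missing, which is why every user who could touch the policy needs the attribute set; for `None` there is no user object in the request at all, which is the situation behind the “an according object is not available” message, and is independent of whether the attribute is visible in the resolver.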

Hi there,
Did you manage to overcome the following message? I’m having the same problem in the Policy Extended Conditions.

Regards