Different admins for specific tokens in the same realm


We have different firewalls which are connected to PI.
This works great. All firewalls are using the same realm, and the realm has one resolver for each department.

Now we want to give each department its own admin account.
I was able to create that with policies.
But the problem is that this admin sees all tokens in the realm.

Is there a solution for an additional filter or something?

OK, I found another solution.

I created a realm for each department with its own resolver.
Then I modified the /etc/freeradius/3.0/sites-enabled/privacyidea:

```
server {
    authorize {
        # Select the privacyIDEA realm from the source address of the firewall sending the request
        if (Packet-Src-IP-Address == 10.xxx) {
            update request {
                Realm := "vpn-department1"
            }
        }
    }
}
```

So each department is then put into its realm according to the IP of the firewall that makes the request.


If you really want to give rights on certain users and tokens to certain admins, you should use realm admins. Only in this case can you reliably segregate control of tokens.

E.g. you can assign a token to a realm without having the token assigned to a user. The point of that is that such a realm admin can also have control over a certain bunch of unassigned hardware tokens, but not over all unassigned hardware tokens in the system.

So your approach with the RADIUS settings is a perfect way to go. Alternatively, you could have configured this similarly in privacyIDEA by setting a realm via policy based on the client IP.
But I like your RADIUS solution even better.
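The realm-admin setup described in the reply, driven through the privacyIDEA REST API, as an added example; this is not code from the thread or from the privacyIDEA project. It assumes a privacyIDEA host at https://pi.example.com, admin credentials, the department realm and resolver names and firewall addresses used below, and the token serial HOTP0001 (all made up). The endpoint paths and parameter names (/auth, /realm/<name> with resolvers, /policy/<name> with scope/realm/adminrealm/client/action, /token/realm/<serial> with realms, and the authorization action setrealm) are those of the privacyIDEA REST API as documented; one caveat a practitioner hits here is that a realm only counts as an admin realm once it is listed in SUPERUSER_REALM in pi.cfg. The block builds the calls as data first so they can be reviewed before anything is sent, and includes both the realm-admin policy and the client-IP setrealm policy the reply mentions as the privacyIDEA-side alternative to the FreeRADIUS Packet-Src-IP-Address check.

```python
"""Added example (not from the thread or the privacyIDEA project): plan and send the
privacyIDEA REST API calls that create, per department, a user realm, an admin realm,
a realm-admin policy and a client-IP based setrealm policy.

Assumptions: host, credentials, realm/resolver names, firewall addresses and the
token serial are made up. Admin realms must additionally be listed in
SUPERUSER_REALM in pi.cfg before their users are treated as administrators.
"""
import json
import urllib.request
from urllib.parse import urlencode

PI_URL = "https://pi.example.com"  # assumed host

# Constructed sample data: realm -> (user resolver, admin resolver, firewall address)
DEPARTMENTS = {
    "vpn-department1": ("ldap-dept1", "admins-dept1", "10.0.1.1/32"),
    "vpn-department2": ("ldap-dept2", "admins-dept2", "10.0.2.1/32"),
}

ADMIN_ACTIONS = "tokenlist, enable, disable, reset, resync, assign, unassign, set, delete"


def realm_admin_policy(realm, admin_realm):
    """Admin-scope policy restricted to one user realm and one admin realm.

    Because 'realm' is set, admins from admin_realm only see and manage tokens in
    that realm, including hardware tokens assigned to the realm without a user.
    Returns (policy name, parameters for POST /policy/<name>).
    """
    return f"admin-{realm}", {
        "scope": "admin",
        "realm": realm,
        "adminrealm": admin_realm,
        "action": ADMIN_ACTIONS,
    }


def setrealm_policy(realm, client_cidr):
    """Authorization-scope policy that maps requests from client_cidr into realm.

    This is the privacyIDEA-side alternative to selecting the realm from
    Packet-Src-IP-Address in the FreeRADIUS site config.
    """
    return f"setrealm-{realm}", {
        "scope": "authorization",
        "client": client_cidr,
        "action": f"setrealm={realm}",
    }


def plan(departments):
    """Return the ordered (method, path, params) calls for all departments.

    Keeping the plan as plain data lets you review or dry-run it before sending.
    """
    calls = []
    for realm, (resolver, admin_resolver, fw_addr) in departments.items():
        admin_realm = f"adminrealm-{realm}"
        calls.append(("POST", f"/realm/{realm}", {"resolvers": resolver}))
        calls.append(("POST", f"/realm/{admin_realm}", {"resolvers": admin_resolver}))
        name, params = realm_admin_policy(realm, admin_realm)
        calls.append(("POST", f"/policy/{name}", params))
        name, params = setrealm_policy(realm, fw_addr)
        calls.append(("POST", f"/policy/{name}", params))
    return calls


def token_to_realm_call(serial, realm):
    """Put an unassigned token into a realm (no user) so that realm's admin can
    manage it: POST /token/realm/<serial> with realms=<realm>."""
    return ("POST", f"/token/realm/{serial}", {"realms": realm})


def login(username, password, base_url=PI_URL):
    """POST /auth and return the JWT that later calls send in the Authorization header."""
    body = urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base_url + "/auth", data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]["value"]["token"]


def execute(calls, auth_token, base_url=PI_URL):
    """Send the planned calls (form-encoded bodies) and collect the JSON responses."""
    results = []
    for method, path, params in calls:
        req = urllib.request.Request(base_url + path, data=urlencode(params).encode(),
                                     method=method, headers={"Authorization": auth_token})
        with urllib.request.urlopen(req) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    calls = plan(DEPARTMENTS) + [token_to_realm_call("HOTP0001", "vpn-department1")]
    for method, path, params in calls:
        print(method, path, params)
    # Against a live server: execute(calls, login("admin", "admin-password"))
```

Run as-is, the script only prints the planned calls; uncomment the last line (with real credentials) to apply them. If you keep the RADIUS-side realm selection, simply drop setrealm_policy from plan(): the realm-admin policies are what actually limit which tokens each department admin can see.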