Is it possible to edit a list of available token types? For example, leave just one that will be used.
and welcome to the privacyIDEA community. I hope you will like what you get and give back by sharing your experiences.
You can define user policies and admin policies to do so.
But take care: before defining admin policies, be sure to read as much as possible about policies, since you could also lock yourself out. But it is safe to define, e.g., a user policy with
enrollHOTP, thus allowing normal users to only enroll HOTP tokens.
Thanks for explanation!
It’s great that it’s possible to manage user permissions in such a way. In the case of an admin user, I suppose I would create a policy and allow everything except the other token types, to get only one type of token in the list. Is there another way to edit that list in general, probably in some configuration file?
Thanks in advance!
No. You define it using a policy.
This way you can define it differently for different users/admins or for different times or IP addresses or whatever.
What are you trying to accomplish? As Cornelinux has said, policies are the best way to go about managing access rights for both regular users and different tiers of administrators. Policies are kinda tricky in how the different settings interact, so you definitely want to read the documentation carefully. Also, if/when you screw up and lock yourself out, use the pi-manage script on the server to disable the offending policy and try again.
Managing token type access rights is surely great functionality, and I’m sure it’s very useful. But I’m not looking for a way to manage access rights for token types. I clearly understand what you mention, but I’m looking for some way to set one type of token in general. From my point of view, it should be some kind of setting (not a policy) where admins can easily specify one type of token in common (UI or config file).
In my project, I will use only one type of token for all users. To accomplish this, I need to create two additional policies where I need to specify all existing permissions except the other token types. Yes, it works! But it creates additional inconveniences such as:
- Troubleshooting. If something isn’t working as expected, additional policies need to be verified.
- Update/Upgrade. It’s possible that after updating the application, new permissions can be added, which can cause an error.
- Automated installation/setup. It makes it more complex.
For that reason, I’ve created a one-line policy which only changes the default type of token:
pi-manage policy create default_token webui default_tokentype=totp
I guess I’m not quite understanding what you are trying to do; it sounds like you accomplished your goal using a policy. The equivalent of that command-line setting is in the web GUI as well, under Misc. in the scope WebUI.
If your issue is that it’s a behavior that is modified using a policy instead of just, for example, a drop-down under System Settings, I think you’re splitting hairs. If you are concerned about policy interactions and troubleshooting, set its priority to be a larger number than any other policies. This will ensure all other policies take precedence.
However, if you want to ensure that a user does not see this:
and the user sees this:
You’ll have to set up a few policies and additional realms. You’ll need two realms, an admin realm and a user realm. You’ll then set up an administrator policy that grants all rights you want your admins to have, and then in the user policy enable only the token type you want the users to use.
If I’m way off on all this and wasting everyone’s time…sorry.
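The two approaches discussed above (the one-line webui policy plus the admin/user policies that limit enrollment to a single type) can be scripted so the setup is repeatable, which addresses the "automated installation" concern raised earlier. The script below is an added example, not code from the thread or from the privacyIDEA project. It only uses the `pi-manage policy create` and `pi-manage policy disable` sub-commands that the thread itself mentions; the policy names, the admin action list, the DRY_RUN/PI_MANAGE variables and the assumption that the action argument may be one comma-separated list (the form the WebUI stores) are this example's own choices. Binding the admin policy to the admin realm, and adjusting priorities, is left to the WebUI afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or privacyIDEA): create the policies for
# a deployment that keeps exactly one token type. With DRY_RUN=1 (the default)
# the commands are only printed, so you can review them before running them
# on the server.

PI_MANAGE="${PI_MANAGE:-pi-manage}"   # path to privacyIDEA's pi-manage (assumed on PATH)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print only, 0 = actually run pi-manage
TOKEN_TYPE="${TOKEN_TYPE:-totp}"      # the single token type to keep

# privacyIDEA names the enrollment right enroll<TYPE> with the type upper-cased,
# e.g. enrollTOTP / enrollHOTP.
enroll_action() {
    printf 'enroll%s' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Build the pi-manage command for one policy (name, scope, action), print it,
# and run it unless we are in dry-run mode.
policy_cmd() {
    name="$1"; scope="$2"; action="$3"
    printf '%s policy create %s %s "%s"\n' "$PI_MANAGE" "$name" "$scope" "$action"
    [ "$DRY_RUN" = "1" ] || "$PI_MANAGE" policy create "$name" "$scope" "$action"
}

# Disable a policy by name: the recovery step if an admin policy locked you out.
disable_policy() {
    printf '%s policy disable %s\n' "$PI_MANAGE" "$1"
    [ "$DRY_RUN" = "1" ] || "$PI_MANAGE" policy disable "$1"
}

apply_policies() {
    enroll="$(enroll_action "$TOKEN_TYPE")"
    # Admin scope: as soon as any admin policy exists, admins keep only the
    # rights listed here (this is the lock-out risk mentioned in the thread).
    # The action list is an example selection; restrict the policy to the
    # admin realm in the WebUI afterwards.
    policy_cmd "admin_${TOKEN_TYPE}_only" admin \
        "$enroll, assign, unassign, enable, disable, delete, reset"
    # User scope: normal users may enroll only this one type.
    policy_cmd "user_${TOKEN_TYPE}_only" user "$enroll"
    # WebUI scope: preselect the type in the enrollment dialog (the one-liner
    # from the thread, parameterised on TOKEN_TYPE).
    policy_cmd "webui_default_${TOKEN_TYPE}" webui "default_tokentype=${TOKEN_TYPE}"
}

apply_policies
```

Run it once with the default `DRY_RUN=1` to see the three commands, then with `DRY_RUN=0` on the privacyIDEA server. If the admin policy turns out to be too narrow, `disable_policy admin_totp_only` (or the equivalent `pi-manage policy disable` by hand) gets you back in.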