How to create admin policies

Hi!

Slowly moving forward… Still planning to use the SimpleSAMLphp + PrivacyIDEA setup for a POC, introducing Yubikeys and Google Authenticator. Things work as they are, Yubikey in U2F mode and Google Authenticator (or any authenticator, really) in TOTP mode.
What confuses me at this point is the policy management. The setup is straightforward, I believe: All users are in an LDAP user source connected to pi as an LDAP resolver. Now I want 2 or 3 of these users to be “local admins”, i.e. be the only ones who can enroll and distribute tokens. But that is the only thing they should be able to do, and only TOTP and U2F tokens. So I create a second LDAP resolver connected to the same user source, but now filtering out only the very few persons who will act as local admins. Next I create a realm Local_admins and connect that to the new resolver.
Now my plan was to create a policy from the helpdesk template, which seems to have suitable powers (and remove the token types that should not be used). However, when I try this I get a message “Admin actions are defined, but the action policywrite is not allowed!” and I can’t save the policy. I somehow managed once or twice but then it didn’t do anything. A couple of times the “big admin” account lost its powers altogether when I experimented (snapshots are a good thing!). Obviously I’m missing something here. I know there is paid help to get, but this must be more of a misunderstanding from my side, only I don’t see what it is. A slight indication of what I’m missing out would be very helpful!

Kind regards
Bengt

Hi!
I’m really confused here. Two realms ‘superadmins’ and ‘localadmins’ specified in pi.cfg. As soon as I create any admin policy and try to assign it to a realm I get the “Admin actions are defined, but the action policywrite is not allowed!” message and at the same time my admin account loses its privileges. If I log in to the webui with a user from the superadmins realm then, things look strange, only one realm shown (the user realm). I get the same message here if I try to do something. How do the native admin accounts work, the ones I create with pi-manage? How come they lose powers? Can I assign policies to them? I need two “localadmin” accounts soon to enroll tokens, but the only way I can do that seems to be to create full-powered admins with pi-manage, is that correct?
Kind regards
Bengt

No this is not correct. You can define rights for each and every admin.
Read
https://privacyidea.readthedocs.io/en/latest/faq/admins.html
https://privacyidea.readthedocs.io/en/latest/policies/admin.html
thoroughly.

If you see any spot in the documentation that needs polishing, please point out the very spot.

Thanks.

Hi Cornelius!

Thanks for your help! I finally got some grasp of how it works, though I don’t understand it fully. I guess what confused me most is how the “native” admins (pi-manage admin add) differ from user source accounts. I really can’t point out any specific item in the docs that confused me, it is more like until I understand the structure the docs are difficult to apply. Anyway, as I gather, the first thing to do when PI is up and running is to create a superuser policy from the template and assign it directly to admin. This saves a lot of time reverting snapshots… Then, when creating more admin policies the original admin account won’t be affected by them. There were various constraints that resulted in the above-mentioned error message, the cause wasn’t clear to me (but I’m getting there). As of now I think the setup works the way I want it to and tomorrow I’ll show the local admins how to enroll tokens and assign them.
All good so far!

Kind regards
Bengt

No need to revert snapshots.

pi-manage policy list

and

pi-manage policy disable fckuppolicy

are your friends.
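The lockout Bengt ran into, and the two ways out of it (create a superuser policy for the pi-manage admin first, or disable the offending policy), come down to one rule: with no admin policy defined every admin is unrestricted, and as soon as any admin policy exists an admin keeps only the actions some matching policy grants. The following is an added, simplified Python model of that evaluation, not privacyIDEA's own code; the policy names, the "users" realm and the action set of the helpdesk-style policy are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AdminPolicy:
    """One admin-scope policy. Empty adminuser/adminrealm/realm sets match any value."""
    name: str
    action: set                                   # admin actions, or {"*"} for all
    adminuser: set = field(default_factory=set)   # internal admins (pi-manage admin add)
    adminrealm: set = field(default_factory=set)  # admin realms listed in pi.cfg
    realm: set = field(default_factory=set)       # user realms the admin may act on
    active: bool = True

def is_allowed(policies, admin, adminrealm, action, realm=None):
    """Simplified model of admin-policy evaluation (an assumption, not privacyIDEA code).

    No active admin policy at all: every admin may do everything.
    At least one active admin policy: an action is allowed only if some active
    policy matches this admin (and the target user realm) and grants the action.
    """
    active = [p for p in policies if p.active]
    if not active:
        return True
    for p in active:
        if p.adminuser and admin not in p.adminuser:
            continue
        if p.adminrealm and adminrealm not in p.adminrealm:
            continue
        if realm is not None and p.realm and realm not in p.realm:
            continue
        if "*" in p.action or action in p.action:
            return True
    return False

# Constructed policies mirroring the thread: a superuser policy pinned to the
# pi-manage "admin" account, and a helpdesk-style policy for the localadmins realm
# restricted to TOTP and U2F enrollment on the "users" realm.
SUPERUSER = AdminPolicy("superuser", {"*"}, adminuser={"admin"})
LOCALADMINS = AdminPolicy("localadmins",
                          {"enrollTOTP", "enrollU2F", "assign", "tokenlist", "userlist"},
                          adminrealm={"localadmins"}, realm={"users"})

def lockout_demo():
    """Return (locked_out, fixed, recovered) for the sequence described in the thread."""
    # Only the localadmins policy exists: "admin" matches no policy and loses policywrite.
    locked_out = not is_allowed([LOCALADMINS], "admin", "", "policywrite")
    # Superuser policy created first: "admin" keeps policywrite alongside the new policy.
    fixed = is_allowed([SUPERUSER, LOCALADMINS], "admin", "", "policywrite")
    # Recovery without snapshots, i.e. `pi-manage policy disable localadmins`.
    disabled = AdminPolicy("localadmins", LOCALADMINS.action, adminrealm={"localadmins"},
                           realm={"users"}, active=False)
    recovered = is_allowed([disabled], "admin", "", "policywrite")
    return locked_out, fixed, recovered
```

The model deliberately ignores the finer matching privacyIDEA does (client IP, time, resolver conditions); it only reproduces the all-or-nothing switch that makes the superuser policy the first thing to create.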