Low privilege account for tokens fetch

Question
1

Hello,

I’m struggling with task of creation admin account with low privilege that
will only fetch authentication items.
I create two accounts with command:

  1. pi-manage admin add admin1
  2. pi-manage admin add admin2

I want to grand admin1 all privilege so it can administrate UI of
privacyIDEA.
Second account should only be able to fetch authentication item and do
nothing else.

Could someone explain me how to accomplish this taks?
I’ve tried setup some policy for those accounts but I’ve only accomplish
situation where on both account I got only fetch privilege.

Thanks,
Michal

2

Hi Michal,

If admin1 is supposed to have all rights, you should set a policy in scope
“admin” with roughyl all actions. Set “admin1” to be use username in the
policy.
Then you can create the policy with the reduced rights.

You can use the policy templates (yellow button in policy UI)

Kind regards
CorneliusAm Freitag, 3. Februar 2017 14:56:14 UTC+1 schrieb Michał Lewandowski:

Hello,

I’m struggling with task of creation admin account with low privilege that
will only fetch authentication items.
I create two accounts with command:

  1. pi-manage admin add admin1
  2. pi-manage admin add admin2

I want to grand admin1 all privilege so it can administrate UI of
privacyIDEA.
Second account should only be able to fetch authentication item and do
nothing else.

Could someone explain me how to accomplish this taks?
I’ve tried setup some policy for those accounts but I’ve only accomplish
situation where on both account I got only fetch privilege.

Thanks,
Michal

3

Hello Cornelius,

Still something is not working for me.
My configuration is:

root@XXX:/etc/privacyidea# cat pi.cfg
import logging

The realm, where users are allowed to login as administrators

SUPERUSER_REALM = [‘super’]

root@XXX:/etc/privacyidea# pi-manage admin list

Name email==============================
admin None
webuser None

From UI:

First account:

Policy name - superuser
Scope - admin
Action (All) -
{ “set”: true, “revoke”: true, “adduser”: true, “enrollSMS”: true,
“policydelete”: true, “managesubscription”: true, “enrollTIQR”: true,
“configdelete”: true, “machinelist”: true, “enrollREMOTE”: true, “setpin”:
true, “resync”: true, “unassign”: true, “smsgateway_write”: true,
“tokenrealms”: true, “enrollSPASS”: true, “eventhandling_write”: true,
“auditlog”: true, “auditlog_download”: true, “deleteuser”: true,
“clienttype”: true, “resolverdelete”: true, “enrollMOTP”: true, “enrollPW”:
true, “enrollHOTP”: true, “enrollQUESTION”: true, “enrollCERTIFICATE”:
true, “copytokenuser”: true, “configwrite”: true, “enrollTOTP”: true,
“enrollREGISTRATION”: true, “enrollYUBICO”: true, “resolverwrite”: true,
“updateuser”: true, “enable”: true, “enrollU2F”: true,
“manage_machine_tokens”: true, “enrollPAPER”: true, “getrandom”: true,
“policywrite”: true, “userlist”: true, “getserial”: true,
“radiusserver_write”: true, “enrollpin”: true, “caconnectordelete”: true,
“caconnectorwrite”: true, “disable”: true, “mresolverdelete”: true,
“copytokenpin”: true, “enrollRADIUS”: true, “smtpserver_write”: true,
“set_hsm_password”: true, “reset”: true, “system_documentation”: true,
“getchallenges”: true, “enroll4EYES”: true, “enrollYUBIKEY”: true,
“fetch_authentication_items”: true, “enrollEMAIL”: true, “enrollDAPLUG”:
true, “mresolverwrite”: true, “losttoken”: true, “enrollSSHKEY”: true,
“importtokens”: true, “triggerchallenge”: true, “assign”: true, “delete”:
true }

Realm - blank
User - admin
Resolver - blank
Client - blank

Second account:

Policy name - superuser
Scope - admin
Action (only for SSH RSA token and OTP) -
{ “fetch_authentication_items”: true, “getserial”: true }
Realm - administrators
User - webuser
Resolver - admins
Client - blank

I still get situation when I can only fetch my credentials and nothing else.
Did I miss something in policy configuration?

I’ve read about similar problem in topic “Unable to create new policy in
admin scope” but it’s seem to work for Sergey Kolosovski.

Thanks,
Michal

4

I’ve also change log level to debug and when I enable my two policy I get
following error message:

[2017-02-09
12:33:05,697][3234][140629611616000][ERROR][privacyidea.lib.auditmodules.sqlaudit:234]
DATA: {‘info’: ‘Admin actions are defined, but the action policywrite is
not allowed!’, ‘administrator’: u’admin’, ‘realm’: None, ‘success’: False,
‘privacyidea_server’: ‘10.206.40.107’, ‘client_user_agent’: ‘chrome’,
‘client’: ‘10.95.110.7’, ‘user’: ‘’, ‘resolver’: ‘’, ‘action_detail’: ‘’,
‘action’: ‘POST /policy/enable/’, ‘serial’: None}

Could someone help me with this problem?

PS. My policy got different names in “Policy name”, first is almighty_admin
and second login. There is mistake with it in my previous post.

Thanks,
Michal

5

Here is also my basic system configuration:

PI.cfg------

PI_HSM: default

PI_LOGFILE: /var/log/privacyidea/privacyidea.log

PI_AUDIT_KEY_PUBLIC: /etc/privacyidea/public.pem

PI_PEPPER: ZmJrpL6Kx9_fMPhqq9uOLfAi

PI_ENCFILE: /etc/privacyidea/enckey

For security reason we do not display the SQL URI, as it may contain the
database credentials.

PI_AUDIT_MODULE: privacyidea.lib.auditmodules.sqlaudit

PI_LOGLEVEL: 20

PI_AUDIT_KEY_PRIVATE: /etc/privacyidea/private.pem

SUPERUSER_REALM: [‘super’, ‘credentials’]

… note:: The SUPERUSER_REALM is a list of defined realms where the users
will have administrative rights when logging in to the web UI.

Local Admins

In addition to the SUPERUSER_REALM there are local administrators stored in
the database. The following administrators are defined:

  • admin

  • webuser

System Base Configuration

UiLoginDisplayRealmBox: 0

AutoResync: 0

splitAtSign: 0

UiLoginDisplayHelpButton: 0

timestamp: 1486648120

ReturnSamlAttributesOnFail: 0

ReturnSamlAttributes: 1

PrependPin: 1

IncFailCountOnFalsePin: 0

Resolver Configuration

The following resolvers are defined. Resolvers are connections to user
stores.
To learn more about resolvers read [#resolvers]_.

admins

* Name of the resolver: admins
* Type of the resolver: passwdresolver

Configuration
.............

fileName: **/home/privacyidea/passwd**

Realm Configuration
-------------------
Several resolvers are grouped into realms.
To learn more about realms read [#realms]_.
The following realms have been defined from the resolvers:

administrators
~~~~~~~~~~~~~~~
* Name of the realm: administrators

**This is the default realm!**

Users in the default realm can authenticate without specifying the realm.
Users not in the default realm always need to specify the realm.

The following resolvers are configured in this realm:

* Name: admins
  Priority: None
  Type: passwdresolver

Policy Configuration
--------------------
Policies define the behaviour of privacyIDEA.
To learn more about policies read [#policies]_.

The following policies are defined in your system:

almighty_admin
~~~~~~~~~~~~~~~~~

time: ****

user: **[u'admin']**

resolver: **[]**

active: **False**

adminrealm: **[u'super']**

condition: **0**

realm: **[]**

client: **[]**

check_all_resolvers: **False**

action: **{u'set': True, u'revoke': True, u'adduser': True, u'enrollSMS': 
True, u'policydelete': True, u'policywrite': True, u'enrollTIQR': True, 
u'configdelete': True, u'machinelist': True, u'enrollREMOTE': True, 
u'setpin': True, u'resync': True, u'unassign': True, u'tokenrealms': True, 
u'enrollSPASS': True, u'auditlog': True, u'enrollPAPER': True, 
u'deleteuser': True, u'enrollEMAIL': True, u'resolverdelete': True, 
u'enrollMOTP': True, u'enrollPW': True, u'enrollHOTP': True, 
u'enrollQUESTION': True, u'enrollCERTIFICATE': True, u'copytokenuser': 
True, u'configwrite': True, u'enrollTOTP': True, u'enrollREGISTRATION': 
True, u'enrollYUBICO': True, u'reset': True, u'enable': True, u'enrollU2F': 
True, u'manage_machine_tokens': True, u'getrandom': True, 
u'system_documentation': True, u'caconnectordelete': True, 
u'caconnectorwrite': True, u'disable': True, u'radiusserver_write': True, 
u'getserial': True, u'enrollRADIUS': True, u'copytokenpin': True, 
u'set_hsm_password': True, u'updateuser': True, u'getchallenges': True, 
u'enroll4EYES': True, u'smtpserver_write': True, 
u'fetch_authentication_items': True, u'losttoken': True, u'enrollYUBIKEY': 
True, u'enrollDAPLUG': True, u'mresolverwrite': True, u'assign': True, 
u'userlist': True, u'enrollSSHKEY': True, u'importtokens': True, u'delete': 
True, u'resolverwrite': True, u'mresolverdelete': True}**

scope: **admin**

login
~~~~~~~~~~~~~~~~~

time: ****

user: **[u'webuser']**

resolver: **[]**

active: **False**

adminrealm: **[u'super']**

condition: **0**

realm: **[]**

client: **[]**

check_all_resolvers: **False**

action: **{u'fetch_authentication_items': True, u'getserial': True}**

scope: **admin**

Machine Configuration
---------------------

**TODO**

Token Configuration
-------------------

**TODO**

CA Configuration
----------------

**TODO**

.. [#resolvers] 
http://privacyidea.readthedocs.org/en/latest/configuration/useridresolvers.htm
.. [#realms] 
http://privacyidea.readthedocs.org/en/latest/configuration/realms.html
.. [#policies] 
http://privacyidea.readthedocs.org/en/latest/policies/index.html
6

Cornelius,

Thanks for your answer. Now everything work great.
I’ve always thought that admin users are from default grouped in realm
super since it’s configured in pi.cfg
SUPERUSER_REALM: [‘super’]

Now everything is clear for me.

Thanks,
Michal