The PI native administrator user created with “pi-manage admin add super” loses its admin privileges after creating an admin Policy.
After adding a new realm to PI as described in 2.5. The Config File — privacyIDEA 3.6.2 documentation, it was created an admin Policy, giving to this new realm admin privileges. After that, the users in the new realm become superadmins but the native user “super” loses its privileges, even if it is included super in the Admin-Realm. Is that the supposed behavior?
Yes. You have no policy for this administrator.
No policy, no rights.
ok, so there is no way to apply any policy to PI native/internal users.
Hm, I am sorry if I created this impression. I did not say this.
You do not have a policy.
A local admin is an administrator with an
adminuser (username) and an empty
adminrealm. You can check this out in the audit log.
You can match these conditions in your admin policies.
Oh, I got it.
To match local PI admins, it should be created a admin policy with an empty Admin-Realm but specifying any local admin as Admin, so the policy don’t fit in all other superuser realms.