Policies on TokenTypes

Hello, currently in privacyIDEA we can enable admins or users to delete/revoke at the token level.

We are able to perform any action on any token given that the policy allows it.
I think it would be useful to provide more granularity on these policies.

For example,
An admin/user can assign/unassign hardware tokens, but cannot delete/revoke them.
Whereas they can assign/unassign/delete/revoke other tokens such as SPASS and Email.

Do we have any plans to provide this level of control to the policies?

– Quoc


There was an issue on github or question here before.
There are no real plans to do so.

It is not quite clear, how we should match the policy. Should we match for tokentype, regex serial number or…?
There is no distinct way to distinguish between hardware token and software token. Maybe this would have to be added.

Not all policies would make sense to be matched for a tokentype. So maybe we need to rethink an enhancement for the policies.

Don’t get me wrong. It is obviously an interesting requirement, but we need to add some more think-energy to determine the right way how to do it.
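To make the design question in this thread concrete, here is an added sketch of how per-token policy matching could be evaluated. It is example code written for this page, not privacyIDEA's policy engine, and all names in it (Token, Policy, is_allowed, the "hardware" tokeninfo flag, the UBOM serial prefix, the sample tokens) are hypothetical. It models the three matching options raised above: match on tokentype, match on a serial-number regex, and match on an explicit hardware flag that a token would need to carry because, as noted, the type alone does not say whether a token is hardware or software. Policies are treated as additive, so an action is allowed when at least one matching policy grants it, and anything not granted is denied.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical data model for this example (not privacyIDEA's classes).


@dataclass
class Token:
    serial: str
    tokentype: str
    # Hypothetical free-form attributes; a "hardware" flag is one way to
    # distinguish hardware from software tokens of the same type.
    tokeninfo: dict = field(default_factory=dict)


@dataclass
class Policy:
    name: str
    actions: set                      # e.g. {"assign", "unassign"}
    tokentypes: Optional[set] = None  # None = any tokentype
    serial_regex: Optional[str] = None  # None = any serial
    hardware: Optional[bool] = None   # None = hardware and software alike

    def matches(self, token: Token) -> bool:
        """All configured conditions must hold for the policy to apply."""
        if self.tokentypes is not None and token.tokentype.lower() not in self.tokentypes:
            return False
        if self.serial_regex is not None and not re.fullmatch(self.serial_regex, token.serial):
            return False
        if self.hardware is not None and bool(token.tokeninfo.get("hardware")) != self.hardware:
            return False
        return True


def is_allowed(policies, action: str, token: Token) -> bool:
    """Additive semantics: any matching policy that lists the action grants it.
    No matching grant means deny."""
    return any(action in p.actions and p.matches(token) for p in policies)


# Constructed policy set reproducing the scenario from the first post:
# hardware tokens may be assigned/unassigned but not deleted/revoked,
# while SPASS and Email tokens may have all four actions applied.
POLICIES = [
    Policy("hw_manage", {"assign", "unassign"}, hardware=True),
    # Same intent expressed via a (hypothetical) serial prefix instead of a flag.
    Policy("hw_manage_by_serial", {"assign", "unassign"}, serial_regex=r"UBOM\d+"),
    Policy("sw_full", {"assign", "unassign", "delete", "revoke"},
           tokentypes={"spass", "email"}, hardware=False),
]

# Constructed sample tokens.
HW_FLAGGED = Token("HOTP00001", "hotp", {"hardware": True})
HW_BY_SERIAL = Token("UBOM00012345", "hotp")          # no flag, serial matches
SPASS = Token("PISP0001", "spass")
EMAIL = Token("PIEM0001", "email")
SOFT_TOTP = Token("TOTP0001", "totp")                # matches no policy at all


def evaluate(policies, token: Token) -> dict:
    """Return the allowed/denied verdict for each action on one token."""
    return {a: is_allowed(policies, a, token)
            for a in ("assign", "unassign", "delete", "revoke")}


if __name__ == "__main__":
    for t in (HW_FLAGGED, HW_BY_SERIAL, SPASS, EMAIL, SOFT_TOTP):
        print(t.serial, t.tokentype, evaluate(POLICIES, t))
```

The deny-by-default outcome for SOFT_TOTP is the point worth checking in any such design: a token that carries neither a hardware flag nor a recognisable serial, and whose type is not listed, ends up with no allowed actions at all, so a tokentype-aware policy scheme needs a deliberate fallback rule rather than relying on the matcher's silence.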