Policy Application Issues

I have two policy issues.

First Issue: I get an error that says Admin actions are defined, but the action policywrite is not allowed! when the helpdesk policy is enabled on the local admin account and users in the admin realm.

Second Issue: When all policies are enabled, the HelpDesk policy is not applying to users in the ldap resolver. These users are only getting the SelfService policy.

example (assigned ldap resolvers helpdesk, users)
admin (assigned ldap resolver admin, set as superuser realm in pi.cfg)

LDAP Resolvers
admin: LDAP filter configured to look for users in the AD group, admin.
helpdesk: LDAP filter configured to look for users in the AD group, helpdesk
users: LDAP filter configured to exclude users from ad groups admin and helpdesk
(Users are exclusive to one group or the other, a user does not exist in both admin group and helpdesk group)

All policies are templates

priority 1
User-Realm: admin
User-Resolver: admin

priority 2
User-Realm: example
User-Resolver: HelpDesk

priority 3
User-Realm: example
User-Resolver: Users

It is not quite clear how your policies look like, but I have a suspicion:

If you add an admin realm and admin names in one policy, this will only match on admins with this name in this realm. You get the rest…

Your helpdesk policy probably is a policy in scope admin. This is not used for normal users. => works as expected.

@cornelinux, I’ll approach it from a different angle because I think I’m trying to use it in an unintended way.

I can only have one realm. In this realm, I want to giver superuser rights to one AD group, helpdesk level rights to another AD group, and then only selfservice rights to the remaining users. Is this possible?

I was assuming I could create the LDAP resolvers for these user groups and then filter the policies with them in the User-Resolver field. However, that doesn’t work like I expected it to or I am missing a setting.

This is what my policies look like:

This is what the superuser policy looks like


No, this is not possible. A realm is either an administrative realm by defining this in the pi.cfg or a user realm. An administrator can manage token for other userts. A user can only manage his own tokens.

In your case, you need three realms

  1. for administrators
  2. helpdesk
  3. users.

Why do you think, that you can only have one realm?

I finally got it figured out and just the way you mentioned. The thought behind needing a single realm was because I am integrating with ADFS and the connector only allows the specification of a single realm. I later realized that I could have one realm include all users, ignorance or not enough sleep kept me from that realization.

I need to revisit the policies again as well, its been about a week since I last was in PrivacyIDEA, but at the time I was really confused as to how the policies applied…like half the policy enforcement was from one perspective and the other half was from an alternate perspective. I’ll take another look and form a better response/question, if necessary.

Appreciate your time though @cornelinux