Policy Application Issues

#1

I have two policy issues.

First Issue: I get an error that says "Admin actions are defined, but the action policywrite is not allowed!" when the helpdesk policy is enabled on the local admin account and users in the admin realm.

Second Issue: When all policies are enabled, the HelpDesk policy is not applying to users in the ldap resolver. These users are only getting the SelfService policy.


Realms
example (assigned ldap resolvers helpdesk, users)
admin (assigned ldap resolver admin, set as superuser realm in pi.cfg)


LDAP Resolvers
admin: LDAP filter configured to look for users in the AD group, admin.
helpdesk: LDAP filter configured to look for users in the AD group, helpdesk
users: LDAP filter configured to exclude users from ad groups admin and helpdesk
(Users are exclusive to one group or the other, a user does not exist in both admin group and helpdesk group)


Policies
All policies are templates

superuser
priority 1
User-Realm: admin
User-Resolver: admin

helpdesk
priority 2
User-Realm: example
User-Resolver: HelpDesk

selfservice
priority 3
User-Realm: example
User-Resolver: Users

0 Likes

#2

It is not quite clear what your policies look like, but I have a suspicion:

If you add an admin realm and admin names in one policy, this will only match on admins with this name in this realm. You get the rest…

Your helpdesk policy probably is a policy in scope admin. This is not used for normal users. => works as expected.

0 Likes

#3

@cornelinux, I’ll approach it from a different angle because I think I’m trying to use it in an unintended way.

I can only have one realm. In this realm, I want to give superuser rights to one AD group, helpdesk level rights to another AD group, and then only selfservice rights to the remaining users. Is this possible?

I was assuming I could create the LDAP resolvers for these user groups and then filter the policies with them in the User-Resolver field. However, that doesn’t work like I expected it to or I am missing a setting.

This is what my policies look like:
image

This is what the superuser policy looks like

image

0 Likes

#4

No, this is not possible. A realm is either an administrative realm, by defining this in the pi.cfg, or a user realm. An administrator can manage tokens for other users. A user can only manage his own tokens.

In your case, you need three realms

  1. for administrators
  2. helpdesk
  3. users.

Why do you think that you can only have one realm?

0 Likes