Policy assignment confusion

Still on POC/evaluation here. I haven’t touched the PI config for some time and as far as I know it works as it should. Server has been updated regularly and the PI installation gets updates along with the server through apt (Ubuntu 18.04.5 LTS). However, when I tried to do some new experiments creating resolvers and realms, I get the dreaded “Admin actions are defined, but…”
I am sure this worked perfectly alright last time I did something there. Admin policy “Superadmin_policy” with practically all previleges is defined and assigned to realm “superadmins”, to which the account I use definitely belong. In the Audit log entry the Superadmin_policy is not listed (but AdminDashboard and hide_welcome is). If I make alterations in the Superadmin_policy they seem to take effect on the account to some degree, but I cant make it allow for example realm creation. I can’t see that it is overridden by another policy. I also tried to export and import -c the policies with pi-manage but it makes no difference. What am I missing here?

Please note that this is a community forum. You are part of the community. If you are answering more questions, then others might also answer yours! This way you can become a valuable member of the community. Share your experiences!

When asking your question, please provide as many information as possible. We have a blog post about this.

If you have a professional problem you might need professional help with decent response times. In this case consider to get some consultancy or a service level agreement.

Now, go and grab all your information and ask…

It looks like as if you admin policy does not match!
You need to recheck your policy conditions.

Important rule of thumb: Do not overcomplicate things! If you only have a “local” admin, i.e. one you created with pi-manage, it might be the best to only set the admin-name in the conditions. nothing else.

I have only 2 admin policies, one “superuser” (allowed to do everything) and one called local_admins designed for persons who are designated to register tokens for users. One admin account “admin” created by pi-manage. superuser is assigned to admin by name and no other assignments exists for superuser policy. In the audit log, in the policies column, effective admin policies are never shown even though they are effective for the logged in person. The superuser policy appears to be partly effective, i.e. policies can be created, altered and deleted but realms and resolvers can not (Admin actions…). The localadmin_policy appears to be effective as intended for those that are assigned to it.

Please post a screenshot of your policies or the output of

pi-manage policy p_export

from the command line.
Probably you have a misunderstanding of the conditions.

Thanks for helping me! Link to output from p_export: PI - Google Docs
I tried a couple of things, created another local adminaccount, admin2, and if i don’t assign the superuser policy admin2 becomes a regular user with very limited previleges. Assigning admin2 to policy superuser makes the superuser policy effective in almost all respects for admin2, except for managing realms and resolvers. I also noticed that neither of these admin-accounts can remove the realms from the webui policy AdminDashboard (removing one of them was possible but not the last one).
Thanks again for your help!

As I already told you - do not overcomplicate things.
Have you been using LinOTP before? Foreget about it.

For starters in your “superuser” policy empty realm, resolver and user completly!

Why would you have this in the first playe, anyways. (rhetorical question).

Thanks a great lot! A sort of logical lapse on my side here! Clearly if I specify user realms the admin policy only applies to the specified realms, which means that I cannot create new realms etc. Leaving it blank means “any”. I have to admit that I don’t fully understand how policies work yet.
And no, I have not been using LinOTP.
Great thanks!