Policy for importing tokens

Hi,

I’ve added admin policies to my privacyidea 2.7, so I can restrict
access to the pam-user for privacyidea. I’ve also added policies for my
@admin realm to work with my users in my @jochen.org realm.

Two things that don’t work for me:

  1. I wanted to create a policy for the privacyidea internal admin user,
    but I had no success. Is it possible to create such a policy, and would
    it be a good idea to create such a policy when creating the admin user?

  2. I have a policy for my @admin realm with all admin rights to my
    @jochen.org realm. But when I try to import a token I get:
    Admin actions are defined, but you are not allowed to upload token
    files. My Policy “admin” has:
    scope: admin, admin realm: admin, user realm: jochen.org. All options
    are checked, especially “importtokens”

Any idea what I miss in my policy?

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

My bad!
There is a wrong action ID in the check for token upload.
The policy checker checks for “import” while the policy is
"importtokens".

So you need to either deactivate the admin policies during token import
or you need to manually add the action “import” to the policy on a db
level.

I’ll try that.

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Cornelius Kölbel <@cornelinux> writes:

  1. I wanted to create a policy for the privacyidea internal admin user,
    but I had no success. Is it possible to create such a policy, and would
    it be a good idea to create such a policy when creating the admin user?

Yes, you can create such a policy.

Use scope=admin. Do not select an admin realm!
Use the name of the internal admin in the administrator text input.
Now you can select all the admin actions you like.

Hm, that didn’t work for me - and I think I know why. I’ve now created
a new policy, left admin realm unselected and that policy works.

In my tries I first had an admin realm selected in the policy. Later I
changed the policy to not select the admin realm - but if I enter the
rule again, my admin realm is still selected. There seems to be a bug in
changing policies.

You are right.
After unselected a selected realm and saving this, the previously
selected realm is not wiped. :-/

Thanks for the hint.

Kind regards
CorneliusAm Samstag, den 10.10.2015, 17:12 +0200 schrieb Jochen Hein:

This way you could create an internal admin super-user who is allowed to
do everything and have other admins with restricted rights.

Note: You can use pi-manage.py to deactivate policies. (If you locked
yourself out)

I already did both :slight_smile:

Thanks,

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

  1. I wanted to create a policy for the privacyidea internal admin user,
    but I had no success. Is it possible to create such a policy, and would
    it be a good idea to create such a policy when creating the admin user?

Yes, you can create such a policy.

Use scope=admin. Do not select an admin realm!
Use the name of the internal admin in the administrator text input.
Now you can select all the admin actions you like.

Hm, that didn’t work for me - and I think I know why. I’ve now created
a new policy, left admin realm unselected and that policy works.

In my tries I first had an admin realm selected in the policy. Later I
changed the policy to not select the admin realm - but if I enter the
rule again, my admin realm is still selected. There seems to be a bug in
changing policies.

This way you could create an internal admin super-user who is allowed to
do everything and have other admins with restricted rights.

Note: You can use pi-manage.py to deactivate policies. (If you locked
yourself out)

I already did both :slight_smile:

Thanks,

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

HI Jochen,

actually you can delete policies from the web ui.
(If you have the right to delete policies)

Kind regards
CorneliusAm Samstag, den 10.10.2015, 17:34 +0200 schrieb Jochen Hein:

Jochen Hein jochen@jochen.org writes:

In my tries I first had an admin realm selected in the policy. Later I
changed the policy to not select the admin realm - but if I enter the
rule again, my admin realm is still selected. There seems to be a bug in
changing policies.

Now I have some policies to delete - I did that with pi-manage.py. Do
you think that should be possible from the web-UI too?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Jochen Hein <@Jochen_Hein> writes:

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

My bad!
There is a wrong action ID in the check for token upload.
The policy checker checks for “import” while the policy is
"importtokens".

So you need to either deactivate the admin policies during token import
or you need to manually add the action “import” to the policy on a db
level.

I’ll try that.

That works. Thanks again.

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

actually you can delete policies from the web ui.
(If you have the right to delete policies)

I do have policydelete=TRUE in my admin policies - but I only have an
"deactivate" button in the web ui (policy detail view). I’ll check
again. Ah, the last column in the policy list has the delete button - I
didn’t see the scroll bar at the bottom until now.

In the detail view of a policy is a deactivate button - there I expected
the delete button.

The first column is “active” - could it be possible to toggle by
clicking or add a deactivate button in the last column too?

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Hi,

I’ve added admin policies to my privacyidea 2.7, so I can restrict
access to the pam-user for privacyidea. I’ve also added policies for my
@admin realm to work with my users in my @jochen.org realm.

Two things that don’t work for me:

  1. I wanted to create a policy for the privacyidea internal admin user,
    but I had no success. Is it possible to create such a policy, and would
    it be a good idea to create such a policy when creating the admin user?

Yes, you can create such a policy.

Use scope=admin. Do not select an admin realm!
Use the name of the internal admin in the administrator text input.
Now you can select all the admin actions you like.

This way you could create an internal admin super-user who is allowed to
do everything and have other admins with restricted rights.

Note: You can use pi-manage.py to deactivate policies. (If you locked
yourself out)

  1. I have a policy for my @admin realm with all admin rights to my
    @jochen.org realm. But when I try to import a token I get:
    Admin actions are defined, but you are not allowed to upload token
    files. My Policy “admin” has:
    scope: admin, admin realm: admin, user realm: jochen.org. All options
    are checked, especially “importtokens”

If the admin is an internal admin, this admin has no realm.
You must leave the admin-realm empty.

Kind regards
CorneliusAm Samstag, den 10.10.2015, 15:08 +0200 schrieb Jochen Hein:

Any idea what I miss in my policy?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi,

I’ve added admin policies to my privacyidea 2.7, so I can restrict
access to the pam-user for privacyidea. I’ve also added policies for my
@admin realm to work with my users in my @jochen.org realm.

Two things that don’t work for me:

  1. I wanted to create a policy for the privacyidea internal admin user,
    but I had no success. Is it possible to create such a policy, and would
    it be a good idea to create such a policy when creating the admin user?

Yes, you can create such a policy.

Use scope=admin. Do not select an admin realm!
Use the name of the internal admin in the administrator text input.
Now you can select all the admin actions you like.

This way you could create an internal admin super-user who is allowed to
do everything and have other admins with restricted rights.

Note: You can use pi-manage.py to deactivate policies. (If you locked
yourself out)

  1. I have a policy for my @admin realm with all admin rights to my
    @jochen.org realm. But when I try to import a token I get:
    Admin actions are defined, but you are not allowed to upload token
    files. My Policy “admin” has:
    scope: admin, admin realm: admin, user realm: jochen.org. All options
    are checked, especially “importtokens”

My bad!
There is a wrong action ID in the check for token upload.
The policy checker checks for “import” while the policy is
“importtokens”.

So you need to either deactivate the admin policies during token import
or you need to manually add the action “import” to the policy on a db
level.

Kind regards
CorneliusAm Samstag, den 10.10.2015, 16:00 +0200 schrieb Cornelius Kölbel:

Am Samstag, den 10.10.2015, 15:08 +0200 schrieb Jochen Hein:

If the admin is an internal admin, this admin has no realm.
You must leave the admin-realm empty.

Kind regards
Cornelius

Any idea what I miss in my policy?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Jochen Hein <@Jochen_Hein> writes:

In my tries I first had an admin realm selected in the policy. Later I
changed the policy to not select the admin realm - but if I enter the
rule again, my admin realm is still selected. There seems to be a bug in
changing policies.

Now I have some policies to delete - I did that with pi-manage.py. Do
you think that should be possible from the web-UI too?

Jochen–
The only problem with troubleshooting is that the trouble shoots back.