Hi,
I’ve added admin policies to my privacyidea 2.7, so I can restrict
access to the pam-user for privacyidea. I’ve also added policies for my
@admin realm to work with my users in my @jochen.org realm.
Two things that don’t work for me:
- I wanted to create a policy for the privacyidea internal admin user,
but I had no success. Is it possible to create such a policy, and would
it be a good idea to create such a policy when creating the admin user?
Yes, you can create such a policy.
Use scope=admin. Do not select an admin realm!
Use the name of the internal admin in the administrator text input.
Now you can select all the admin actions you like.
This way you could create an internal admin super-user who is allowed to
do everything and have other admins with restricted rights.
Note: You can use pi-manage.py to deactivate policies. (If you locked
yourself out)
- I have a policy for my @admin realm with all admin rights to my
@jochen.org realm. But when I try to import a token I get:
Admin actions are defined, but you are not allowed to upload token
files. My Policy “admin” has:
scope: admin, admin realm: admin, user realm: jochen.org. All options
are checked, especially “importtokens”
My bad!
There is a wrong action ID in the check for token upload.
The policy checker checks for “import” while the policy is
“importtokens”.
So you need to either deactivate the admin policies during token import
or you need to manually add the action “import” to the policy on a db
level.
Kind regards
Cornelius
On Saturday, 10.10.2015, 16:00 +0200, Cornelius Kölbel wrote:
On Saturday, 10.10.2015, 15:08 +0200, Jochen Hein wrote:
If the admin is an internal admin, this admin has no realm.
You must leave the admin-realm empty.
Kind regards
Cornelius
Any idea what I miss in my policy?
Jochen
–
The only problem with troubleshooting is that the trouble shoots back.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel