Policy to disable delete of only one token type

Hi, how are you?

I am using an event handler to create the SMS token for users on their first login. To avoid creating several tokens, I only enroll the SMS token when the user has no token.

Event handler:

[ "auth" ] Token pre {"logged_in_user":"user","realm":"realm_user_corp.xxxxxxxxx.com.br","user_token_number":"0"} enroll { "dynamic_phone": "True", "sms_identifier": "test", "tokentype": "sms", "user": "True" }

This is working fine.

What I am trying to achieve:

The user must not be allowed to modify or delete the SMS token; it is immutable.

The user is only allowed to enroll and manage push / email tokens.

So I have created 2 policies with filters:

1 - disable delete of SMS:
user { "": true }
Condition: active / token tokentype equals sms

2 - allow email and push:
user { "delete": true, "enrollEMAIL": true, "enrollPUSH": true }
Condition: token tokentype equals email

It is not working. I cannot delete, but I cannot enroll either; I am getting the message below:

Policy 'sssss_2' has conditions on tokens, but a token object is not available.

Is this scenario possible to be implemented?

Cheers,

Thiago

Read the error message:

Policy 'sssss_2' has conditions on tokens, but a token object is not available.

Then read the documentation, especially the Note, and preferably the whole chapter about conditions.

Then take a look at your audit log and it should open up your eyes.

Hi,

Many thanks for opening my mind; I have changed my logic.

It is easier than I was trying to do.

I removed the delete permission from my "default" user policy and created a new policy with high priority, with only the delete permission and the filter below:

Active: yes
Section: token
Key: tokentype
Comparator: not equals
Value: sms

Cheers,

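To make the difference between the two setups in this thread concrete, here is a small Python model of user-scope policy matching with token conditions. It is an added illustration and not privacyIDEA's own code: it assumes that a policy is only considered for the action being requested, that a token condition can only be checked when the request carries a token object (otherwise matching fails with the error quoted above), and that an action is allowed as soon as one matching user-scope policy grants it. The policy names other than `sssss_2`, the "default" policy's actions and the sample tokens are constructed for the example.

```python
"""Toy model of user-scope policy matching with token conditions.

Added illustration, not privacyIDEA code. Assumed semantics (labelled):
- a policy is only evaluated for actions it lists (action filter first);
- a condition in the "token" section needs a token object; without one,
  matching raises, reproducing the error quoted in the thread;
- once user policies exist, an action is allowed only if at least one
  matching policy grants it. Priority only orders the evaluation here.
"""
from dataclasses import dataclass, field


@dataclass
class Condition:
    section: str      # only "token" is modelled
    key: str          # e.g. "tokentype"
    comparator: str   # "equals" or "not equals"
    value: str
    active: bool = True


@dataclass
class Policy:
    name: str
    actions: dict               # e.g. {"delete": True, "enrollEMAIL": True}
    priority: int = 1           # lower number = higher priority
    conditions: list = field(default_factory=list)


class PolicyError(Exception):
    """Raised when a policy condition cannot be evaluated."""


def policy_matches(policy, action, token):
    """True if `policy` grants `action` for `token` (a dict or None)."""
    if not policy.actions.get(action):
        return False                      # policy does not mention this action
    for cond in policy.conditions:
        if not cond.active:
            continue
        if cond.section != "token":
            raise PolicyError(f"section {cond.section!r} not modelled")
        if token is None:                 # e.g. an enrollment request: no token yet
            raise PolicyError(
                f"Policy '{policy.name}' has conditions on tokens, "
                "but a token object is not available.")
        actual = token.get(cond.key)
        if cond.comparator == "equals":
            ok = actual == cond.value
        elif cond.comparator == "not equals":
            ok = actual != cond.value
        else:
            raise PolicyError(f"comparator {cond.comparator!r} not modelled")
        if not ok:
            return False
    return True


def is_allowed(policies, action, token=None):
    """User-scope rule: allowed only if some matching policy grants the action."""
    ordered = sorted(policies, key=lambda p: p.priority)
    return any(policy_matches(p, action, token) for p in ordered)


def check(policies, action, token=None):
    """Return True/False, or the error text when the check cannot be evaluated."""
    try:
        return is_allowed(policies, action, token)
    except PolicyError as err:
        return str(err)


# Scenario A: the first attempt from the thread (policy_1 name is constructed).
FIRST_ATTEMPT = [
    Policy("policy_1", {"": True},
           conditions=[Condition("token", "tokentype", "equals", "sms")]),
    Policy("sssss_2", {"delete": True, "enrollEMAIL": True, "enrollPUSH": True},
           conditions=[Condition("token", "tokentype", "equals", "email")]),
]

# Scenario B: the working setup from the last post. The "default" policy's
# actions are assumed; the delete policy carries "tokentype not equals sms".
WORKING_SETUP = [
    Policy("default_user", {"enrollEMAIL": True, "enrollPUSH": True}, priority=2),
    Policy("delete_non_sms", {"delete": True}, priority=1,
           conditions=[Condition("token", "tokentype", "not equals", "sms")]),
]

# Constructed sample tokens as the matcher would see them.
SMS_TOKEN = {"serial": "PISM0001", "tokentype": "sms"}
EMAIL_TOKEN = {"serial": "PIEM0001", "tokentype": "email"}


if __name__ == "__main__":
    print("A enrollEMAIL:", check(FIRST_ATTEMPT, "enrollEMAIL"))        # error text
    print("A delete sms :", check(FIRST_ATTEMPT, "delete", SMS_TOKEN))   # False
    print("B enrollEMAIL:", check(WORKING_SETUP, "enrollEMAIL"))        # True
    print("B delete sms :", check(WORKING_SETUP, "delete", SMS_TOKEN))   # False
    print("B delete mail:", check(WORKING_SETUP, "delete", EMAIL_TOKEN)) # True
```

The point the model makes: in the first attempt the enrollment request has no token yet, so a policy that both grants `enrollEMAIL` and filters on `tokentype` cannot be evaluated and the request fails. In the working setup the token condition lives only on a policy whose sole action is `delete`, so it is never consulted during enrollment, while a delete of the SMS token finds no policy granting it.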