Remove enroll token from menu

Giovanni · August 21, 2024, 2:10pm

I need to remove the renroll token button but only for users logged in belonging to a specific super-realm. Is it possible?

cornelinux · August 22, 2024, 6:17am

There is no specific right to reenroll/rollover a token. It comes with the right to enroll this specific token.

So if you want to remove the button, you need to adapt the template.
See: 16.1. Customization — privacyIDEA 3.10dev1 documentation

Can you elaborate on your scenario, why you want to do this?

Giovanni · August 22, 2024, 11:29am

Hi Cornelius, thanks for answering me. Even tough PY is not an user managment app, i nedeed to create different kind of users (with admin privileges) each one with a specific policy assigned. For instance if users logged in belonging to the realm ‘secretary’ are allowed to enroll new tokens, meanwhile an user belong to the realm ‘pdc’ is not allowed to do that. I assigned the policies and it’s working fine, but the ‘enroll button’ below the ‘token list’ button is still there.
… ```

<button>
<span  style="visibility: {% if loggedInUser.realm === 'pdc' %}hidden
          {% else %}visible {% endif %};">
</button>
```I tought something like the code above applied to the html template was going to work but it's not actually work

Giovanni · August 22, 2024, 2:29pm

One more question is why i can’t remove the pin/password input field and label in the enroll token page, even if i have completely deleted the div in the template (token.enroll.html), it is still visible…how is that?

cornelinux · August 23, 2024, 10:18am

OK, I see it is about enrolling the token in the first place, not about re-enrollment.

You can use the admin policies to define, who is allowed to enroll which tokens types.
You can then give the pdc admins no enrollment rights at all. Then this list of the tokentypes to enroll will be empty. I am currently not sure, if the enroll-menu-entry will disappear.

But if this will be changed, I would recommend to test for an empty tokentype-list instead of your individueal realm name.

Giovanni · August 23, 2024, 11:29am

Hi, yes i have already used the admin policy, in fact the “pdc” users are not allowed to enroll any tokens cause the list of token types is empty. I just wanted to know if it was possible to delete the enroll menu entry but if it’s not i will carry on…just let me know if you have time, how delete the pin/password entry in the enroll-token page…i deleted the div in the template but it still appear…