Self-service of the admins

Hi all,

We have some problems regarding the self-service of our admins. First, something about our topology:
We defined different groups of admins: Superusers, Managers and Helpdesk. Beneath them is a defined group of users, which I will call “externals”.

  • Superusers can do everything
  • Managers can create new externals and enroll registration tokens for them
  • Helpdesk can see all externals and do some janitor stuff like resetting locked tokens

For the externals everything is working fine: they get their registration token and can then enroll a TOTP token for themselves, with which they can log in too.

After hours of crawling through the policies and the forums, we were not able to get any self-service working for our admins; in particular, they cannot enroll a token for themselves if they don’t already own one.

We only got policies into a functioning state if the realm is removed from SUPERUSER_REALM in the cfg file.

For example, the goal is that the Managers are forced on their first login (LDAP based) to enroll a TOTP token, and after that they can only log in with their password+OTP.
We got the PW+OTP login for the Managers working, but only if the token is created and assigned by a superuser.

Is this functionality not foreseen for admins?

Greets from Wiesbaden, DE

Hello @Schnookeuz

welcome to privacyIDEA.

You are right. This is actually not possible.
A manager can enroll tokens for other managers and thus also for himself. But an admin actually always acts on others.

You might need to do some tricks with a kind of shadow realm where the managers are contained as normal users and then you could use event handlers to reassign the tokens to the managers. Or a lot more…

Well, it might not have been planned explicitly. But it is the way it turns out by the concept of admins and users.

Greetings from northern Hesse to southern Hesse.
