Separate policies between users

Good day.
Can you please tell me how to properly separate policies between users?

Now I have it set up like this:
There is an OU to which the LDAP resolver is configured. It contains users (1) who are allowed access to VPN around the clock.

Now there is a need to give other users (2) access, which is limited in time.
I found a description of time limits in the help.
If I understand correctly, I need to create copies of the current policies using the valid time field for these users.
I can create a new LDAP resolver for users (2) that will look at another OU and use it in the set of copies of the rules in the user-realm field.

But how will the request be processed if the user is in two groups at the same time? For example, if the operator adds them to both groups by mistake.
Or am I thinking in the wrong direction?
Thank you in advance.

Has no one created rules in the UI for more than one group?
I’m not asking you to give me a customized solution - I’ll try to do it myself.
I ask you to suggest the logic of such work so that I initially start doing it right.

The problem is that most people come here to ask questions and not to answer them.

It is of course possible, but complicated. And I think you chose the wrong approach.

Note that if you define a resolver in a realm, you are creating a new privacyIDEA logically.
A user is defined by uid, resolver and realm.
Yes, maybe we can enhance this documentation: 5.2. Realms — privacyIDEA 3.8 documentation

So if you have a realm with several resolvers and an LDAP object is found by several resolvers, these are different users and only the first can authenticate.
So you need to think hard, if you really want to split users in different resolvers or if you want to use other means to provide different policies to users.

Thank you.
Then another option that came to my mind:

Suppose I added all users who can generally use VPN to the OU (CN=Allow_VPN,…,DC=com) that I specified in the resolver.
All these users can use VPN unlimitedly.
I found this - 7.9. Extended Policy Conditions — privacyIDEA 3.8 documentation
This thought came up:
I am taking a user in my AD and adding it to a restricted group (CN=Allow_VPN_Time_Restr,…,DC=com). So now he is in two groups.
I create a new policy and add the Allow_VPN_Time_Restr group to the additional conditions. I indicate the time at which he CANNOT work (for example, Mon-Fri: 19-7).

What do I need to enable in order for the prohibit rule to work?
The example disables the WebUI login, but I did not find similar items in the scope of authorization or authentication.

Will such logic work in principle? If so, I could make several such policies that would work at different times for different groups of people.

UPD
I found “authorized: deny_access” in authorization.
It seems that the policy works out exactly the way I wanted.
Two other questions:

  1. SMS messages continue to arrive.
    I tried to create an empty policy with the same restrictions as the authorization one - they keep coming.
    I thought of changing the text of the SMS ("You are forbidden to use this service from 19 to 7") - I get an error:

The PIN was correct, but the SMS could not be sent! (PolicyError(description="There are policies with conflicting actions: [‘otppin_userstore’, ‘otppin_userstore_time_restrictions’]

  2. When connecting, I get an error:

ERR401 : User is not authorized to authenticate under these conditions.

Is it possible to change the text of the error, since it does not tell the user anything?
For example, write “You are prohibited from using this service from 19 to 7”)

I have very little left))) :sweat:

Attached is a screenshot of my policies:
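The logic worked out in this thread (a deny_access authorization policy that is only considered for members of the time-restricted AD group, and only inside the policy's time window, plus the "conflicting actions" error from the SMS step) as an added Python model. This is not privacyIDEA's own code and does not call its API: the group DNs, the userinfo attribute name `memberOf`, the time-window grammar and the conflict rule (an error only when matching policies disagree on the otppin value) are assumptions modelled on the posts above, not a description of how privacyIDEA evaluates policies internally.

```python
"""Toy model of policy matching as discussed in the thread (added example, not privacyIDEA code)."""
from dataclasses import dataclass, field
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


class PolicyError(Exception):
    """Stands in for the PolicyError the thread quotes."""


def _expand_days(spec):
    """'Mon-Fri' -> ['Mon', ..., 'Fri']; 'Sat' -> ['Sat']."""
    if "-" in spec:
        a, b = spec.split("-")
        ia, ib = DAYS.index(a), DAYS.index(b)
        return DAYS[ia:ib + 1] if ia <= ib else DAYS[ia:] + DAYS[:ib + 1]
    return [spec]


def time_matches(time_spec, now):
    """Assumed grammar: comma-separated '<Dow>[-<Dow>]: <hh>-<hh>' entries.
    An end hour below the start hour wraps past midnight, so 'Mon-Fri: 19-7'
    covers Monday 19:00 up to Saturday 06:59. An empty spec is always active."""
    if not time_spec:
        return True
    dow = DAYS[now.weekday()]
    prev = DAYS[(now.weekday() - 1) % 7]
    for entry in time_spec.split(","):
        days, hours = entry.split(":")
        start, end = (int(h) for h in hours.strip().split("-"))
        days = _expand_days(days.strip())
        if start <= end:
            if dow in days and start <= now.hour < end:
                return True
        else:
            if dow in days and now.hour >= start:        # evening part of the window
                return True
            if prev in days and now.hour < end:          # morning part, next calendar day
                return True
    return False


@dataclass
class Policy:
    name: str
    scope: str
    action: str
    time: str = ""
    conditions: list = field(default_factory=list)   # [(userinfo key, comparator, value)]


def conditions_match(policy, userinfo):
    """Extended condition on a user attribute; only 'contains' is modelled here."""
    for key, comparator, value in policy.conditions:
        if comparator != "contains":
            raise ValueError(f"unsupported comparator {comparator!r}")
        if value not in userinfo.get(key, []):
            return False
    return True


def matching_policies(policies, scope, userinfo, now):
    return [p for p in policies
            if p.scope == scope and time_matches(p.time, now) and conditions_match(p, userinfo)]


def authorize(policies, userinfo, now):
    """Any matching authorization policy with action deny_access blocks the login."""
    hits = matching_policies(policies, "authorization", userinfo, now)
    if any(p.action == "deny_access" for p in hits):
        return False, "ERR401 : User is not authorized to authenticate under these conditions."
    return True, "ok"


def otppin_value(policies, userinfo, now):
    """Assumed conflict rule: matching authentication policies must agree on otppin."""
    hits = [p for p in matching_policies(policies, "authentication", userinfo, now)
            if p.action.startswith("otppin=")]
    values = {p.action.split("=", 1)[1] for p in hits}
    if len(values) > 1:
        raise PolicyError(f"There are policies with conflicting actions: {[p.name for p in hits]}")
    return values.pop() if values else None


# Constructed sample data: two AD groups, one user in each situation.
VPN_GROUP = "CN=Allow_VPN,OU=Groups,DC=example,DC=com"
RESTRICTED_GROUP = "CN=Allow_VPN_Time_Restr,OU=Groups,DC=example,DC=com"
UNRESTRICTED_USER = {"memberOf": [VPN_GROUP]}
RESTRICTED_USER = {"memberOf": [VPN_GROUP, RESTRICTED_GROUP]}   # in both groups at once

POLICIES = [
    Policy("otppin_userstore", "authentication", "otppin=userstore"),
    Policy("vpn_time_restrictions", "authorization", "deny_access", time="Mon-Fri: 19-7",
           conditions=[("memberOf", "contains", RESTRICTED_GROUP)]),
]


def demo():
    mon_evening = datetime(2023, 3, 6, 20, 0)    # Monday 20:00, inside the window
    mon_noon = datetime(2023, 3, 6, 12, 0)       # Monday 12:00, outside
    sat_night = datetime(2023, 3, 11, 3, 0)      # Saturday 03:00, tail of Friday's window
    results = {
        "restricted_evening": authorize(POLICIES, RESTRICTED_USER, mon_evening)[0],
        "restricted_noon": authorize(POLICIES, RESTRICTED_USER, mon_noon)[0],
        "restricted_sat_night": authorize(POLICIES, RESTRICTED_USER, sat_night)[0],
        "unrestricted_evening": authorize(POLICIES, UNRESTRICTED_USER, mon_evening)[0],
        "otppin": otppin_value(POLICIES, RESTRICTED_USER, mon_evening),
    }
    # A copied authentication policy that sets a different otppin reproduces the thread's error.
    conflicting = POLICIES + [Policy("otppin_userstore_time_restrictions", "authentication",
                                     "otppin=none", time="Mon-Fri: 19-7",
                                     conditions=[("memberOf", "contains", RESTRICTED_GROUP)])]
    try:
        otppin_value(conflicting, RESTRICTED_USER, mon_evening)
        results["conflict"] = None
    except PolicyError as err:
        results["conflict"] = str(err)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes for the "user in both groups" case is that the deny_access policy does not replace the base VPN access; it is an additional, narrower match, so a user who is in both groups is denied only while the window is active and behaves like an unrestricted user the rest of the time. The model also shows why a second authentication-scope policy copied with the same conditions is dangerous: if its actions diverge from the base policy, both match at the same moment and the engine has no way to pick one.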

Question number 1 - solved.
Question 2 is relevant and cannot be solved by me on my own.
Is it possible to change the text of the 401 error?

ERR401 : User is not authorized to authenticate under these conditions.