Setting policies via command line

Originally published at: https://www.privacyidea.org/setting-policies-via-command-line/

privacyIDEA comes with a central tool, “pi-manage”, which runs on the local privacyIDEA machine. Notably, it operates directly on the database level, so you can use pi-manage even if your web server is not running.

Importantly, you can use pi-manage to manage policies. This way the root user can, for example, deactivate policies if the token admin misconfigured something in the Web UI.

You can even use pi-manage to set up policies.

Setting up simple policies

To view all configured policies, run

pi-manage policy list

This will give you a list of the policies with their names, and whether they are active or not.

To create a new policy, use

pi-manage policy create <parameters>

The “create” command accepts the positional arguments “name”, “scope” and “action”.

So to create a policy that sets otppin=userstore, so that users authenticate with their LDAP password, run

pi-manage policy create policyname1 authentication otppin=userstore

This quickly creates a policy with the name “policyname1”. Note that this form does not allow for more complex policies, such as ones with several actions or with user or IP restrictions.

Anyway, this is a quick and easy way to bootstrap your privacyIDEA installation.

If you need more complex setups, you can use the parameter “filename”.

Setting up more complex policies

Maybe you want to create a policy that requires users to present their LDAP password, but that also passes authentication if the user has no tokens or the user does not exist, and only for a specific realm. In that case you can create a JSON config file that describes this policy and use this file to bootstrap the privacyIDEA configuration.

The file contains a dictionary with the following content:

{
    'action': {
        u'otppin': u'userstore',
        'passOnNoUser': True,
        'passOnNoToken': True
    },
    'active': False,
    'adminrealm': [],
    'check_all_resolvers': False,
    'client': [],
    'condition': 0,
    'name': u'policyname2',
    'priority': 17,
    'realm': ['userrealm'],
    'resolver': [],
    'scope': u'authentication',
    'time': u'',
    'user': []
}

This way you can set all parameters of a policy. In this case we bound the policy to the userrealm “userrealm” and initially deactivated the policy.
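
A pre-import check for such a file, as an added example that is not part of privacyIDEA or the original post: it flags passOnNoUser/passOnNoToken when the policy carries no realm, resolver, user or client restriction, or when it would be active as soon as it is imported. It assumes the file is a Python literal like the sample above (u'' strings, True/False) and that the sample's keys are the expected set; the function names are hypothetical.

```python
import ast

# Keys of the policy dictionary shown on this page (assumed to be the full set).
EXPECTED_KEYS = {"action", "active", "adminrealm", "check_all_resolvers",
                 "client", "condition", "name", "priority", "realm",
                 "resolver", "scope", "time", "user"}
# Actions from the page that pass authentication without a token check.
FAIL_OPEN = ("passOnNoUser", "passOnNoToken")
# The page's policy file content, reproduced as the sample input.
PAGE_POLICY = """{ 'action': { u'otppin': u'userstore',
    'passOnNoUser': True, 'passOnNoToken': True },
  'active': False, 'adminrealm': [], 'check_all_resolvers': False,
  'client': [], 'condition': 0, 'name': u'policyname2', 'priority': 17,
  'realm': ['userrealm'], 'resolver': [], 'scope': u'authentication',
  'time': u'', 'user': [] }"""


def load_policy(text):
    """Parse the file as a Python literal (assumption); no code is executed."""
    policy = ast.literal_eval(text)
    if not isinstance(policy, dict):
        raise ValueError("policy file must contain a single dictionary")
    return policy


def review_policy(policy):
    """Return findings to resolve before the file is imported."""
    findings = []
    missing = EXPECTED_KEYS - set(policy)
    unknown = set(policy) - EXPECTED_KEYS
    if missing:
        findings.append("missing keys: " + ", ".join(sorted(map(str, missing))))
    if unknown:
        findings.append("unexpected keys: " + ", ".join(sorted(map(str, unknown))))
    action = policy.get("action")
    action = action if isinstance(action, dict) else {}
    enabled = [name for name in FAIL_OPEN if action.get(name)]
    scoped = any(policy.get(k) for k in ("realm", "resolver", "user", "client"))
    if enabled and not scoped:
        findings.append("unrestricted fail-open: " + ", ".join(enabled))
    if enabled and policy.get("active"):
        findings.append("fail-open policy is active on import")
    return findings


if __name__ == "__main__":
    # Constructed variant: realm restriction dropped, policy switched on.
    risky = dict(load_policy(PAGE_POLICY), realm=[], active=True)
    for label, pol in (("page", load_policy(PAGE_POLICY)), ("risky", risky)):
        print(label, review_policy(pol) or "no findings")
```

The page's own policy produces no findings, because it is bound to “userrealm” and starts deactivated.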

As you can see, the policy subcommands of the pi-manage tool give you a lot of possibilities to set up your privacyIDEA system automatically or to reconfigure it to a previously defined state.

The pi-manage tool has many more subcommands. Check out the manpage, and stop by the community forum if you want to discuss any aspects of policies.