Unable to create new policy in admin scope

Hello Cornelius,
Could you please provide a few steps for troubleshooting “Admin actions are
defined, but this action is not allowed!” issues?
For example, when I log in to the admin scope and admin realm which I had
previously defined, I get this message when trying to add a new policy for
the webui scope: “Admin actions are defined, but this action is not allowed!”
I also have the whole set of options available in my admin realm enabled:
{ "set": true, "revoke": true, "adduser": true, "enrollSMS": true,
"policydelete": true, "policywrite": true, "enrollTIQR": true,
"configdelete": true, "machinelist": true, "enrollREMOTE": true, "setpin":
true, "resync": true, "unassign": true, "tokenrealms": true, "enrollSPASS":
true, "auditlog": true, "enrollPAPER": true, "deleteuser": true,
"enrollEMAIL": true, "resolverdelete": true, "enrollMOTP": true, "enrollPW":
true, "enrollHOTP": true, "enrollQUESTION": true, "enrollCERTIFICATE": true,
"copytokenuser": true, "configwrite": true, "enrollTOTP": true,
"enrollREGISTRATION": true, "enrollYUBICO": true, "resolverwrite": true,
"updateuser": true, "enable": true, "enrollU2F": true,
"manage_machine_tokens": true, "getrandom": true, "userlist": true,
"getserial": true, "system_documentation": true, "caconnectordelete": true,
"caconnectorwrite": true, "disable": true, "mresolverdelete": true,
"copytokenpin": true, "enrollRADIUS": true, "set_hsm_password": true,
"reset": true, "getchallenges": true, "enroll4EYES": true, "enrollYUBIKEY":
true, "fetch_authentication_items": true, "enrollDAPLUG": true,
"mresolverwrite": true, "losttoken": true, "enrollSSHKEY": true,
"importtokens": true, "assign": true, "delete": true }

But I am still getting this rejection.
I tried to watch the logs while doing this, and there is nothing in the
privacyidea.log file at the moment this message appears, even with
PI_LOGLEVEL = logging.DEBUG
in pi.cfg

Hi Sergey,

to have an almighty admin you need to leave the user realm blank.

Kind regards
Cornelius

On Monday, 08.02.2016, 04:00 -0800, Sergey Kolosovski wrote:

    you probably misconfigured something. I can not tell, since I do not see
    your policies.
    Maybe you are no admin in an admin realm?

How could that be possible?
Here is how I configured the admin realm:
In pi.cfg I specified two realm names (SUPERUSER_REALM = ['superuser', 'helpdesk']).
Then I configured these realms:

name: otp_admin
Scope: admin
Admin-Realm: superuser
actions: (all available)
User-Realm: name of the realm which covers all users of my Active
Directory, meaning that the admin should be able to control all the
users
User-Resolver, Admin, Client: not selected

name: helpdesk_admin
scope: admin
Admin-Realm: helpdesk
action:
{ "reset": true, "enable": true, "revoke": true, "losttoken": true,
"setpin": true, "enrollHOTP": true, "auditlog": true, "copytokenuser":
true, "disable": true, "resync": true, "unassign": true,
"copytokenpin": true, "tokenrealms": true, "getserial": true,
"assign": true }
User-Realm: the same as the previous one, otp_admin, has
User-Resolver, Admin, Client: not selected

To log in as admin I use my AD account name and password, specifying the
name of the admin realm (@superuser).
When logged in, in the upper right corner I see my AD login name
@superuser (admin)

    What do you need admin policies for, anyway? 

I need to have separate admin policies

  1. for OTP service administrators with unlimited permissions to
    configure the system

  2. for Help Desk crew for managing tokens for users, helping them,
    enable-disable tokens… Limited admin permissions in two words.

    To enable the logging you need to restart apache or (if using nginx) the
    uwsgi server.

Yes, the debug level is enabled with a uwsgi restart; you already helped
me with that in previous threads.
The log is full of data when I load the page, but when I click “create
policy” and the error message appears in the web UI, nothing appears in
the logs. I checked with tail -f.

Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/1afc2d47-432e-40a6-8b7f-5c5bb7d0630c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Sergey,

you probably misconfigured something. I can not tell, since I do not see
your policies.
Maybe you are no admin in an admin realm?
What do you need admin policies for, anyway?

To enable the logging you need to restart apache or (if using nginx) the
uwsgi server.

Kind regards
Cornelius

On Monday, 08.02.2016, 02:09 -0800, Sergey Kolosovski wrote:

Having an attribute not set is more common than having an attribute set.
An attribute not set means something like a wildcard *.

If you define a policy with user-realm=“somerealm”, this policy will
only allow the administrator to do something on the user realm
“somerealm”. But not on any other realm.

I.e. the administrator will not be able to create a policy. I have to
check if he would be able to create a policy in the user realm
“somerealm”, but he is absolutely not allowed to create a policy that
would contain

user-realm = “”

Please note the “Policy Template” button in the policy dialog, which
fetches templates from the online repository.

Kind regards
Cornelius

On Monday, 08.02.2016, 04:55 -0800, Sergey Kolosovski wrote:

    to have an almighty admin you need to leave the user realm blank.

It works now, thank you!
Not quite obvious, though. In an earlier thread you said “The
user-realm is the realm of users, the administrator is
allowed to manage.”, therefore I supposed that when creating a policy
I may specify a user realm of all users for the admin realm. So there’s
still a question: how does this setting (user-realm in an admin policy)
limit an admin from creating another policy? It didn’t limit me earlier
from configuring PI in the web UI.


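The matching rule Cornelius describes (a blank policy attribute is a wildcard, a set attribute must match exactly, and creating a policy carries no user realm at all) written out as a small Python model. This is an added example, not privacyIDEA's own policy code; the realm name "ad_users", the shortened action lists and the rule that no admin policies at all means no restriction are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Simplified model of admin-scope policy matching (not privacyIDEA's own code).
# A blank attribute (None) acts as a wildcard; a set attribute must match exactly.
@dataclass(frozen=True)
class AdminPolicy:
    name: str
    actions: FrozenSet[str]
    admin_realm: Optional[str] = None   # blank = any admin realm
    user_realm: Optional[str] = None    # blank = any user realm, including none

class PolicyError(Exception):
    pass

def _matches(policy_value: Optional[str], request_value: Optional[str]) -> bool:
    return policy_value is None or policy_value == request_value

def check_admin_action(policies, action, admin_realm, user_realm=None) -> bool:
    """True if some matching policy grants the action; otherwise raise the thread's error."""
    if not policies:
        return True   # modelled assumption: no admin policies at all means no restriction
    for p in policies:
        if _matches(p.admin_realm, admin_realm) and _matches(p.user_realm, user_realm):
            if action in p.actions:
                return True
    raise PolicyError("Admin actions are defined, but this action is not allowed!")

def allowed(policies, action, admin_realm, user_realm=None) -> bool:
    try:
        return check_admin_action(policies, action, admin_realm, user_realm)
    except PolicyError:
        return False

# Constructed policies mirroring the thread; "ad_users" is an assumed realm name, action lists shortened.
AD_REALM = "ad_users"
SUPER_ACTIONS = frozenset({"policywrite", "policydelete", "enrollHOTP", "assign"})
OTP_ADMIN_RESTRICTED = AdminPolicy("otp_admin", SUPER_ACTIONS, "superuser", AD_REALM)
OTP_ADMIN_BLANK = AdminPolicy("otp_admin", SUPER_ACTIONS, "superuser")  # user realm blank
HELPDESK_ADMIN = AdminPolicy("helpdesk_admin", frozenset({"enrollHOTP", "assign", "reset"}),
                             "helpdesk", AD_REALM)

if __name__ == "__main__":
    # Writing a policy carries no user realm, so the realm-restricted policy never matches.
    print(allowed([OTP_ADMIN_RESTRICTED, HELPDESK_ADMIN], "policywrite", "superuser"))   # False
    print(allowed([OTP_ADMIN_BLANK, HELPDESK_ADMIN], "policywrite", "superuser"))        # True
    # Token actions on a user in the AD realm still match the restricted policy.
    print(allowed([OTP_ADMIN_RESTRICTED], "enrollHOTP", "superuser", AD_REALM))          # True
    # Helpdesk matches on both realms, but "policywrite" is not in its action list.
    print(allowed([OTP_ADMIN_BLANK, HELPDESK_ADMIN], "policywrite", "helpdesk", AD_REALM))  # False
```

The same logic explains why the help desk policy can keep a user realm set: its actions are all per-user token operations, which always carry a user realm.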