User policies OTP

I need to create a user and assign policies which allow him to only validate tokens already created by an admin. The user is meant to check if the token is real through the ‘otp test’ button or through the ‘get serial’ functionality. Is it possible? Thanks

Why do you want the admin to create tokens?
What kind of tokens would the admin create?


privacyIDEA usually does not act as the user management system.

Yes, you can create users within privacyIDEA.
https://privacyidea.readthedocs.io/en/latest/webui/manage_users.html#manage-users
However, we recommend using external user sources.

Yes, admins can create tokens.

Yes, users can assign existing tokens. They need the user policy ‘assign’.
Read all about policies
https://privacyidea.readthedocs.io/en/latest/policies/index.html
and especially user policies
https://privacyidea.readthedocs.io/en/latest/policies/user.html

A user assigns a token via the serial number. No, at this point an OTP value is not checked.

Hi Cornelius, thanks for responding to me.
What I need is basically an admin or a help desk user to enroll TOTP tokens and another user (a police agent) to check if the token is valid through the OTP test button. Hope my explanation is clear because it’s a bit of a messy topic. Looking forward to hearing any help from you.
Regards,
Giovanni

More or less a user that can do only what is shown on the screenshot I attached below.

I am using the test instance that you sent me. I created an admin policy but I need to revert the changes, is that possible?

You cannot have administrators with different rights on the test instance.

You should install your own setup.

What type of helpdesk user or policy user would verify if the token was valid?
And why?
If the token is created with a QR code it will be valid. I do not see the need to test it. Can you help me to understand this?

For instance, if a user has been enrolled in a token and wants to have permission to go in an alarmed room (the workplace is a central bank), he is meant to call an agent (police) and prove to be the token owner to get the permission. He should tell the agent the token serial number and his 6 digits, then the agent has to verify that the token serial number and the TOTP match and that it has been assigned to that user (caller) to prove his identity (only a few people can go in these rooms). So 3 different admins: the administrator, an employee who enrolls and assigns the tokens, and an officer who always verifies the token’s value. Hopefully, that’s clear.
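The check the officer performs in the workflow above (serial exists, is assigned to the caller, and the 6-digit TOTP value matches within a small time window), as an added stand-alone example; this is not privacyIDEA code, and the token store, serial ‘TOTP0001’ and owner name are constructed placeholders. The secret is the RFC 6238 reference test secret so the values can be checked against the RFC's own tables.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed stand-in for the token database: serial -> shared secret and owner.
# Secret is the RFC 6238 Appendix B test vector (ASCII "12345678901234567890").
TOKENS = {
    "TOTP0001": {"secret": b"12345678901234567890", "owner": "giovanni"},
}
STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


def verify_caller(serial: str, claimed_owner: str, otp: str,
                  now: Optional[int] = None, window: int = 1) -> bool:
    """Return True only if the serial is known, assigned to the caller, and the
    6-digit value matches the current step or one step either side (clock drift)."""
    tok = TOKENS.get(serial)
    if tok is None or tok["owner"] != claimed_owner:
        return False
    now = int(time.time()) if now is None else now
    counter = now // STEP
    for c in range(counter - window, counter + window + 1):
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(hotp(tok["secret"], c), otp):
            return True
    return False
```

A production verifier would additionally reject a value that was already accepted for the same step, to stop a replayed code being used twice.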

I will try to fix this, thanks for your support… Last question: how can I create more admin-realms to assign different policies to more admins?