User policies OTP

I need to create an user and assign policies which allow him to only validate tokens already created by an admin. The user is meant to check if the token is real through ‘otp test’ button or through the ‘get serial’ functionality. Is it possible? Thanks

Why do you want the admin to create tokens?
What kind of tokens would the admin create?

privacyIDEA usually does not act as the user management system.

Yes, you can create users within privacyIDEA.
However, we recommend to use external user sources.

Yes, admins can create tokens.

Yes, users can assign existing tokens. They need the user policy assign.
Read all about policies
and especially user policies

A user assigns a token via the serial number. No, at this point an OTP value is not checked.

Hi Cornelius, thanks for respond me.
What i need it’s basically an admin or an help desk user to enroll totp tokens and another user (a police agent) to check if the tokens is valid throught the otp test button. Hope my explanation is clear cause it’s a bit of messy topic. Looking forward to hear any help from you.

More or less an user that can do only what it’s showed on the screeshot i attach
ed below.

I am using the test instance that you sent me, i create an admin policy but i need to revert the changes, is that possible?

You can not have administrators with different rights on the test instance.

You should install your own setup.

What type of helpdesk user or policy user would verify, if the token was valid?
And why?
If the token is created with a QR code it will be valid. I do not see the need to test it. Can you help me to understand this?

For instance, if a user has been enrolled in a token and wants to have permission to go in an alarmed room(the workplace is a central bank), he is meant to call an agent(police) and prove to be the token owner to get the permission. He should tell the agent the token serial number and his 6 digits, then the agent has to verify that the token serial number and the TOPT match and that it has been assigned to that user(caller) to prove his identity (only a few people can go in these rooms). So 3 different admins: the administrator, an employee who enrolls and assigns the tokens, and an officer who always verifies the token’s value. Hopefully, that’s clear.

I will try to fix this, thanks for your support…last question is how can I create more admin-realms to assign different policies to more admins?