Hello Cornelius,
The policies are as in my first post:
Name = superuser
scope = admin
action = set, revoke, adduser,
enrollSMS, policydelete, policywrite, enrollTIQR, configdelete,
machinelist, enrollREMOTE, setpin, resync, unassign, tokenrealms,
enrollSPASS, auditlog, enrollPAPER, deleteuser, enrollEMAIL,
resolverdelete, enrollMOTP, enrollPW, enrollHOTP, enrollQUESTION,
enrollCERTIFICATE, copytokenuser, configwrite, enrollTOTP,
enrollREGISTRATION, enrollYUBICO, resolverwrite, updateuser, enable,
enrollU2F, manage_machine_tokens, getrandom, userlist, getserial,
radiusserver_write, system_documentation, caconnectordelete,
caconnectorwrite, disable, mresolverdelete, copytokenpin, enrollRADIUS,
smtpserver_write, set_hsm_password, reset, getchallenges, enroll4EYES,
enrollYUBIKEY, fetch_authentication_items, enrollDAPLUG, mresolverwrite,
losttoken, enrollSSHKEY, importtokens, assign, delete
realm = a, b
resolver = a-mysql, b-mysql
user = admin

Name = admin_b
scope = admin
action = set, revoke, adduser, resync, unassign, tokenrealms, deleteuser,
enrollTOTP, enrollREGISTRATION, updateuser, enable, userlist, getserial,
disable, reset, getchallenges, losttoken, assign, delete
realm = b
resolver = b-mysql
user = admin_b

Administrator "admin" can't edit/add/change anything.
For example, I can't add a new "generic" policy or edit the first policy.
Thanks again
---
Sim