Unable to create new policy in admin scope


Sergey Kolosovski

Feb 8, 2016, 5:09:51 AM
to privacyidea
Hello Cornelius,
Could you please provide a few steps for troubleshooting "Admin actions are defined, but this action is not allowed!" issues?
For example, when I log in to the admin scope and admin realm that I had previously defined, I get this message when trying to add a new policy for the webui scope: "Admin actions are defined, but this action is not allowed!"
I also have the whole set of options enabled in my admin realm:
{ "set": true, "revoke": true, "adduser": true, "enrollSMS": true, "policydelete": true, "policywrite": true, "enrollTIQR": true, "configdelete": true, "machinelist": true, "enrollREMOTE": true, "setpin": true, "resync": true, "unassign": true, "tokenrealms": true, "enrollSPASS": true, "auditlog": true, "enrollPAPER": true, "deleteuser": true, "enrollEMAIL": true, "resolverdelete": true, "enrollMOTP": true, "enrollPW": true, "enrollHOTP": true, "enrollQUESTION": true, "enrollCERTIFICATE": true, "copytokenuser": true, "configwrite": true, "enrollTOTP": true, "enrollREGISTRATION": true, "enrollYUBICO": true, "resolverwrite": true, "updateuser": true, "enable": true, "enrollU2F": true, "manage_machine_tokens": true, "getrandom": true, "userlist": true, "getserial": true, "system_documentation": true, "caconnectordelete": true, "caconnectorwrite": true, "disable": true, "mresolverdelete": true, "copytokenpin": true, "enrollRADIUS": true, "set_hsm_password": true, "reset": true, "getchallenges": true, "enroll4EYES": true, "enrollYUBIKEY": true, "fetch_authentication_items": true, "enrollDAPLUG": true, "mresolverwrite": true, "losttoken": true, "enrollSSHKEY": true, "importtokens": true, "assign": true, "delete": true }

But I am still getting this rejection.
I tried watching the logs while doing this, and there is nothing in the privacyidea.log file at the moment this message appears, even with
PI_LOGLEVEL = logging.DEBUG
in pi.cfg

Cornelius Kölbel

Feb 8, 2016, 5:36:50 AM
to priva...@googlegroups.com
Hi Sergey,

you probably misconfigured something. I cannot tell, since I do not see
your policies.
Maybe you are not an admin in an admin realm?
What do you need admin policies for, anyway?

To enable the logging you need to restart apache or (if using nginx) the
uwsgi server.

Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/21a973bc-bd05-4ee4-8829-a9039656ea60%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Sergey Kolosovski

Feb 8, 2016, 7:00:13 AM
to privacyidea
> you probably misconfigured something. I cannot tell, since I do not see
> your policies.
> Maybe you are not an admin in an admin realm?
How could that be possible?
Here is how I configured the admin realm:
In pi.cfg (SUPERUSER_REALM = ['superuser', 'helpdesk']) I specified two realm names.
Then I configured these realms:

name: otp_admin
Scope: admin
Admin-Realm: superuser
actions: (all available)
User-Realm: the name of the realm that covers all users of my Active Directory. This means the admin should be able to control all the users.
User-Resolver, Admin, Client: not selected


name: helpdesk_admin
scope: admin
Admin-Realm: helpdesk
action:
{ "reset": true, "enable": true, "revoke": true, "losttoken": true, "setpin": true, "enrollHOTP": true, "auditlog": true, "copytokenuser": true, "disable": true, "resync": true, "unassign": true, "copytokenpin": true, "tokenrealms": true, "getserial": true, "assign": true }
User-Realm: the same one as the previous policy, otp_admin, has
User-Resolver, Admin, Client: not selected


To log in as admin I use my AD account name and password, specifying the name of the admin realm (@superuser).
When logged in, in the upper right corner I see my AD login name @superuser (admin).

> What do you need admin policies for, anyway?

I need to have separate admin policies
1) for OTP service administrators with unlimited permissions to configure the system
2) for the Help Desk crew for managing tokens for users, helping them, enabling/disabling tokens... Limited admin permissions, in two words.

> To enable the logging you need to restart apache or (if using nginx) the
> uwsgi server.
Yes, the debug level is enabled with a uwsgi restart; you already helped me with that in previous threads.
It is full of data when I load the page, but when I click "create policy" and the error message appears in the web UI, nothing appears in the logs. I checked with tail -f.

Cornelius Kölbel

Feb 8, 2016, 7:14:27 AM
to priva...@googlegroups.com
Hi Sergey,

to have an almighty admin you need to leave the user realm blank.

Kind regards
Cornelius

Sergey Kolosovski

Feb 8, 2016, 7:55:29 AM
to privacyidea

> to have an almighty admin you need to leave the user realm blank.

It works now, thank you!
Not quite obvious, though. In an earlier thread you said "The user-realm is the realm of users, the administrator is
allowed to manage.", therefore I supposed that when creating a policy I may specify a user realm of all users for the admin-realm. So there is still a question: how does this setting (user-realm in an admin policy) limit an admin from creating another policy? It did not limit me earlier from configuring PI in the web UI.

Cornelius Kölbel

Feb 8, 2016, 8:15:25 AM
to priva...@googlegroups.com
Having an attribute not set is more common than having an attribute set.
An attribute not set means something like a wildcard *.

If you define a policy with user-realm="somerealm", this policy will
only allow the administrator to do something on the user realm
"somerealm". But not on any other realm.

I.e. the administrator will not be able to create a policy. I have to
check if he would be able to create a policy in the user realm
"somerealm", but he is absolutely not allowed to create a policy that
would contain

user-realm = ""

Please note the "Policy Template" Button in the policy dialog, which
fetches templates from the online repository:
https://github.com/privacyidea/policy-templates

Kind regards
Cornelius
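The wildcard semantics described in the last reply, as an added example modelled in Python. This is not privacyIDEA's own policy code: the policy and realm names are constructed, and the assumption that every admin action is allowed when no admin policy exists at all is a simplification.

```python
# Added example, not privacyIDEA's own code: a minimal model of how admin
# policies are matched, showing the rule from the thread that an unset
# attribute (here user-realm) behaves like a wildcard "*", while a set
# attribute restricts the policy to exactly that value.
from dataclasses import dataclass


@dataclass
class AdminPolicy:
    name: str
    admin_realm: str
    actions: set
    user_realm: str = ""  # "" means "not set", i.e. wildcard


def policy_matches(policy, admin_realm, action, target_realm):
    """True if `policy` grants `action` to an admin of `admin_realm` acting
    on `target_realm`. An empty user_realm matches every target realm,
    including "" (no user realm at all, as when writing a policy)."""
    if policy.admin_realm != admin_realm:
        return False
    if action not in policy.actions:
        return False
    return policy.user_realm == "" or policy.user_realm == target_realm


def action_allowed(policies, admin_realm, action, target_realm=""):
    """Model of the check behind "Admin actions are defined, but this
    action is not allowed!": once any admin policy exists, at least one
    must match. Assumption: with no admin policies defined at all, every
    admin action is allowed."""
    if not policies:
        return True
    return any(policy_matches(p, admin_realm, action, target_realm)
               for p in policies)


# Constructed sample policies following the thread (names are illustrative).
ACTIONS = {"policywrite", "policydelete", "enrollHOTP", "assign"}
# First attempt from the thread: user-realm bound to the AD realm.
RESTRICTED = [AdminPolicy("otp_admin", "superuser", ACTIONS, user_realm="ad_users")]
# The fix: user-realm left blank.
ALMIGHTY = [AdminPolicy("otp_admin", "superuser", ACTIONS)]

if __name__ == "__main__":
    # Token work on the AD realm is fine either way ...
    print(action_allowed(RESTRICTED, "superuser", "enrollHOTP", "ad_users"))  # True
    # ... but writing a policy has no user realm, so only the blank policy allows it.
    print(action_allowed(RESTRICTED, "superuser", "policywrite"))  # False
    print(action_allowed(ALMIGHTY, "superuser", "policywrite"))  # True
```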