System policies

1.6.12. System policies#

Using policies in the scope “system”, it is possible to define which administrator is allowed to read and set system configurations. This applies to configuration of UserIdResolvers, Realms, policies etc.

If no policy with scope “system” is defined, all administrators (normally defined in the Apache configuration file) have full access to the system configuration. Once the first “system” policy is set this behavior changes: Only administrators with a permissive “system” policy can interact with something other than the token management.

This means that at least one system administrator needs “write” permission in order to be able to modify policies. In order to avoid locking the system administrator out, the system will refuse to allow the creation of a restrictive policy if there are no existing policies which allow write access. In this situation a warning will be displayed:


../../_images/lockout_policy_denied.png

Caution

In LinOTP versions prior to 2.8, it was possible to lock a system administrator out of the system by defining a system policy without write permissions.

To avoid a lock out please add as first step a policy with scope “system” and action “read,write” for your own token management username and configure the desired “system” policies for other token administrators afterwards.

An administrator only entrusted with the token management does not need read or write access to the system configuration. If you want to grant him read access (e.g. for better understanding of the system) you can configure the following policy:

  • scope = system

  • action = read

  • user = <comma separated list of administrator names>

The following policy grants write access to the system configuration:

  • scope = system

  • action = write

  • user = <comma separated list of administrator names>

Note

Please be aware: the action “write” does not include “read” permission.

System policies do not refer to any realm.

Note

If a realm admin has no read access to the scope system, he can only retrieve the system configurations that are vital for his administrative tasks. E.g. when he tries to retrieve the list of the Realms, he will only see the realms he as certain rights in. This way you can avoid that a realm admin can see what other realms exist.