7.2. Admin Policies
If you want to define policies for administrators managing tokens, you need to enter “admin” at the scope field.
Note
As long as there is no policy in the scope “admin” defined, all admins will have access to all functionality. This is the old behavior of LinOTP version 2.2. As soon as the first admin policy is defined, admin policies are checked for each and every administrator.
You may enter several comma separated administrator names into the user field.
You may enter several comma separated actions into the action field. Entering an asterisk '*' here allows the administrators to perform all actions.
You may enter several comma separated realm names into the realm field. Entering an asterisk '*' here allows the administrators to perform these actions in all realms.
Valid actions are:
- initSPASS: The administrator is allowed to enroll Simple Pass tokens.
- initHMAC: The administrator is allowed to enroll HMAC tokens.
- initETNG: The administrator is allowed to enroll an eToken NG-OTP. As the eToken NG-OTP is also an HMAC token, the administrator will also need to have the action initHMAC.
- initSMS: The administrator is allowed to enroll SMS tokens.
- initMOTP: The administrator is allowed to enroll mOTP tokens.
- initREMOTE: The administrator is allowed to enroll remote tokens.
- initRADIUS: The administrator is allowed to enroll RADIUS tokens.
- enable: The administrator is allowed to enable tokens.
- disable: The administrator is allowed to disable tokens.
- set: The administrator is allowed to set token properties like MaxFailCount and SynWindowSize.
- setOTPPIN: The administrator is allowed to set the OTP PIN of tokens.
- setMOTPPIN: The administrator is allowed to set the mOTP PIN of mOTP tokens.
- setSCPIN: The administrator is allowed to set smartcard PINs (SO and User) in the database.
- resync: The administrator is allowed to resynchronize HMAC tokens.
- reset: The administrator is allowed to reset the fail counter of tokens.
- assign: The administrator is allowed to assign tokens to users.
- unassign: The administrator is allowed to remove the assignment of tokens from users.
- import: The administrator is allowed to import token description XML files.
- remove: The administrator is allowed to delete tokens from the database. These tokens are completely removed from the system.
- userlist: The administrator is allowed to view the users in this realm.
- manageToken: This action allows the administrator to add tokens to and remove tokens from a realm. To be able to move tokens from a Realm A to a Realm B, the administrator needs the action manageToken both in Realm A and in Realm B.
- getserial: This action allows the administrator to use the getSerialByOtp tool.
- copytokenpin: This action allows the administrator to use the copyTokenPin tool. This is used to copy the OTP PIN of one token to another token without the administrator knowing the PIN.
- copytokenuser: This action allows the administrator to use the copyTokenUser tool. This is used to copy the user of one token to another token.
- losttoken: This action allows the administrator to use the lost token function.
- getotp: This action allows the administrator to run the get OTP workflow for tokens in the specified realm.