.. _policy_checker:

Policy checker
~~~~~~~~~~~~~~

.. index:: policy checker

When configuring complicated policies, you may wonder if you configured the policies correctly and if the user
``maria`` in realm ``realm1`` is able to enroll a Google Authenticator in the Selfservice Portal.

For this you can use the policy checker in the Web UI that can be accessed via `Tools` -> `Check policy`.
(see :ref:`figure_policy_checker`).

.. _figure_policy_checker:

.. figure:: images/webui_popup_check_policy.png
   :width: 70%

   **The policy checker dialog**

The policy checker simulates the action with the user, that you enter in the dialog. 

Then the system tells you, which policy will be applied. Therefore you always need to enter the username, the realm and
an action, that you want to check.

.. note:: You can also check enrollment or authentication policies like ``maxtoken`` or ``otppin`` to determine,
          how many tokens a certain user is allowed to own of if a certain user needs to authenticate with his OTP PIN
          or his directory password.