6.1. Admin Policies¶
If you want to define policies for administrators managing tokens, you need to enter “admin” at the scope field.
Note
As long as there is no policy in the scope “admin” defined, all admins will have access to all functionality. This is the old behavior of LinOTP version 2.2. As soon as the first admin policy is defined, admin policies are checked for each and every administrator.
You may enter several comma separated administrator names into the user field.
You may enter several comma separated actions into the action field. Entering an asterisk ‘*’ here, will allow the administrators to perform all actions.
You may enter several comma separated realm names into the realm field. Entering an asterisk ‘*’ here, will allow the administrators to perform these actions in all realms.
Valid actions are:
initSPASS
The administrator is allowed to enroll Simple Pass tokens.
initHMAC
The administrator is allowed to enroll HMAC tokens.
initETNG
The administrator is allowed to enroll an eToken NG-OTP. As the eToken NG-OTP is also an HMAC token, the administrator will also need to have the action initHMAC.
initSMS
The administrator is allowed to enroll SMS tokens.
initMOTP
The administrator is allowed to enroll mOTP tokens.
initREMOTE
The administrator is allowed to enroll remote tokens.
initRADIUS
The administrator is allowed to enroll RADIUS tokens.
enable
The administrator is allowed to enable tokens.
disable
The administrator is allowed to disable tokens.
set
The administrator is allowed to set token properties like MaxFailCount, SynWindowSize.
setOTPPIN
The administrator is allowed to set the OTP PIN of tokens.
setMOTPPIN
The administrator is allowed to set the mOTP PIN of mOTP tokens.
setSCPIN
The administrator is allowed to set smartcard PINs (SO and User) in the database.
resync
The administrator is allowed to resynchronize HMAC tokens.
reset
The administrator is allowed to reset the fail counter of tokens.
assign
The administrator is allowed to assign tokens to users.
unassign
The administrator is allowed to remove the assignment from tokens to users.
import
The administrator is allowed to import token description XML files.
remove
The administrator is allowed to delete tokens from the database. These tokens are completely removed from the system.
userlist
The administrator is allowed to view the users in this realm.
manageToken
This action allows to add and remove tokens from a realm. To be able to move tokens from a Realm A to a Realm B, the administrator needs the action manageToken both in Realm A and in Realm B.
getserial
This action allows the administrator to use the getSerialByOtp tool.
copytokenpin
This action allows the administrator to use the copyTokenPin tool. This is used to copy the OTP PIN of one token to another token without the administrator knowing the PIN.
copytokenuser
This action allows the administrator to use the copyTokenUser tool. This is used to copy the User of one token to another token.
losttoken
This action allows the administrator to use to lost token function.
getotp
This action allows the administrator to run the get OTP workflow for tokens in the specified realm. Please be aware: you have to enter at least one valid administrator name in the field
user
- a*
will not work and you must set a realm (*
will work here).