6.1. Admin Policies

If you want to define policies for administrators managing tokens, you need to enter “admin” at the scope field.

Note

As long as there is no policy in the scope “admin” defined, all admins will have access to all functionality. This is the old behavior of LinOTP version 2.2. As soon as the first admin policy is defined, admin policies are checked for each and every administrator.

You may enter several comma separated administrator names into the user field.

You may enter several comma separated actions into the action field. Entering an asterisk ‘*’ here, will allow the administrators to perform all actions.

You may enter several comma separated realm names into the realm field. Entering an asterisk ‘*’ here, will allow the administrators to perform these actions in all realms.

Valid actions are:

initSPASS

The administrator is allowed to enroll Simple Pass tokens.

initHMAC

The administrator is allowed to enroll HMAC tokens.

initETNG

The administrator is allowed to enroll an eToken NG-OTP. As the eToken NG-OTP is also an HMAC token, the administrator will also need to have the action initHMAC.

initSMS

The administrator is allowed to enroll SMS tokens.

initMOTP

The administrator is allowed to enroll mOTP tokens.

initREMOTE

The administrator is allowed to enroll remote tokens.

initRADIUS

The administrator is allowed to enroll RADIUS tokens.

enable

The administrator is allowed to enable tokens.

disable

The administrator is allowed to disable tokens.

set

The administrator is allowed to set token properties like MaxFailCount, SynWindowSize.

setOTPPIN

The administrator is allowed to set the OTP PIN of tokens.

setMOTPPIN

The administrator is allowed to set the mOTP PIN of mOTP tokens.

setSCPIN

The administrator is allowed to set smartcard PINs (SO and User) in the database.

resync

The administrator is allowed to resynchronize HMAC tokens.

reset

The administrator is allowed to reset the fail counter of tokens.

assign

The administrator is allowed to assign tokens to users.

unassign

The administrator is allowed to remove the assignment from tokens to users.

import

The administrator is allowed to import token description XML files.

remove

The administrator is allowed to delete tokens from the database. These tokens are completely removed from the system.

userlist

The administrator is allowed to view the users in this realm.

manageToken

This action allows to add and remove tokens from a realm. To be able to move tokens from a Realm A to a Realm B, the administrator needs the action manageToken both in Realm A and in Realm B.

getserial

This action allows the administrator to use the getSerialByOtp tool.

copytokenpin

This action allows the administrator to use the copyTokenPin tool. This is used to copy the OTP PIN of one token to another token without the administrator knowing the PIN.

copytokenuser

This action allows the administrator to use the copyTokenUser tool. This is used to copy the User of one token to another token.

losttoken

This action allows the administrator to use to lost token function.

getotp

This action allows the administrator to run the get OTP workflow for tokens in the specified realm. Please be aware: you have to enter at least one valid administrator name in the field user - a * will not work and you must set a realm (* will work here).