1.6.2. Admin Policies

To define policies for administrators managing tokens, enter “admin” in the scope field.

Note

As long as no policy in the scope “admin” is defined, all admins have access to all functionality. This is the old behavior of LinOTP version 2.2. As soon as the first admin policy is defined, admin policies are checked for each and every administrator. The first admin policy therefore restricts every administrator it does not name, including the account that created it, so grant your own administrator account its permissions in the first policy you define.

Note

The ‘show’ permission is an implicit permission. As soon as any admin policy that matches an administrator is defined, that administrator is able to query all tokens of the realms in scope of this policy.

You may enter several comma-separated administrator names into the user field.

You may enter several comma-separated actions into the action field. Entering an asterisk ‘*’ here allows the administrators to perform all actions.

You may enter several comma-separated realm names into the realm field. Entering an asterisk ‘*’ here allows the administrators to perform these actions in all realms.

Valid actions are:

init<TOKENTYPE>

The administrator is allowed to enroll tokens of that type. Replace <TOKENTYPE> with the token type the administrator should be allowed to enroll. List one init<TOKENTYPE> action for each type you want to enable. Examples: initSMS or initTOTP.

enable

The administrator is allowed to enable tokens.

disable

The administrator is allowed to disable tokens.

set

The administrator is allowed to set token properties such as MaxFailCount or SyncWindow.

setOTPPIN

The administrator is allowed to set the OTP PIN of tokens.

setMOTPPIN

The administrator is allowed to set the mOTP PIN of mOTP tokens.

setSCPIN

The administrator is allowed to set smartcard PINs (SO and User) in the database.

resync

The administrator is allowed to resynchronize HMAC tokens.

reset

The administrator is allowed to reset the fail counter of tokens.

assign

The administrator is allowed to assign tokens to users.

unassign

The administrator is allowed to remove the assignment from tokens to users.

import

The administrator is allowed to import token description XML files.

remove

The administrator is allowed to delete tokens from the database. These tokens are completely removed from the system.

userlist

The administrator is allowed to view the users in this realm.

tokenowner

This action allows the administrator to use the API /admin/getTokenOwner, which the losttoken workflow in the /manage user interface relies on.

checkstatus

The administrator is allowed to use the API /admin/checkstatus to show the status of one or more challenges.

manageToken

This action allows the administrator to add tokens to a realm and remove them from it. To move a token from Realm A to Realm B, the administrator needs the action manageToken in both Realm A and Realm B.

getserial

This action allows the administrator to use the getSerialByOtp tool.

copytokenpin

This action allows the administrator to use the copyTokenPin tool. This is used to copy the OTP PIN of one token to another token without the administrator knowing the PIN.

copytokenuser

This action allows the administrator to use the copyTokenUser tool. This is used to copy the User of one token to another token.

losttoken

This action allows the administrator to use the lost token function.

totp_lookup

The administrator is allowed to use the API /admin/totp_lookup to get information about a past OTP value of a TOTP token, including when and for how long the given OTP was valid.

getotp

This action allows the administrator to run the get OTP workflow for tokens in the specified realm. Please be aware that you have to enter at least one valid administrator name in the user field (a ‘*’ will not work here) and you must set a realm (a ‘*’ does work for the realm).

show

This action is implicitly granted if any admin policy matches this administrator. It can be listed as the only action to grant an administrator “read-only” access to some realms or to all of them.

unpair

The administrator is allowed to use the API /admin/unpair to unpair tokens that support this feature (such as QR tokens).
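The following is an added example, not LinOTP's own policy engine: a small Python model of the matching rules described in this section (the user, action and realm fields with comma-separated values and the ‘*’ wildcard, the implicit show permission, manageToken being required in both realms for a move, and getotp not being granted through a ‘*’ user). It lets you sanity-check a set of admin policies before loading them. The policy names, administrator names and realms are constructed samples; the setpolicy_params helper assumes the name, scope, action, realm and user parameters of /system/setPolicy.

```python
"""Model of LinOTP admin-policy matching as described in this section.

Illustrative code, not LinOTP's implementation. It reproduces the stated rules:
no admin policy -> everything allowed; otherwise the user, realm and action
fields must match ('*' is a wildcard); 'show' is implicit for any matching
policy; moving a token needs manageToken in both realms; getotp is not granted
by a policy whose user field is '*'.
"""


def _split(field):
    """Split a comma-separated policy field into a set of stripped tokens."""
    return {t.strip() for t in field.split(",") if t.strip()}


def _matches(field, value):
    """True if a user/realm/action field names `value` or is the '*' wildcard."""
    tokens = _split(field)
    return "*" in tokens or value in tokens


def admin_policies(policies):
    """Only policies in scope 'admin' are consulted for administrator rights."""
    return [p for p in policies if p.get("scope") == "admin"]


def policies_for(policies, admin, realm=None):
    """Admin-scope policies naming this admin (and this realm, if given)."""
    return [p for p in admin_policies(policies)
            if _matches(p["user"], admin)
            and (realm is None or _matches(p["realm"], realm))]


def is_allowed(policies, admin, action, realm):
    """Decide whether `admin` may run `action` on tokens in `realm`."""
    if not admin_policies(policies):
        return True  # old LinOTP 2.2 behaviour: no admin policy, no restriction
    matching = policies_for(policies, admin, realm)
    if not matching:
        return False
    if action == "show":
        return True  # implicit: any matching admin policy grants show
    for p in matching:
        if _matches(p["action"], action):
            if action == "getotp" and "*" in _split(p["user"]):
                continue  # getotp needs an explicit admin name; '*' will not work
            return True
    return False


def can_move_token(policies, admin, src_realm, dst_realm):
    """A move from src_realm to dst_realm needs manageToken in both realms."""
    return (is_allowed(policies, admin, "manageToken", src_realm)
            and is_allowed(policies, admin, "manageToken", dst_realm))


def setpolicy_params(policy):
    """Request parameters as they would be sent to /system/setPolicy (assumed names)."""
    return {k: policy[k] for k in ("name", "scope", "action", "realm", "user")}


# Constructed sample policy set, in the field layout of the policy form.
SAMPLE_POLICIES = [
    {"name": "helpdesk", "scope": "admin", "user": "alice, bob",
     "action": "initTOTP, initSMS, enable, disable, reset, resync, assign, unassign",
     "realm": "staff"},
    {"name": "auditor", "scope": "admin", "user": "carol",
     "action": "show", "realm": "*"},
    {"name": "mover", "scope": "admin", "user": "alice",
     "action": "manageToken", "realm": "staff, contractors"},
    # Deliberately misconfigured: getotp with user '*' grants nothing but show.
    {"name": "otp", "scope": "admin", "user": "*",
     "action": "getotp", "realm": "*"},
]


if __name__ == "__main__":
    for admin, action, realm in [("alice", "initTOTP", "staff"),
                                 ("alice", "remove", "staff"),
                                 ("carol", "show", "staff"),
                                 ("mallory", "getotp", "staff")]:
        print(admin, action, realm, "->", is_allowed(SAMPLE_POLICIES, admin, action, realm))
    print("alice can move staff->contractors:",
          can_move_token(SAMPLE_POLICIES, "alice", "staff", "contractors"))
    print(setpolicy_params(SAMPLE_POLICIES[1]))
```

Note what the wildcard policy named otp does in this model: it grants getotp to nobody, but because it matches every administrator in every realm it hands every administrator the implicit show permission. A ‘*’ in the user field of an admin policy should therefore be reviewed as carefully as a ‘*’ in the action field.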