From ee149401ad8691da4cdbf73931ee3f6a37dc265d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cornelius=20K=C3=B6lbel?= Date: Thu, 22 Nov 2018 08:02:51 +0100 Subject: [PATCH 1/3] Fix broken reference --- doc/firststeps/login.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/firststeps/login.rst b/doc/firststeps/login.rst index d091a8fac1..58fadc27f2 100644 --- a/doc/firststeps/login.rst +++ b/doc/firststeps/login.rst @@ -29,8 +29,8 @@ The administrator just logs in with his username. .. note:: You can configure privacyIDEA to authenticate administrators against privacyIDEA itself, so that administrators - need to login with a second factor. See SUPERUSER_REALM in - :ref:`inifile_superusers` how to do this. + need to login with a second factor. See + :ref:`faq_admins` how to do this. Login for normal users From 320a0ecebf7e82d96ff98c4e205d78969dece83c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cornelius=20K=C3=B6lbel?= Date: Thu, 22 Nov 2018 08:05:40 +0100 Subject: [PATCH 2/3] Remove remnant policies scopes "ocra" and "system". --- doc/policies/ocra.rst | 43 -------------------------------- doc/policies/system.rst | 52 --------------------------------------- privacyidea/lib/policy.py | 3 +-- 3 files changed, 1 insertion(+), 97 deletions(-) delete mode 100644 doc/policies/ocra.rst delete mode 100644 doc/policies/system.rst diff --git a/doc/policies/ocra.rst b/doc/policies/ocra.rst deleted file mode 100644 index 2016d1b406..0000000000 --- a/doc/policies/ocra.rst +++ /dev/null 
@@ -1,43 +0,0 @@ -.. _ocra_policies: - -OCRA policies -------------- - -.. index:: OCRA policies - -The scope *ocra* defines who is allowed to access the OCRA -methods. It controlls the access to the :ref:`ocra_controller`. - -The following actions are available in the scope -*ocra*: - -request -~~~~~~~ - -type: bool - -The administrator is allowed to issue OCRA requests *ocra/request*. - - -status -~~~~~~ - -type: bool - -The administratpr is allowed to check the transaction status. - -activationcode -~~~~~~~~~~~~~~ - -type: bool - -The administrator is allowed to create an activation code via -*ocra/getActivationCode*. - -calcOTP -~~~~~~~ - -type: bool - -The administrator is allowed to calculate OTP values via -*ocra/calculateOTP*. diff --git a/doc/policies/system.rst b/doc/policies/system.rst deleted file mode 100644 index 690b898a64..0000000000 --- a/doc/policies/system.rst +++ /dev/null 
@@ -1,52 +0,0 @@ -.. _system_policies: - -System policies ---------------- - -.. index:: system policies - -System policies are used to regulate the configuration of the system. -This is defining useridresolvers and realms, setting token defaults -and defining system configuration. - -If no system policy is defined, each administrator is allowed -to do everything in the scope system. - -Technically system policies controll if the administrator is able -to write to the database table *Config* or if the administrator -can use of the :ref:`system_controller`. -System policies are checked using the method ``getAuthorization`` -of the :ref:`code_policy_class`. - -The ``user`` in the system policies refers to the administrator. - -.. note:: System policies do not make use of realms! - -.. warning:: Creating policies is an act of writing the - system configuration. So if you define admin policies - and do not define system policies, every administrator - can still change the policies! The recommended way is - to create your admin policies and then create the - system policies. - - -The following actions are available in the scope -*system*: - -read -~~~~ - -type: bool - -The administrator is allowed to read the system configuration. -A token administrator might not be allowed to read system -configuration to avoid letting him know which realms and -userresolvers exist. - -write -~~~~~ - -type: bool - -The administrator is allowed to write system configuration. - diff --git a/privacyidea/lib/policy.py b/privacyidea/lib/policy.py index 234af0d80e..2df3c9020b 100644 --- a/privacyidea/lib/policy.py +++ b/privacyidea/lib/policy.py 
@@ -869,8 +869,7 @@ def set_policy(name=None, scope=None, action=None, realm=None, resolver=None, If the policy with this name already exists, it updates the policy. It expects a dict of with the following keys: :param name: The name of the policy - :param scope: The scope of the policy. Something like "admin", "system", - "authentication" + :param scope: The scope of the policy. Something like "admin" or "authentication" :param action: A scope specific action or a comma separated list of actions :type active: basestring :param realm: A realm, for which this policy is valid From bf81556288473e05a205e044e09a86826f01bfc6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cornelius=20K=C3=B6lbel?= Date: Thu, 22 Nov 2018 08:08:21 +0100 Subject: [PATCH 3/3] Fix broken passthru reference --- doc/policies/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/policies/index.rst b/doc/policies/index.rst index 4729f92373..192adc08bb 100644 --- a/doc/policies/index.rst +++ b/doc/policies/index.rst @@ -141,7 +141,7 @@ Each policy can contain the following attributes: The priority field of policies contains a positive number and defaults to 1. In case of policy conflicts, policies with a lower priority number take precedence. - It can be used to resolve policy conflicts. An example is the :ref:`passthru-policy`: + It can be used to resolve policy conflicts. An example is the :ref:`passthru_policy`: Assume there are two passthru policies ``pol1`` and ``pol2`` that define different action values, e.g. ``pol1`` defines ``passthru=userstore`` and ``pol2`` defines ``passthru=radius1``.
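Review bot: In PATCH 1/3 (doc/firststeps/login.rst, hunk @@ -29,8 +29,8 @@), the rewritten note no longer names the setting: "See SUPERUSER_REALM in" becomes a bare "See :ref:`faq_admins`", so a reader looking for how to put administrators behind a second factor loses the keyword to search for. If the faq_admins section covers that setting, keep the name in the sentence, for example "See :ref:`faq_admins` for how to do this with SUPERUSER_REALM". The definition of the faq_admins label is not part of this series, so please confirm it resolves. While the line is being touched, "need to login" should read "need to log in".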
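Review bot: In PATCH 2/3, deleting doc/policies/ocra.rst removes the label ocra_policies, yet the diffstat lists only ocra.rst, system.rst and policy.py, so any toctree entry or :ref: elsewhere in doc/ that still points at this page becomes a new broken reference of the kind the other two patches in this series repair. Please grep doc/ for ocra_policies and for a toctree line naming ocra, and remove those in the same commit.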
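Review bot: In PATCH 2/3, deleting doc/policies/system.rst drops a security-relevant warning without a replacement: "if you define admin policies and do not define system policies, every administrator can still change the policies". The commit message calls the scope a remnant, but nothing in the patch tells an operator what now restricts who may write policies and system configuration. Please add a sentence to the remaining policy documentation, or at least to the commit message, naming the scope and actions that control this now, and check doc/ for remaining references to system_policies.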
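Review bot: In PATCH 2/3 (privacyidea/lib/policy.py, hunk @@ -869,8 +869,7 @@), only the docstring changes; nothing visible in the hunk makes set_policy reject or migrate scope="system" or scope="ocra", so policies already stored with those scopes and callers that still pass them are not addressed here. If the scopes are gone, either validate scope against the supported list inside set_policy or state in the commit message how such policies are treated. Style: the new ":param scope:" line is longer than the wrapped pair it replaces and should be wrapped the same way. Two docstring defects in the context lines are worth fixing in passing: "a dict of with the following keys", and ":type active: basestring" directly under ":param action:", which looks like it was meant to be ":type action:".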
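Review bot: In PATCH 3/3 (doc/policies/index.rst, hunk @@ -141,7 +141,7 @@), the corrected target passthru_policy is not defined anywhere in this series, so the fix cannot be confirmed from the diff alone; please confirm the label is spelled with an underscore where the passthru policy is documented. Since this is the second broken :ref: fixed by hand in three commits, consider building the documentation with sphinx-build -W (optionally with -n) in CI so that unresolved references fail the build.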