7.2. User Policies

In the Web UI users can manage their own tokens. User can login to the Web UI with the username of their useridresolver. I.e. if a user is found in an LDAP resolver pointing to Active Directory the user needs to login with his domain password.

User policies are used to define, which actions users are allowed to perform.

The user policies also respect the client input, where you can enter a list of IP addresses and subnets (like 10.2.0.0/16).

Using the client parameter you can allow different actions in if the user either logs in from the internal network or remotely from the internet via the firewall.

Technically user policies control the use of the REST API Token endpoints and are checked using Policy Module and Policy Decorators.

Note

If no user policy is defined, the user has all actions available to him, to manage his tokens.

The following actions are available in the scope user:

7.2.1. enroll

type: bool

There are enrollment actions per token type, e.g. enrollHOTP. The user is only allowed to enroll such specified token types.

7.2.2. assign

type: bool

The user is allowed to assign an existing token, that is located in his realm and that does not belong to any other user, by entering the serial number.

7.2.3. disable

type: bool

The user is allowed to disable his own tokens. Disabled tokens can not be used to authenticate.

7.2.4. enable

type: bool

The user is allowed to enable his own tokens.

7.2.5. delete

type: bool

The user is allowed to delete his own tokens from the database. Those tokens can not be recovered. Anyway, the audit log concerning these tokens remains.

7.2.6. unassign

type: bool

The user is allowed to drop his ownership of the token. The token does not belong to any user anymore and can be reassigned.

7.2.7. resync

type: bool

The user is allowed to resynchronize the token if it has got out of synchronization.

7.2.8. reset

type: bool

The user is allowed to reset the failcounter of the token.

7.2.9. setpin

type: bool

The user is allowed to set the OTP PIN for his tokens.

7.2.10. setrandompin

type: bool

If the setrandompin action is defined, the user is allowed to call the endpoint, that sets a random PIN on his specified token.

7.2.11. setdescription

type: bool

The user is allowed to set the description of his tokens.

7.2.12. enrollpin

type: bool

If the action enrollpin is defined, the user can set a token PIN during enrollment. If the action is not defined and the user tries to set a PIN during enrollment, this PIN is deleted from the request.

7.2.13. hide_tokeninfo

type: string

This specifies a blank-separated list of tokeninfo keys, which should be removed from the response and therefore will not be shown in the WebUI or JSON response.

For example a value tokenkind auto_renew will hide these two tokeninfo entries.

7.2.14. otp_pin_maxlength

type: integer

range: 0 - 31

This is the maximum allowed PIN length the user is allowed to use when setting the OTP PIN.

Note

There can be token type specific policies like spass_otp_pin_maxlength, spass_otp_pin_minlength and spass_otp_pin_contents. If suche a token specific policy exists, it takes priority of the common PIN policy.

7.2.15. otp_pin_minlength

type: integer

range: 0 - 31

This is the minimum required PIN the user must use when setting the OTP PIN.

7.2.16. otp_pin_contents

type: string

contents: cns

This defines what characters an OTP PIN should contain when the user sets it.

This takes the same values like the admin policy otp_pin_contents.

7.2.17. otp_pin_set_random

type: int

The length of a random PIN set by the user.

7.2.18. auditlog

type: bool

This action allows the user to view and search the audit log for actions with his own tokens.

To learn more about the audit log, see Audit.

7.2.19. auditlog_age

type: string

This limits the maximum age of displayed audit entries. Older entries are not remove from the audit table but the user is simply not allowed to view older entries.

Can be something like 10m (10 minutes), 10h (10 hours) or 10d (ten days).

7.2.20. hide_audit_columns

type: string

This species a blank separated list of audit columns, that should be removed from the response (Audit endpoint) and also from the WebUI. For example a value sig_check log_level will hide these two columns.

The list of available columns can be checked by examining the response of the request to the Audit endpoint.

7.2.21. updateuser

type: bool

If the updateuser action is defined, the user is allowed to change his attributes in the user store.

Note

To be able to edit the attributes, the resolver must be defined as editable.

7.2.22. userlist

type: bool

If the userlist action is defined, the user is allowed to view his own user information.

7.2.23. revoke

type: bool

Tokens can be revoked. Usually this means the token is disabled and locked. A locked token can not be modified anymore. It can only be deleted.

Certain token types like certificate may define special actions when revoking a token.

7.2.24. password_reset

type: bool

Introduced in version 2.10.

If the user is located in an editable user store, this policy can define, if the user is allowed to perform a password reset. During the password reset an email with a link to reset the password is sent to the user.

7.2.25. hotp_2step and totp_2step

type: string

This allows or forces the user to enroll a smartphone based token in two steps. In the second step the smartphone generates a part of the OTP secret, which the user needs to enter. (see Two Step Enrollment). Possible values are allow and force. This works in conjunction with the enrollment parameters 2step_clientsize, 2step_serversize, 2step_difficulty.

Such a policy can also be set for the administrator. See hotp_2step and totp_2step.

Note

This does not work in combination with the enrollment policy verify_enrollment, since the usage of 2step already ensures, that the user has successfully scanned the QR code.

7.2.26. sms_gateways

type: string

Usually an SMS token sends the SMS via the SMS gateway that is defined system wide in the token settings. This policy takes a blank separated list of configured SMS gateways. It allows the user to define an individual SMS gateway during token enrollment.

New in version 3.0.

7.2.27. hotp_hashlib and totp_hashlib

type: string

Force the user to enroll HOTP/TOTP Tokens with the specified hashlib. The corresponding input selector will be disabled/hidden in the web UI. Possible values are sha1, sha256 and sha512, default is sha1.

7.2.28. hotp_otplen and totp_otplen

type: int

Force the user to enroll HOTP/TOTP Tokens with the specified otp length. The corresponding input selector will be disabled/hidden in the web UI. Possible values are 6 or 8, default is 6.

7.2.29. hotp_force_server_generate and totp_force_server_generate

type: bool

Enforce the key generation on the server. A corresponding input field for the key data will be disabled/hidden in the web UI. Default value is false.

7.2.30. totp_timestep

type: int

Enforce the timestep of the time-based OTP token. A corresponding input selection will be disabled/hidden in the web UI. Possible values are 30 or 60, default is 30.

7.2.31. indexedsecret_force_attribute

type: string

If a user enrolls an indexedsecret token then the value of the given user attribute is set as the secret. The user does not see the value and can not change the value.

For more details of this token type see Indexed Secret Token.

New in version 3.3.

7.2.32. certificate_trusted_Attestation_CA_path

type: string

A user can enroll a certificate token. If an attestation certificate is provided in addition, this policy holds the path to a directory, that contains trusted CA paths. Each PEM encoded file in this directory needs to contain the root CA certificate at the first position and the consecutive intermediate certificates.

An additional enrollment policy certificate_require_attestation, if an attestation certificate is required.

New in version 3.5.

7.2.33. set_custom_user_attributes

type: string

This defines how a user is allowed to set his own attributes. It uses the same setting as the admin policy set_custom_user_attributes.

Note

Using a ‘*’ in this setting allows the user to set any attribute or any value and thus the user can overwrite existing attributes from the user store. If policies, depending on user attributes are defined, then the user would be able to change the matching of the policies. Use with CAUTION!

New in version 3.6

7.2.34. delete_custom_user_attributes

type: string

This defines how a user is allowed to delete his own attributes. It uses the same setting as the admin policy delete_custom_user_attributes.

Note

Using a ‘*’ in this setting allows the user to delete any attribute and thus the user can change overwritten attributes and revert to the user store attributes. If policies, depending on user attributes are defined, then the user would be able to change the matching of the policies. Use with CAUTION!

New in version 3.6