16.3. So what’s the thing with all the admins?

privacyIDEA comes with its own admins, who are stored in a database table Admin in its own database (The database model). You can use the tool pi-manage to manage those admins from the command line as the system’s root user. (see Installation)

These admin users can logon to the WebUI using the admin’s user name and the specified password. These admins are used to get a simple quick start.

Then you can define realms (see Realms), that should be administrative realms. I.e. each user in this realm will have administrative rights in the WebUI.

Note

You need to configure these realms within privacyIDEA. Only after these realms exist, you can raise their rights to an administrative role.

Note

Use this carefully. Imagine you defined a resolver to a specific group in your Active Directory to be the pricacyIDEA admins. Then the Active Directory domain admins can simply add users to be administrator in privacyIDEA.

You define the administrative realms in the config file pi.cfg, which is usually located at /etc/privacyidea/pi.cfg:

SUPERUSER_REALM = ["adminrealm1", "super", "boss"]

In this case all the users in the realms “adminrealm1”, “super” and “boss” will have administrative rights in the WebUI, when they login with this realm.

As for all other users, you can use the login_mode to define, if these administrators should login to the WebUI with their userstore password or with an OTP token.