16.3. So what’s the thing with all the admins?
privacyIDEA comes with its own admins, who are stored in the table Admin of its own database (The database model). You can use the tool to manage those admins from the command line as the system’s root user. (see
These admin users can log on to the WebUI with the admin’s user name and the password that was set for them. They exist to give you a simple quick start.
Beyond that, you can declare realms (see Realms) to be administrative realms: every user in such a realm gets administrative rights in the WebUI.
These realms must already be configured within privacyIDEA. Only a realm that exists can be raised to the administrative role.
Use this carefully. Suppose you point a resolver at a specific group in your Active Directory and make that group the privacyIDEA admins. The Active Directory domain admins can then make anyone a privacyIDEA administrator simply by adding them to that group: the admin role is only as trustworthy as whoever manages membership of the group it is built on.
You define the administrative realms in the config file pi.cfg, which is usually located at

    SUPERUSER_REALM = ["adminrealm1", "super", "boss"]
In this case all users in the realms “adminrealm1”, “super” and “boss” have administrative rights in the WebUI when they log in with one of these realms. The rights are tied to the realm named at login, not to the user name alone.
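The following is an added example, not privacyIDEA’s own code, showing how the SUPERUSER_REALM setting decides whether a login is administrative and how to audit the listed realms against the two points above: a listed realm must actually be configured, and a realm backed by an LDAP/AD resolver delegates the admin role to whoever controls that directory. pi.cfg is Python syntax, so the assignment is read with ast rather than executed. The realm and resolver data (names like ad-pi-admins, and the resolver type strings) are constructed for illustration and stand in for the realms configured in privacyIDEA; a real check would read them from the server.

```python
"""Added example (not privacyIDEA's own code).

Reads SUPERUSER_REALM from a pi.cfg fragment without exec'ing it, decides
whether a login realm is administrative, and audits the listed realms.
All realm/resolver data below is constructed for illustration.
"""
import ast

# Constructed pi.cfg fragment: only the assignment relevant here.
PI_CFG = '''
SECRET_KEY = "redacted"
SUPERUSER_REALM = ["adminrealm1", "super", "boss"]
'''

# Constructed realm -> resolver list, standing in for privacyIDEA's realm
# configuration. Resolver type strings are assumed labels for this example:
# "sqlresolver" for a local table, "ldapresolver" for an AD/LDAP directory.
REALMS = {
    "adminrealm1": {"resolvers": [("local-sql", "sqlresolver")]},
    "super": {"resolvers": [("ad-pi-admins", "ldapresolver")]},
    "users": {"resolvers": [("ad-all-users", "ldapresolver")]},
}


def superuser_realms(cfg_text):
    """Return the realms assigned to SUPERUSER_REALM in a pi.cfg text.

    Only literal assignments are honoured (ast.literal_eval), so a config
    file is never executed just to inspect it. A bare string is treated
    as a single realm.
    """
    tree = ast.parse(cfg_text)
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id == "SUPERUSER_REALM":
                value = ast.literal_eval(node.value)
                return [value] if isinstance(value, str) else list(value)
    return []


def is_admin_realm(realm, cfg_text, realms):
    """True if a login naming this realm gets administrative rights.

    The realm must be listed in SUPERUSER_REALM and must exist; a name in
    the config that matches no configured realm grants nothing.
    """
    return realm in superuser_realms(cfg_text) and realm in realms


def audit_superuser_realms(cfg_text, realms):
    """Report the two things an operator should check on SUPERUSER_REALM.

    Returns a list of (realm, finding) tuples:
      - listed realm that is not configured in privacyIDEA at all
      - listed realm whose members come from an LDAP/AD resolver, so the
        directory's group admins effectively appoint privacyIDEA admins
    """
    findings = []
    for realm in superuser_realms(cfg_text):
        if realm not in realms:
            findings.append((realm, "not configured: listed in SUPERUSER_REALM "
                                    "but no such realm exists"))
            continue
        for name, rtype in realms[realm]["resolvers"]:
            if rtype == "ldapresolver":
                findings.append((realm, f"externally managed: resolver {name} "
                                        "is LDAP/AD; whoever controls its group "
                                        "membership controls privacyIDEA admins"))
    return findings


if __name__ == "__main__":
    print("SUPERUSER_REALM:", superuser_realms(PI_CFG))
    for r in ("adminrealm1", "super", "users", "boss"):
        print(f"{r:12} admin={is_admin_realm(r, PI_CFG, REALMS)}")
    for realm, finding in audit_superuser_realms(PI_CFG, REALMS):
        print(f"WARNING {realm}: {finding}")
```

Run it against your own pi.cfg text and realm list: a warning about an LDAP-backed realm is not an error to fix but a trust relationship to be aware of, while a realm that is listed but not configured is a typo or a missing configuration step.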
As for all other users, you can use login_mode to define whether these administrators log in to the WebUI with their user store password or with an OTP token.