diff --git a/sso-mfa/k8s/privacyidea/bootstrap-admin.sh b/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
index 12867ef..cd03247 100755
--- a/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
+++ b/sso-mfa/k8s/privacyidea/bootstrap-admin.sh
@@ -86,7 +86,23 @@ kubectl create secret generic privacyidea-trigger-admin \
 echo " Done."
-# ── 5. Create trigger-admin policy via REST API ───────────────────────────────
+# ── 5. Create pi-admin-all-rights policy via pi-manage ───────────────────────
+# Once ANY admin policy exists, privacyIDEA enforces it for all admins.
+# The trigger-admin-rights policy (step 6) restricts trigger-admin to
+# triggerchallenge only — but that restriction also locks out pi-admin from
+# the REST API unless pi-admin has its own explicit policy granting full rights.
+# This policy must be created via pi-manage (in-pod) because there is no REST
+# access before it exists.
+echo ""
+echo "Creating pi-admin-all-rights policy via pi-manage ..."
+if kubectl exec -n "$NAMESPACE" "$PI_POD" -- \
+  pi-manage config policy create pi-admin-all-rights admin "*" 2>&1 | grep -qi "already exist\|exists"; then
+  echo " pi-admin-all-rights already exists — skipping."
+else
+  echo " pi-admin-all-rights created."
+fi
+
+# ── 6. Create trigger-admin policy via REST API ──────────────────────────────
 # This restricts trigger-admin to the triggerchallenge action only.
 # Requires pink.coulomb.social to be reachable.
 echo ""
@@ -132,7 +148,7 @@ else
 fi
 fi
-# ── 6. Summary ────────────────────────────────────────────────────────────────
+# ── 7. Summary ────────────────────────────────────────────────────────────────
 echo ""
 echo "════════════════════════════════════════════════════════════"
 echo " Admin bootstrap complete."
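Review bot: The `if kubectl exec … | grep -qi "already exist\|exists"` test in step 5 reports "created" for every outcome that is not the already-exists message, including a failed `kubectl exec` (wrong `$PI_POD`, pi-manage usage error, database unreachable) — the `if` only sees grep's status, and `set -e`/`pipefail` are suppressed inside an `if` condition. Because step 6 then creates the restrictive trigger-admin policy over the REST API, a silently failed step 5 produces exactly the pi-admin lockout the new comment block warns about, so the script should capture the exit status separately and abort before step 6 on any failure that is not the already-exists case (rewrite below). Separately, `admin "*"` with no admin-user/admin-realm restriction presumably matches every admin account, trigger-admin included; if privacyIDEA unions the actions of all matching admin policies (I believe it does — confirm against the policy docs for the deployed release), the step-6 restriction is moot and trigger-admin effectively gets `*`, so the policy should be pinned to the pi-admin account via pi-manage's admin-user restriction option, if the installed version supports it, and the comment should say so: `# Scoped to pi-admin only; an unscoped admin policy would also grant trigger-admin full rights.`
```sh
echo "Creating pi-admin-all-rights policy via pi-manage ..."
rc=0
out=$(kubectl exec -n "$NAMESPACE" "$PI_POD" -- \
  pi-manage config policy create pi-admin-all-rights admin "*" 2>&1) || rc=$?
if grep -qi "already exist\|exists" <<<"$out"; then
  echo " pi-admin-all-rights already exists — skipping."
elif (( rc != 0 )); then
  # Do not proceed to step 6: without this policy the restrictive
  # trigger-admin policy would lock pi-admin out of the REST API.
  printf '%s\n' "$out" >&2
  echo " ERROR: pi-manage could not create pi-admin-all-rights (exit $rc); aborting." >&2
  exit 1
else
  echo " pi-admin-all-rights created."
fi
# … unchanged: step 6 trigger-admin policy via REST API …
```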