Restriction to give full access in a new policy

Topic starter

Hello All,

I have delegated someone to manage the policies, but wanted to restrict this person from using the below path while creating another policy for other person.

path "*" {
  capabilities = ["read", "create", "list", "update", "delete", "sudo"]
}

is there way to restrict it with the policy itself?

Thank you

2 Answers

Hi @aamirfazal96, sorry I don’t quite understand, could you please elaborate more?

Amir Topic starter 22/05/2023 9:50 pm

@sam-gabrailtekanaid-com

Hey Sam,
Ok, let me frame it in a different way.
I have given an admin policy to an application owner to manage his own namespace.
Now, the owner can enable any secret engines, auth methods and sub-namespaces, and can create new policies. Suppose he creates a full-access policy with all the capabilities, that is path "*" { capabilities = ["read", "create", "list", "delete", "update", "sudo"] }, and assigns it to one of his team members. Now this team member gets full access to the vault (within that namespace).

I wanted to restrict the owner from creating the full access policy as stated above.


Hey @aamirfazal96 , sorry for the late reply, somehow just got a notification this morning only.

You probably need to put a deny statement. Here is an example from the docs:

# This section grants all access on "secret/*". Further restrictions can be
# applied to this broad policy, as shown below.
path "secret/*" {
  capabilities = ["create", "read", "update", "patch", "delete", "list"]
}
# Even though we allowed secret/*, this line explicitly denies
# secret/super-secret. This takes precedence.
path "secret/super-secret" {
  capabilities = ["deny"]
}

In your case, you probably would use a deny for the specific path based on what you want to restrict. Check the API docs for that. The policy will match the longer path. So just as the example above: secret/super-secret is more specific and longer than secret/* so it takes precedence.
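To make the precedence described above concrete, here is an added simulation (not Vault's own code and not part of the thread) of how overlapping ACL rules resolve when a token holds several policies. It assumes the documented rules only in simplified form: an exact path beats any glob path, the longest matching glob prefix wins, capabilities for the same path are unioned across policies, and "deny" is absolute; the "+" segment wildcard and Vault's finer priority ordering are not modelled.

```python
# Simplified model of Vault ACL resolution, written for this thread (assumption:
# exact path beats glob, longest glob prefix wins, "deny" is absolute).
from typing import Dict, List, Tuple

Rule = Tuple[str, List[str]]  # (path, capabilities) as written in an HCL policy


def merge(policies: Dict[str, List[Rule]]) -> Tuple[Dict[str, set], Dict[str, set]]:
    """Union capabilities per path across all policies a token holds.
    A 'deny' contributed by any policy makes that path deny-only."""
    exact: Dict[str, set] = {}
    glob: Dict[str, set] = {}   # keyed by the prefix before the trailing "*"
    for rules in policies.values():
        for path, caps in rules:
            is_glob = path.endswith("*")
            table = glob if is_glob else exact
            key = path[:-1] if is_glob else path
            merged = table.setdefault(key, set())
            merged |= set(caps)
            if "deny" in merged:
                table[key] = {"deny"}
    return exact, glob


def capabilities(policies: Dict[str, List[Rule]], request: str) -> set:
    """Capabilities a token with these policies has on the requested path."""
    exact, glob = merge(policies)
    if request in exact:                        # exact rule beats any glob
        return set(exact[request])
    prefixes = [p for p in glob if request.startswith(p)]
    if not prefixes:
        return set()                            # no rule at all: implicit deny
    return set(glob[max(prefixes, key=len)])    # longest glob prefix wins


# Constructed sample: the "full access" policy from the question, plus a
# separate policy carrying the exact-path deny from the docs example above.
FULL = ["read", "create", "list", "update", "delete", "sudo"]
OWNER_FULL_ACCESS: List[Rule] = [("*", FULL)]
GUARDRAIL: List[Rule] = [("secret/super-secret", ["deny"])]

if __name__ == "__main__":
    both = {"owner": OWNER_FULL_ACCESS, "guardrail": GUARDRAIL}
    print(capabilities(both, "secret/foo"))           # full access via "*"
    print(capabilities(both, "secret/super-secret"))  # {'deny'}: exact deny beats "*"
```

The last case in the test below is the caveat worth remembering: a broad glob deny such as secret/* is itself beaten by a more specific exact allow in another policy, so a guardrail deny has to be at least as specific as the allow it is meant to override.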
