I would like for users in a group to be able to manage the users of that group. So far I have:
# the group's own secrets
path "secret/data/fpd/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# allow to modify group fpd-admin
# (read/list on all groups, update only on the group this token belongs to;
# the template resolves to the ID of the caller's fpd-admin group)
path "identity/group/*" {
  capabilities = ["read", "list"]
}
path "identity/group/id/{{identity.groups.names.fpd-admin.id}}" {
  capabilities = ["update", "read"]
}

# allow browsing of entities (so members can look up entity IDs to add)
path "identity/entity" {
  capabilities = ["list"]
}
path "identity/entity/id" {
  capabilities = ["list"]
}
path "identity/entity/id/*" {
  capabilities = ["read"]
}
Whilst it seems to work (this policy is added to the group fpd-admin and allows entities/users of that group to list, add and remove users from the fpd-admin group), it also allows those users to add and change the policies associated with that group, i.e. they can just add another policy (say vault-admin) to fpd-admin and have more power than they should.
Is there a deny endpoint I can add to prevent changes to the policies associated with this group?
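There is no separate "deny" endpoint for this, but Vault policies support parameter constraints on a path: `denied_parameters` refuses any create/update request that carries the named request parameter, regardless of its value. The policy below is an added example, not the poster's policy or anything from the Vault project; it keeps the group-management paths from the question and assumes, as the question does, that the group is named fpd-admin and the policy is attached to that group.

```hcl
# Added example: same shape as the policy in the question, with parameter
# constraints on the group-update path so members of fpd-admin can manage
# entity membership but cannot touch the group's policy list.

path "secret/data/fpd/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Read/list every group, but no write on the glob.
path "identity/group/*" {
  capabilities = ["read", "list"]
}

# Update is allowed on our own group only, and any update that includes the
# "policies" parameter is refused outright (an empty list means "deny this
# parameter with any value"). "member_group_ids" is refused as well, on the
# assumption that only entity membership should be self-managed: making
# another group a child of fpd-admin would hand that group's members the
# fpd-admin policies.
path "identity/group/id/{{identity.groups.names.fpd-admin.id}}" {
  capabilities = ["read", "update"]
  denied_parameters = {
    "policies"         = []
    "member_group_ids" = []
  }
}

# Entity browsing, unchanged from the question.
path "identity/entity" {
  capabilities = ["list"]
}
path "identity/entity/id" {
  capabilities = ["list"]
}
path "identity/entity/id/*" {
  capabilities = ["read"]
}
```

To verify it, load the policy with `vault policy write fpd-admin fpd-admin.hcl`, log in as a member of the group and run `vault write identity/group/id/<group-id> policies=vault-admin`; it should fail with permission denied, while `vault write identity/group/id/<group-id> member_entity_ids=<entity-id>` should succeed and leave the existing policy list in place, since the group update only replaces the fields present in the request. Two caveats worth checking in your own environment: parameter constraints apply only to create/update operations, so they do not affect `read`, and a client that always submits the whole group document (including `policies`) will now be refused, so membership changes have to be made with requests that send only `member_entity_ids`. The glob `identity/group/*` above grants no update, so the same group cannot be modified through the `identity/group/name/fpd-admin` endpoint instead; if you ever grant update on that path too, give it the same `denied_parameters` block.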