Allowing user to modify group memberships

yee379 · November 17, 2021, 3:25am

I would like for users in a group to be able to manage the users of that group. so far i have:

path "secret/data/fpd/*"
{
  capabilities = ["create", "read", "update", "delete", "list"]
}

# allow to modify group fpd-admin
path "identity/group/*"
{
  capabilities = ["read", "list"]
}
path "identity/group/id/{{identity.groups.names.fpd-admin.id}}" {
 capabilities = [ "update", "read" ]
}

# allow browsing of entities
path "identity/entity"
{
  capabilities = [ "list" ]
}
path "identity/entity/id"
{
  capabilities = [ "list" ]
}
path "identity/entity/id/*"
{
  capabilities = [ "read" ]
}

whilst it seems to work - this policy is added to the Group fpd-admin and allows entities/users of that group to list and add and remove users from the fpd-admin group… it also allows those users to add and change the policies associated with that group - ie they can just add another policy (say vault-admin to fpd-admin and have more power than they should.

is there a deny endpoint i add to prevent changes to the policies associated with this group?

aram · November 17, 2021, 10:29am

No, you either have update access to a group (parameters and members) or you don’t. There is no finer control.

Topic		Replies	Views
Policy to user to manage particular group Vault	1	278	May 25, 2021
Allow user to update/delete certain policies(Hashicorp Vault) Vault vault	0	371	August 17, 2021
Group policies and JWT Login Vault	2	673	July 2, 2020
How can I securely manage users who have permission to create policies Vault vault	6	340	May 17, 2022
Vault admin policy Vault	3	4078	May 21, 2022

Allowing user to modify group memberships

Related topics