I can’t enable changing passwords for local users individually. Even with the policy created, it does not restrict password changes to the logged-in user only; I have to grant access to all users so that they can change their password, which is a security breach.
The policy I created follows.
# List auth methods
path "sys/auth" {
  capabilities = ["list", "read"]
}

# Manage auth methods broadly across Vault
path "auth/*" {
  capabilities = ["list", "read", "write"]
}

# Change own password individually
path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_6e9f2226.name}}" {
  capabilities = ["list", "read", "update"]
  allowed_parameters = {
    "password" = []
  }
}
If I do not put the “write” option in the path “auth/*”, the user receives an access denied message; however, if I put “write” in, it lets the user change all the created logins.
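As an added example (not part of the original post), here is the same policy with the broad `auth/*` rule reduced to read/list so that it no longer grants create/update on every entry under `auth/userpass/users/*`, while the templated path keeps the self-service password change. It assumes the accessor `auth_userpass_6e9f2226` is the one the userpass mount actually has (compare with `vault auth list -detailed`); if it differs, the templated path never matches and the user is denied regardless of the rest of the policy.

```hcl
# List auth methods (read-only)
path "sys/auth" {
  capabilities = ["list", "read"]
}

# Read-only visibility of auth mounts. No create/update here:
# a write-type capability on "auth/*" also covers
# "auth/userpass/users/<anyone>", which is what let users
# change every login.
path "auth/*" {
  capabilities = ["list", "read"]
}

# Each user may update only their own userpass entry, and only
# the "password" field of it. The accessor in the template is
# assumed to match the userpass mount's accessor.
path "auth/userpass/users/{{identity.entity.aliases.auth_userpass_6e9f2226.name}}" {
  capabilities = ["update"]
  allowed_parameters = {
    "password" = []
  }
}
```

After writing the policy, `vault token capabilities <token> auth/userpass/users/<other-user>` for a logged-in user should report no update capability on another user's entry, while the user's own entry still shows `update`.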