Group policies and JWT Login

I’m trying to write a policy that will allow group members who login using jwt’s to edit their public group data.

this is what I have

path "public-group/data/{{identity.groups.ids.<<GROUP ID>>.name}}/*" {
 	capabilities = [ "create", "update", "read", "delete", "list" ]
 }

do I have to create one of these policies for every single group that is created? it seems like I do.

Im trying to figure out how to associate these with the jwt login without having to also create a custom role for for every group and every combination of user in different groups.

is there by chance a way to add policies at login, or dynamically?

Ideally I would prefer something like this, which could check if the entity is the member of the group

path "public-group/data/{{identity.entity.groups.id}}/*" {
 	capabilities = [ "create", "update", "read", "delete", "list" ]
 }

Hello,

I’m really not sure what is your exact use case, but you might make use of identity.entity.metadata.<<metadata key>> as policy templating, and set metadata attributes to the entity by mapping JWT claims to metadata in the entity,here is some more info on how to map JWT claims to entity metadata.

Please, take this as a suggestion, not a complete solution.

@martinhristov90 that is a really good suggestion, thank you. Im not sure it will solve the problem though. It seems like that would be 1:1 relationship; I’m trying to implement a single policy that allows a 1:n relationship.

The goal is to have 1 policy that will look at the groups an entity belongs to and only allow access to secrets associated with those groups. whether by name or id.

I can do it rather easy if I create a policy for each group however I’m trying to avoid that because if we have 1000’s of entities that means we will have 1000’s of policies and I’ve just discovered that I will also have to create roles for each user too in order to map the different policies to the users which will be a nightmare to manage.

1 Like