How can I securely manage users who have permission to create policies

If I have an AppRole with the following permissions:

path "sys/policies/acl/*" {
  capabilities = ["update"]
}

How do I prevent this AppRole from creating permissions for any path?

This is a hard problem.

Vault Enterprise seeks to solve this with namespaces, which constrain policies created within a namespace to only permission paths within the namespace. (Although namespaces do more than that, too.)

Vault Open Source does not supply an answer to this problem, and assumes that either you will only grant policy edit permissions to ultimately trusted users who can do anything at all, or that you will build your own separate tooling to enforce constraints on policy updates. (Meaning that tooling is the only thing allowed to change policies, and users will talk to it instead of Vault itself to make policy updates.)
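As an added illustration of the "separate tooling" approach described in the answer above (this is example code written for this page, not part of the thread, of Vault, or of any HashiCorp tool), the hypothetical gatekeeper below is the only principal that holds `update` on `sys/policies/acl/*`. A team's AppRole never gets that capability; it submits a policy to this tool, and the tool refuses any policy whose `path` stanzas reach outside the prefixes assigned to that team, whose name could overwrite someone else's policy, or which hands out `sudo`. The team-to-prefix mapping, the policy-name convention, and the `VAULT_ADDR`/`VAULT_TOKEN` environment variables are assumptions of the example.

```python
"""Hypothetical gatekeeper for delegated Vault ACL policy updates.

This is not Vault's own mechanism: Vault OSS cannot constrain what a policy
grants, so this script sits in front of `sys/policies/acl` and fails closed
on anything it does not understand.  Added example; assumptions are marked.
"""
import json
import os
import re
import sys
import urllib.request

# One flat `path "..." { ... }` stanza, as in the question.  Nested blocks
# (e.g. allowed_parameters = { ... }) deliberately do not match and are
# refused below rather than silently ignored.
STANZA_RE = re.compile(r'path\s+"([^"]+)"\s*\{([^{}]*)\}')
CAPS_RE = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')

# Capabilities a delegated user may hand out.  "sudo" is excluded because it
# unlocks root-protected paths; "deny" only removes access, so it is allowed.
SAFE_CAPS = {"create", "read", "update", "delete", "list", "patch", "deny"}


def parse_policy(text):
    """Return [(path, [capabilities])] for each stanza.

    Raises ValueError if anything other than flat stanzas, whitespace and
    `#` comments is present, so unknown syntax cannot smuggle a grant past us.
    """
    rules = []
    for m in STANZA_RE.finditer(text):
        caps_m = CAPS_RE.search(m.group(2))
        caps = []
        if caps_m:
            caps = [c.strip().strip('"') for c in caps_m.group(1).split(",") if c.strip()]
        rules.append((m.group(1), caps))
    leftover = re.sub(r"#[^\n]*", "", STANZA_RE.sub("", text)).strip()
    if leftover:
        raise ValueError("unsupported policy syntax near %r" % leftover[:40])
    return rules


def _normalize_prefix(prefix):
    # A trailing slash stops "secret/data/team-a" from also admitting
    # "secret/data/team-abc".
    return prefix if prefix.endswith("/") else prefix + "/"


def check_policy(name, text, allowed_prefixes, name_prefix):
    """Return a list of violations; an empty list means the policy may be written.

    Every path must equal or sit under one of allowed_prefixes.  Because the
    prefixes contain no '*' or '+', startswith() also rejects any wildcard
    placed before the prefix boundary, which is how a rule would otherwise
    widen beyond the team's subtree.
    """
    problems = []
    if not name.startswith(name_prefix):
        problems.append("policy name %r must start with %r" % (name, name_prefix))
    try:
        rules = parse_policy(text)
    except ValueError as exc:
        return problems + [str(exc)]
    prefixes = [_normalize_prefix(p) for p in allowed_prefixes]
    for path, caps in rules:
        if not any(path == p.rstrip("/") or path.startswith(p) for p in prefixes):
            problems.append("path %r is outside %s" % (path, prefixes))
        disallowed = sorted(set(caps) - SAFE_CAPS)
        if disallowed:
            problems.append("path %r requests disallowed capabilities %s" % (path, disallowed))
        if not caps:
            problems.append("path %r declares no capabilities" % path)
    return problems


def upload_policy(name, text, addr, token):
    """Write the policy with the tool's own token via PUT /v1/sys/policies/acl/:name.

    Vault answers 204 No Content on success.  Only this function's caller
    ever touches sys/policies/acl; requesting users never hold that capability.
    """
    req = urllib.request.Request(
        "%s/v1/sys/policies/acl/%s" % (addr.rstrip("/"), name),
        data=json.dumps({"policy": text}).encode(),
        method="PUT",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: gatekeeper.py <team> <policy-name> <policy.hcl>
    # The mapping below is a constructed sample; a real deployment would load
    # it from the tool's own configuration, not from user input.
    TEAM_PREFIXES = {"team-a": ["secret/data/team-a", "secret/metadata/team-a"]}
    team, policy_name, hcl_file = sys.argv[1:4]
    with open(hcl_file) as fh:
        policy_text = fh.read()
    found = check_policy(policy_name, policy_text, TEAM_PREFIXES[team], team + "-")
    if found:
        print("refused:\n  " + "\n  ".join(found))
        sys.exit(1)
    upload_policy(policy_name, policy_text, os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    print("policy %s written" % policy_name)
```

The important design choice is failing closed: the parser only accepts the flat stanza form and rejects everything else, because a lenient parser that skipped over unrecognised HCL would let a grant through that it never checked. The policy-name prefix check matters as much as the path check, since a team that can write the policy named `admin` does not need to touch `sys/` at all.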

Thanks for the help. Is there a tool for direct authorization? Or do I need to develop it myself?

There is no standard tool for that. Each organisation needs to write something according to their particular requirements.

thank you very much!

I want to apply the policy below to the Cipher AD. Can anyone suggest commands to apply a password restriction policy?

length = 14
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}
rule "charset" {
  charset = "0123456789"
  min-chars = 1
}
rule "charset" {
  charset = "#$_@"
  min-chars = 1
}

This is unrelated to the preceding discussion. You should start a separate topic.