I am running into an issue when trying to manage policy updates for userpass users. The scenario is described in detail in the links below, but the high-level intent is as follows:
- Admin needs to be able to update policies attached to users
- Admin can only grant specific policies
In order to satisfy item 2, the admin has the following policy:
Now the issue that I am running into is that the admin seems to be able to assign a policy that is not allowed by prefixing it with an allowed policy. Is this because of the '*' pattern match in the admin policy in the link above?
Please see the sample steps to reproduce the issue in the link below:
I would like to get some recommendations on best practices for managing policy updates on users and/or how to fix this issue.
Using Vault 1.3.3.
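The mechanism the question hints at, as an added illustration for this thread (it is not the poster's policy and not Vault's code): Vault's `allowed_parameters` treats a trailing `*` in an allowed value as a prefix glob and checks a plain string value as a whole, while the userpass backend declares `policies` as a comma-separated string slice and splits it only after the ACL check has passed. If the admin policy allows something like `"policies" = ["app-reader*"]` (an assumed pattern, since the actual policy is in the linked post), the raw string `app-reader,admin` passes the glob and is then split into two policies. The policy names, helper names and request data below are constructed for the example; the semantics are modelled on Vault's documented behaviour and should be verified against the version in use.

```python
"""Stand-alone model of Vault's allowed_parameters check versus the userpass
backend's comma-separated `policies` parameter. Written for this thread as an
illustration; it is not Vault's code, and all names here are hypothetical."""
from typing import Dict, List, Optional, Union

ParamValue = Union[str, List[str]]


def glob_match(pattern: str, value: str) -> bool:
    """Vault-style matching: a trailing '*' is a prefix wildcard, anything else is exact."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def acl_allows(allowed: Dict[str, List[str]], request_data: Dict[str, ParamValue]) -> bool:
    """Approximation of the allowed_parameters check on the raw request body.

    Every submitted key must be listed; a list-valued parameter is checked
    element by element, a string value is compared as a single whole string.
    An empty pattern list means any value is accepted for that key.
    """
    for key, value in request_data.items():
        if key not in allowed:
            return False
        patterns = allowed[key]
        if not patterns:
            continue
        values = value if isinstance(value, list) else [value]
        if not all(any(glob_match(p, v) for p in patterns) for v in values):
            return False
    return True


def userpass_parse_policies(value: ParamValue) -> List[str]:
    """The backend's view: a string is split on commas into individual policy names."""
    items = value if isinstance(value, list) else value.split(",")
    return [p.strip() for p in items if p.strip()]


def effective_policies(allowed: Dict[str, List[str]],
                       request_data: Dict[str, ParamValue]) -> Optional[List[str]]:
    """Policies that would actually be attached to the user, or None if the ACL rejects."""
    if not acl_allows(allowed, request_data):
        return None
    return userpass_parse_policies(request_data["policies"])


# Constructed admin policies for this example (hypothetical policy names).
GLOB_POLICY = {"policies": ["app-reader*"]}               # weak: trailing '*' is a prefix glob
EXACT_POLICY = {"policies": ["app-reader", "app-writer"]}  # hardened: exact names, no '*'

if __name__ == "__main__":
    smuggled = {"policies": "app-reader,admin"}  # constructed request body
    print(effective_policies(GLOB_POLICY, smuggled))   # glob passes, 'admin' gets attached
    print(effective_policies(EXACT_POLICY, smuggled))  # whole string matches nothing: rejected
    print(effective_policies(EXACT_POLICY, {"policies": ["app-reader", "admin"]}))  # rejected
    print(effective_policies(EXACT_POLICY, {"policies": ["app-writer", "app-reader"]}))
```

The practical consequence for the policy in the question: enumerate the grantable policy names exactly in `allowed_parameters` rather than using a `*` suffix, since a glob on a parameter that the backend later splits on commas will accept any comma-joined string that starts with the allowed prefix. With exact values, both the whole-string form `app-reader,admin` and the list form `["app-reader", "admin"]` are refused.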