what we really need is an "allowed_paths" option in a policy: so an admin could create a policy giving permission to create new policies, but only ones that have a certain path
path "sys/policies/acl/*" {
  capabilities = ["create", "delete", "read", "update"]
  allowed_paths = ["/secrets/users/{{ identity.entity.name }}/*"]
}
so anyone with this policy can create new policies, but only with paths starting with (for example) /secrets/users/kate
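To make the proposed check concrete, here is an added example (not from the post above, and not a Vault feature: `allowed_paths` is hypothetical) that models what Vault would have to verify before accepting a new policy under such an option. It assumes the only template parameter is `{{identity.entity.name}}`, extracts `path "..."` blocks with a regex rather than a full HCL parser, and treats the allowed glob the way Vault treats its own globs (a trailing `*` is a prefix match, `+` is a single-segment wildcard). The sample policies are constructed for the example. The important edge case is that a path in the new policy may itself be a glob, so the check has to compare the policy path's literal prefix against the allowed prefix; otherwise a user could write `secrets/users/*` and grant themselves every user's secrets.

```python
import re
from typing import List, Tuple

# Hypothetical feature: "allowed_paths" does not exist in Vault. This models the
# check the proposal implies: every path in a newly created policy must lie
# under one of the (template-rendered) allowed globs.

PATH_BLOCK_RE = re.compile(r'path\s+"([^"]+)"\s*\{')
# Only the entity-name template parameter is modelled here.
TEMPLATE_RE = re.compile(r"\{\{\s*identity\.entity\.name\s*\}\}")


def normalize(path: str) -> str:
    """Vault policy paths carry no leading slash; strip one if present."""
    return path.lstrip("/")


def render_template(pattern: str, entity_name: str) -> str:
    """Substitute {{identity.entity.name}} as a templated policy would."""
    return TEMPLATE_RE.sub(entity_name, pattern)


def policy_paths(hcl: str) -> List[str]:
    """Return the paths of all `path "..." { ... }` blocks in the policy text."""
    return [normalize(p) for p in PATH_BLOCK_RE.findall(hcl)]


def within_allowed(policy_path: str, allowed: str) -> bool:
    """True if every request policy_path can match is also matched by allowed.

    Because Vault globs only have a trailing '*' (plus the '+' segment wildcard),
    an allowed glob 'a/b/*' covers a policy path exactly when the policy path's
    literal part (everything before its first wildcard) starts with 'a/b/'.
    'a/b/*' and 'a/b/+/c' pass; 'a/*', 'a/+/b' and 'a/bc/*' do not.
    """
    allowed = normalize(allowed)
    if allowed.endswith("*"):
        prefix = allowed[:-1]
        literal = re.split(r"[*+]", policy_path, maxsplit=1)[0]
        return literal.startswith(prefix)
    # An exact allowed path only covers that exact, wildcard-free policy path.
    return policy_path == allowed and not any(c in policy_path for c in "*+")


def check_new_policy(hcl: str, allowed_paths: List[str], entity_name: str) -> Tuple[bool, List[str]]:
    """Return (accepted, rejected_paths) for a policy submitted by entity_name."""
    rendered = [render_template(a, entity_name) for a in allowed_paths]
    rejected = [p for p in policy_paths(hcl)
                if not any(within_allowed(p, a) for a in rendered)]
    return (not rejected, rejected)


# Allowed glob exactly as written in the proposal above (leading slash, spaces in template).
ALLOWED = ["/secrets/users/{{ identity.entity.name }}/*"]

# Constructed sample policies submitted by entity "kate".
GOOD_POLICY = '''
path "secrets/users/kate/*" { capabilities = ["read", "list"] }
path "secrets/users/kate/+/notes" { capabilities = ["update"] }
'''

BAD_POLICY = '''
path "secrets/users/kate/*" { capabilities = ["read"] }
path "secrets/users/*" { capabilities = ["read"] }
path "secrets/users/katerina/*" { capabilities = ["read"] }
path "sys/policies/acl/*" { capabilities = ["create", "update"] }
'''

if __name__ == "__main__":
    print(check_new_policy(GOOD_POLICY, ALLOWED, "kate"))
    print(check_new_policy(BAD_POLICY, ALLOWED, "kate"))
```

Run as-is it accepts the first policy and rejects three paths of the second: the broader `secrets/users/*` glob, the prefix-collision `secrets/users/katerina/*`, and the privilege-escalation attempt on `sys/policies/acl/*`. Rendering the allowed glob with a different entity name (say `bob`) rejects even the "good" policy, which is the point of tying the allowed prefix to `identity.entity.name`.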