Hi,
I’m facing an issue with my policies. I’m using the LDAP auth backend and have a policy for each user and each group.
Most of the policies allow access to a certain path in a kv and restrict to “create” rights for a “prod” subpath, but one of them grants all rights on the kv.
My policies look like this:
- Team policy:
path "kv/team-a/+/preprod/*" {
capabilities = ["read", "create", "update"]
}
path "kv/team-a/+/prod/*" {
capabilities = ["create"]
}
- Admin policy:
path "kv/*" {
capabilities = ["create", "read", "delete", "update"]
}
The issue is that some users may be part of a team and also be admins; therefore, they cannot read secrets in production for their team because the team policy takes precedence.
Do you have any tips on how to define my policies to avoid this conflict?
Best regards,
Clément
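The shadowing described in the post can be reproduced with a small model of how Vault merges ACL policies. This is an added example, not code from the post or from Vault itself: it implements the priority rules Vault documents for policy paths (a rule whose first `+` or `*` appears later wins, then no trailing `*`, fewer `+` segments, longer path, lexicographic order) and the additive merge of capabilities for rules with an identical path. Deny rules, sudo and parameter constraints are deliberately left out. The `ADMIN_POLICY_FIXED` variant is one assumed way out of the conflict (repeat the team's specific paths in the admin policy so the capabilities are unioned instead of the team rule hiding `kv/*`); the secret path and policy dictionaries are constructed for the example.

```python
"""Model of Vault ACL policy merging (added illustration, not Vault's code)."""
import re

# The two policies from the post, written as {path rule: capabilities}.
TEAM_POLICY = {
    "kv/team-a/+/preprod/*": {"read", "create", "update"},
    "kv/team-a/+/prod/*": {"create"},
}
ADMIN_POLICY = {
    "kv/*": {"create", "read", "delete", "update"},
}

# Assumed fix (not stated in the post): repeat the team's specific paths in
# the admin policy. Rules with an identical path are merged, so an admin who
# is also on the team gets the union instead of the team rule shadowing "kv/*".
ALL = {"create", "read", "delete", "update"}
ADMIN_POLICY_FIXED = {
    "kv/*": ALL,
    "kv/team-a/+/preprod/*": ALL,
    "kv/team-a/+/prod/*": ALL,
}


def rule_to_regex(rule: str) -> re.Pattern:
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = rule.endswith("*")
    body = rule[:-1] if glob else rule
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def priority_key(rule: str) -> tuple:
    """Higher tuple = more specific rule, in Vault's documented order:
    later first wildcard/glob, no trailing '*', fewer '+' segments,
    longer path, lexicographically larger."""
    wildcard_positions = [i for i, ch in enumerate(rule) if ch in "+*"]
    first_wildcard = min(wildcard_positions) if wildcard_positions else len(rule)
    return (
        first_wildcard,
        not rule.endswith("*"),
        -rule.split("/").count("+"),
        len(rule),
        rule,
    )


def capabilities(policies: list, request: str) -> set:
    """Effective capabilities for one request path across several policies."""
    by_rule = {}
    for policy in policies:
        for rule, caps in policy.items():
            if rule_to_regex(rule).match(request):
                # Same path in several policies: capabilities are unioned.
                by_rule.setdefault(rule, set()).update(caps)
    if not by_rule:
        return set()
    # Different paths: only the most specific one applies, nothing is merged.
    winner = max(by_rule, key=priority_key)
    return by_rule[winner]


if __name__ == "__main__":
    secret = "kv/team-a/app1/prod/db-password"  # constructed sample path
    print("team only:       ", sorted(capabilities([TEAM_POLICY], secret)))
    print("team + admin:    ", sorted(capabilities([TEAM_POLICY, ADMIN_POLICY], secret)))
    print("team + admin fix:", sorted(capabilities([TEAM_POLICY, ADMIN_POLICY_FIXED], secret)))
```

With the original policies the model yields only `create` on `kv/team-a/app1/prod/db-password` for a user holding both policies, which is the behaviour the post describes; with the repeated paths it yields the full set. Against a real server the same check is `vault token capabilities <path>` run with the affected user's token, which reports exactly what the merged policies allow on that path. Keep in mind that a `deny` capability on any matching rule always wins in Vault, which this model does not represent.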