Policy conflicts

Hi,

I’m facing an issue with my policies. I’m using the ldap auth backend and have a policy for each user and each group.

Most of the policies allow access to a certain path in a kv and restrict to “create” rights for a “prod” subpath, but one of them grants all rights on the kv.

My policies look like this:

  • Team policy:

path "kv/team-a/+/preprod/*" {
  capabilities = ["read", "create", "update"]
}

path "kv/team-a/+/prod/*" {
  capabilities = ["create"]
}

  • Admin policy:

path "kv/*" {
  capabilities = ["create", "read", "delete", "update"]
}

The issue is that some users may be part of a team and also be admin; therefore, they cannot read secrets in production for their team because the team policy takes precedence.

Do you have any tips on how to define my policies to avoid this conflict?

Best regards,
Clément

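Why the team rule wins for a user holding both policies, as an added example (not part of the original post and not Vault's own code): a simplified Python model of Vault's documented priority matching, where only the highest-priority matching pattern applies and capabilities are unioned only across policies that share that exact pattern. `ADMIN_FIXED` is a hypothetical variant of the admin policy that repeats the team's prod pattern; the request paths are constructed.

```python
import re

# Policies from the post, as pattern -> capabilities.
TEAM = {
    "kv/team-a/+/preprod/*": {"read", "create", "update"},
    "kv/team-a/+/prod/*": {"create"},
}
ADMIN = {"kv/*": {"create", "read", "delete", "update"}}
# Hypothetical variant: the admin policy repeats the team's prod pattern,
# so both policies share the winning pattern and their capabilities merge.
ADMIN_FIXED = {**ADMIN, "kv/team-a/+/prod/*": {"create", "read", "delete", "update"}}


def matches(pattern, path):
    """'+' matches exactly one segment; a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = "/".join("[^/]+" if s == "+" else re.escape(s) for s in body.split("/"))
    return re.fullmatch(regex + (".*" if glob else ""), path, re.S) is not None


def priority(pattern):
    """Sort key, larger wins (simplified from Vault's documented ordering):
    later first wildcard, no trailing glob, fewer '+', longer, then lexical."""
    first_wild = min((i for i, c in enumerate(pattern) if c in "+*"),
                     default=float("inf"))
    plus_segments = pattern.split("/").count("+")
    return (first_wild, not pattern.endswith("*"), -plus_segments,
            len(pattern), pattern)


def effective(policies, path):
    """Capabilities a token holding all `policies` gets on `path`."""
    candidates = {p for pol in policies for p in pol if matches(p, path)}
    if not candidates:
        return set()  # no matching rule: implicit deny
    winner = max(candidates, key=priority)
    caps = set().union(*(pol[winner] for pol in policies if winner in pol))
    return set() if "deny" in caps else caps  # deny overrides everything


if __name__ == "__main__":
    prod = "kv/team-a/app1/prod/db"  # constructed request path
    print("team + admin       :", sorted(effective([TEAM, ADMIN], prod)))
    print("team + admin_fixed :", sorted(effective([TEAM, ADMIN_FIXED], prod)))
    print("other team (admin) :", sorted(effective([TEAM, ADMIN], "kv/team-b/x")))
```

The same model shows the admin also loses `delete` under `kv/team-a/+/preprod/*`, since that pattern outranks `kv/*` as well.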