Token policies and identity policies

I recently tried to get more used to token generation and policies.
I tried to make a token for a user that is more restrictive than the rights he might have, for automation for example.
From what I can get as a result, it seems that if the identity from whom you are going to make a token has more rights than those defined by the token policy, then you can get more access with the token thanks to the identity policies, except if you are going to create an orphan token.
Does that seem right to you?
For my part, I want to create a token with fewer rights than those of my current user but within my capabilities, and as a child token, so that it dies together with my current token.
Every time I tried, my child token seems to get the same capabilities as its parent via my identity policy. Am I doing it the wrong way, or is this not the right way to do it?


The point of identity policies is to attach permissions to an identity regardless of which specific token is used. In other words, permissions in identity policies should be the base set of permissions you always want that user to have. Then individual token policies can supplement.

You could restrict permissions granted via identity policies with explicit “deny” capabilities on paths, but the better approach is simply to not assign permissions to identities if you don’t want them to always have those permissions.
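To make the merging behaviour described in this thread concrete, here is an added example that is not from the thread and not Vault's own code: a simplified model of how capabilities are resolved when a token carries both token policies and identity policies. The policy names, the `secret/data/app/...` paths and the rule that an orphan token is not tied to the caller's entity are assumptions of the model (the last one follows the observation in the question).

```python
# Simplified model of Vault capability resolution (constructed example, not
# Vault's implementation). Assumptions: only exact paths and trailing-"*"
# prefixes are matched, the longest matching rule in each policy wins, the
# capabilities of every attached policy are unioned, and "deny" beats all.
DENY = "deny"


def match_rule(policy, path):
    """Return the capabilities of the longest rule in one policy matching path."""
    best, best_len = None, -1
    for rule_path, caps in policy.items():
        if rule_path.endswith("*"):
            matched = path.startswith(rule_path[:-1])
        else:
            matched = path == rule_path
        if matched and len(rule_path) > best_len:
            best, best_len = caps, len(rule_path)
    return best


def capabilities(path, token_policies, identity_policies, policies):
    """Effective capabilities: union over token + identity policies, deny wins."""
    caps = set()
    for name in token_policies + identity_policies:
        matched = match_rule(policies[name], path)
        if matched:
            caps |= set(matched)
    return {DENY} if DENY in caps else caps


# Constructed policies (HCL-equivalent, written as dicts).
POLICIES = {
    # identity policy: the base permissions the entity always carries
    "app-base": {"secret/data/app/*": ["read", "list"]},
    # narrower policy requested for an automation child token
    "app-ci": {"secret/data/app/ci": ["read"]},
    # explicit deny, the workaround mentioned in the answer above
    "no-prod": {"secret/data/app/prod": ["deny"]},
}


def child_token_caps(path):
    # child token of a logged-in user: the entity's identity policies still apply
    return capabilities(path, ["app-ci"], ["app-base"], POLICIES)


def orphan_token_caps(path):
    # orphan token: assumed not tied to the entity, so only token policies apply
    return capabilities(path, ["app-ci"], [], POLICIES)


def denied_child_caps(path):
    # child token plus an explicit deny: the deny overrides the identity allow
    return capabilities(path, ["app-ci", "no-prod"], ["app-base"], POLICIES)
```

Running the three functions against `secret/data/app/prod` shows why the child token in the question kept its parent's rights, and how an orphan token or an explicit deny changes the outcome.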