I have a multi-tenancy project; each tenant can have multiple users and several admins. Now admins can set system credentials and users can have their own personal credentials (in our own Hashicorp/vault service).
We also allow our tenants to define their own Hashicorp/vault and give us some access (I'm still not sure of the best approach).
Now I was thinking of restricting access for each tenant to our own vault, but I don't know if I should define different policies, users, groups, or what! As I said, tenants can define their own vault as well, so I need to make it work with our private vault and tenant vaults.
What would be the best design for this?
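One concrete way to express the per-tenant and per-user split inside a single shared Vault, added here as an illustration and not part of the original question: Vault ACL policies can be templated on identity data, so a single policy can scope every path by metadata on the caller's identity entity instead of copying one policy per tenant. The example below assumes a KV v2 engine mounted at `secret/` and that every identity entity is created with a `tenant_id` metadata key (an assumed key name; `{{identity.entity.metadata.<key>}}` and `{{identity.entity.id}}` are Vault's own templating parameters). The two policies are shown in one fence with a comment marking each file.

```hcl
# ---- file: tenant-user.hcl (added example; attach to every tenant user) ----
# Assumes each identity entity carries metadata tenant_id = "<the tenant>" (assumed key).
# Vault policies are deny-by-default, so an entity without tenant_id resolves
# to a path under "secret/data/tenants//" that nothing is stored under.

# Personal credentials: a user can only touch the subtree keyed by their own entity id.
path "secret/data/tenants/{{identity.entity.metadata.tenant_id}}/users/{{identity.entity.id}}/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/metadata/tenants/{{identity.entity.metadata.tenant_id}}/users/{{identity.entity.id}}/*" {
  capabilities = ["list", "delete"]
}

# System credentials set by the tenant's admins: read-only for ordinary users.
path "secret/data/tenants/{{identity.entity.metadata.tenant_id}}/system/*" {
  capabilities = ["read"]
}
path "secret/metadata/tenants/{{identity.entity.metadata.tenant_id}}/system/*" {
  capabilities = ["list"]
}

# ---- file: tenant-admin.hcl (added example; attach via a per-tenant admin group) ----
# Admins keep the tenant-user policy too; this one only adds write access to
# the tenant's system credentials, still scoped by the caller's own tenant_id.
path "secret/data/tenants/{{identity.entity.metadata.tenant_id}}/system/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "secret/metadata/tenants/{{identity.entity.metadata.tenant_id}}/system/*" {
  capabilities = ["list", "delete"]
}
```

With this layout the answer to "policies or users or groups" becomes: two policies in total, attached to identity entities (every user) and to one identity group per tenant (that tenant's admins); the tenant boundary is carried by entity metadata, so no policy ever names a tenant explicitly and a user can never reach another tenant's subtree. The tenant-owned vaults are a separate trust boundary and would need their own credentials and policies on the tenant's side.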