
Grouper Structure for Namespace Management#

All groups are under Root/app/HCP Vaults in Grouper.

If all individuals within a CESI unit share the same secrets, the unit is provisioned with a single Default CESI Namespace. If a CESI unit has multiple subteams that need isolated secrets storage, it is provisioned with a default shared namespace for the whole unit plus one Subteam Namespace per subteam.

Warning

Do not place an individual in both the admin and general groups for a namespace. Vault attaches the policies of every group the user belongs to, and a deny capability in one policy takes precedence over a grant in another, so the user ends up with conflicting Vault permissions rather than the union of both roles.

Default CESI Namespace#

This structure shows the groups for a CESI unit that has no subteams and is provisioned with a single namespace in Vault.

app
└── HCP Vaults
    ├── ref
    │   └── [Unit Short ID]
    │       ├── adhoc_[unit]_admins
    │       └── adhoc_[unit]_users
    └── security
        └── [Unit Short ID]
            ├── [unit]_deny
            └── [unit]_updaters
  • Managers/Updaters [unit]_updaters - These individuals can manage the CESI unit's groups in Grouper but have no direct Vault access.
  • Admin Users adhoc_[unit]_admins - These individuals have admin-level access to the namespace in Vault.
  • General Users adhoc_[unit]_users - These individuals have general-level access to the namespace in Vault.

Subteam Namespaces#

This structure shows the groups for a CESI unit that has a subteam with its own human access requirements, served by a separate subteam Vault namespace. These units are provisioned with a shared namespace at the unit level plus one additional namespace per subteam.

Info

Certain subteam names are not available because Vault reserves them for its own structure: auth, cubbyhole, identity, secret and sys. CESI units also cannot create a secrets mount in their unit namespace with the same name as one of their subteams, because the subteam namespace already occupies that path.

app
└── HCP Vaults
    ├── ref
    │   └── [Unit Short ID]
    │       ├── adhoc_[unit]_admins
    │       ├── adhoc_[unit]_users
    │       └── [subteam]
    │           ├── adhoc_[subteam]_admins
    │           └── adhoc_[subteam]_users
    └── security
        └── [Unit Short ID]
            ├── [unit]_deny
            ├── [unit]_updaters
            └── [subteam]
                ├── [subteam]_deny
                └── [subteam]_updaters
  • Managers/Updaters - unit [unit]_updaters - These individuals can manage the CESI unit's groups in Grouper but have no direct Vault access.
  • Managers/Updaters - subteam [subteam]_updaters - These individuals can manage the subteam's groups in Grouper but have no direct Vault access.
  • Admin Users - unit adhoc_[unit]_admins - These individuals have admin-level access to the shared unit namespace in Vault.
  • Admin Users - subteam adhoc_[subteam]_admins - These individuals have admin-level access to the subteam namespace in Vault.
  • General Users - unit adhoc_[unit]_users - These individuals have general-level access to the shared unit namespace in Vault.
  • General Users - subteam adhoc_[subteam]_users - These individuals have general-level access to the subteam namespace in Vault.

Info

To access a subteam namespace, an individual must also hold either the general or the admin role in the parent CESI unit namespace. The roles in the unit and subteam namespaces do not need to match, and no permissions are inherited from the unit namespace into the subteam namespace: a unit admin who is only a general user in the subteam gets general-level access there.
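The three rules above (no individual in both the admin and general group of a namespace, no reserved subteam names, and every subteam member also holding a role in the parent unit) are easy to get wrong when groups are maintained by hand. The following script is an added example, not tooling from the Grouper or Vault setup described on this page. It assumes that Grouper memberships have already been exported into a mapping of full group path to member IDs, using the colon-separated stem notation that Grouper uses (for example app:HCP Vaults:ref:ITSEC:adhoc_itsec_admins); the unit ID ITSEC, the subteam names and the member IDs in the sample data are constructed.

```python
"""Consistency checks for the HCP Vaults group layout in Grouper.

Added example, not the page's own tooling. Assumes an export of
group path -> set of member IDs; the sample data below is constructed.
"""
from __future__ import annotations

import re

ROOT = "app:HCP Vaults"  # Grouper stem, colon separated (assumed export format)

# Names Vault reserves at the top of a namespace; a subteam cannot use them.
RESERVED_SUBTEAM_NAMES = {"auth", "cubbyhole", "identity", "secret", "sys"}

# ref:[Unit Short ID]:adhoc_[unit]_(admins|users)
UNIT_RE = re.compile(
    rf"^{re.escape(ROOT)}:ref:(?P<unit>[^:]+):adhoc_(?P<name>[^:]+)_(?P<role>admins|users)$"
)
# ref:[Unit Short ID]:[subteam]:adhoc_[subteam]_(admins|users)
SUB_RE = re.compile(
    rf"^{re.escape(ROOT)}:ref:(?P<unit>[^:]+):(?P<subteam>[^:]+):"
    rf"adhoc_(?P<name>[^:]+)_(?P<role>admins|users)$"
)


def check_vault_groups(groups: dict[str, set[str]]) -> list[str]:
    """Return human-readable findings for the ref/ groups in `groups`.

    Groups under security/ (updaters, deny) carry no Vault access and are
    ignored; anything that does not match the ref/ naming pattern is skipped.
    """
    # roles[(unit, subteam_or_None)] -> {"admins": members, "users": members}
    roles: dict[tuple[str, str | None], dict[str, set[str]]] = {}
    for path, members in groups.items():
        m = UNIT_RE.match(path) or SUB_RE.match(path)
        if not m:
            continue
        key = (m["unit"], m.groupdict().get("subteam"))
        roles.setdefault(key, {"admins": set(), "users": set()})
        roles[key][m["role"]] |= set(members)

    findings: list[str] = []
    for (unit, subteam), r in sorted(roles.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")):
        scope = unit if subteam is None else f"{unit}/{subteam}"

        # Rule 1: admin and general policies conflict; deny in one beats grants in the other.
        for user in sorted(r["admins"] & r["users"]):
            findings.append(f"{user} is in both admins and users for {scope}: conflicting Vault policies")

        if subteam is None:
            continue

        # Rule 2: subteam names that collide with Vault's reserved top-level paths.
        if subteam.lower() in RESERVED_SUBTEAM_NAMES:
            findings.append(f"subteam name '{subteam}' in unit {unit} is reserved by Vault")

        # Rule 3: subteam members must hold a role in the parent unit namespace.
        parent = roles.get((unit, None), {"admins": set(), "users": set()})
        parent_members = parent["admins"] | parent["users"]
        for user in sorted((r["admins"] | r["users"]) - parent_members):
            findings.append(f"{user} is in subteam {scope} but has no role in the parent unit namespace")
    return findings


# Constructed sample export: one unit (ITSEC) with two subteams.
SAMPLE_GROUPS: dict[str, set[str]] = {
    f"{ROOT}:ref:ITSEC:adhoc_itsec_admins": {"alice", "bob"},
    f"{ROOT}:ref:ITSEC:adhoc_itsec_users": {"bob", "carol", "dave"},   # bob is in both
    f"{ROOT}:ref:ITSEC:soc:adhoc_soc_admins": {"carol"},
    f"{ROOT}:ref:ITSEC:soc:adhoc_soc_users": {"erin"},                # erin not in parent
    f"{ROOT}:ref:ITSEC:sys:adhoc_sys_users": {"dave"},                # reserved name
    f"{ROOT}:security:ITSEC:itsec_updaters": {"frank"},               # ignored, no Vault access
}

if __name__ == "__main__":
    for line in check_vault_groups(SAMPLE_GROUPS):
        print(line)
```

Run against the sample data the script reports three findings: bob's dual membership, the reserved subteam name sys, and erin's missing parent-unit role. The security/ updaters group is deliberately ignored, matching the page's statement that updaters have no direct Vault access.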

Vault User Permissions#

Refer to the Vault Permissions page for more information on what policies are assigned to each user group.


Vault Owners#

  • Internal group for the secrets management team that is inserted into every namespace to provide visibility for administrative purposes.
    • Secrets and other sensitive information are not accessible to Vault owners, with the exception of the central_admin_escalation_access policy.
  • Administrative permissions to manage leases and delete tokens.
  • Ability to escalate to an elevated policy in scenarios where higher-level administrative privileges are required.

Admin Users#

  • Broad access to all Vault operations within a namespace, excluding the sys/* mount path.
  • Specific access to a limited number of paths within the sys/* mount path.
  • Ability to create and configure new auth methods (excluding human auth) and secrets engines (excluding ad, ldap, and additional kv-v2 engines).

General Users#

  • Limited read/list Vault operations within a namespace, excluding the sys/* and auth/* mount paths.
  • Specific read/list access to a limited number of paths within the sys/* and auth/* mount paths.
  • CRUD access to manage secrets in the default kv-v2 secrets engine mounted at secret/*.
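To make the General Users description concrete, here is an added illustrative Vault ACL policy shaped like that role. It is not the policy the page refers to (the actual policies are on the Vault Permissions page); the specific sys/ and auth/ exceptions listed are assumptions chosen to keep a user's own token usable, and the kv-v2 sub-paths (data, metadata, delete, undelete, destroy) are the ones Vault exposes for a kv-v2 engine mounted at secret/.

```hcl
# Added example of a General Users style policy. Not the page's own policy.
# Vault picks the longest matching path rule, and a "deny" always wins when
# policies are merged, which is why sys/ and auth/ are carved out explicitly.

# Full CRUD on the default kv-v2 engine mounted at secret/
path "secret/data/*"     { capabilities = ["create", "read", "update", "delete", "list"] }
path "secret/metadata/*" { capabilities = ["read", "list", "delete"] }
path "secret/delete/*"   { capabilities = ["update"] }
path "secret/undelete/*" { capabilities = ["update"] }
path "secret/destroy/*"  { capabilities = ["update"] }

# Limited read/list everywhere else in the namespace
path "*" { capabilities = ["read", "list"] }

# System and auth paths are off limits by default
path "sys/*"  { capabilities = ["deny"] }
path "auth/*" { capabilities = ["deny"] }

# Assumed read-only exceptions so a user can see mounts and manage their own token
path "sys/mounts"             { capabilities = ["read"] }
path "auth/token/lookup-self" { capabilities = ["read"] }
path "auth/token/renew-self"  { capabilities = ["update"] }
```

Because Vault merges the policies of every group a user belongs to, the two deny rules above explain the warning at the top of this page: a user placed in both the general and the admin group keeps these denies on sys/* and auth/*, and any admin grant on exactly those paths is overridden rather than added.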