Vault Permissions#
Vault Policy Overview#
The tables below showcase access for each user group within Vault. Namespace General & Admin Users are controlled per namespace via grouper whereas Central Admin Users represents the Secrets Management Team.
Access Control Table Guide#
- Policy explicitly allowing this path
- Policy explicitly denying this path
- Inherited allow
- Inherited or default deny
Admin Access Control Table#
| Permission | Namespace General Users | Namespace Admin Users | Central Admin Users1 | Central Admin Users Escalation1 | Description |
|---|---|---|---|---|---|
* |
RL |
CRUDLSP |
|
* |
Overall access to namespaces auth & secrets engines |
sys/* |
|
|
|
* |
Broad access to sys path |
auth/* |
|
CRUDLSP |
|
* |
Broad access to auth path |
sys/namespaces/* |
|
|
RL |
* |
View namespaces |
auth/token/* |
|
CRUDLSP |
RUDL |
* |
Manage tokens |
auth/token/revoke |
|
CRUDLSP |
CU |
* |
Revoke tokens |
sys/leases/* |
RL |
CRUDLS |
CRUDL |
* |
Manage leases |
sys/health |
|
|
RS |
* |
View vault health |
identity/* |
RL |
RL |
RL |
* |
View vault identities & groups |
identity/entity/* |
RL |
RDL |
RL |
* |
View and delete entities |
identity/group/* |
RL |
RUL |
RL |
* |
View and update vault groups |
sys/internal/counters/activity |
|
R |
|
* |
View client count |
sys/license/status |
|
R |
|
* |
View client count on dashboard |
1 Central Admin permissions apply to all namespaces.
Auth Access Control Table#
| Permission | Namespace General Users | Namespace Admin Users | Central Admin Users1 | Central Admin Users Escalation1 | Description |
|---|---|---|---|---|---|
sys/auth |
R |
R |
R |
* |
List auth methods |
sys/auth/* |
R |
CRUDS |
|
* |
Manage auth methods2 |
auth/+/role |
L |
CRUDLSP |
L |
* |
List auth roles |
auth/+/role/* |
R |
CRUDLSP |
R |
* |
Manage auth roles |
auth/+/config |
R |
CRUDLSP |
R |
* |
Manage auth configs |
1 Central Admin permissions apply to all namespaces.
2All auth methods excluding human auth methods: ldap, github, saml, userpass & okta.
Policy Access Control Table#
| Permission | Namespace General Users | Namespace Admin Users | Central Admin Users1 | Central Admin Users Escalation1 | Description |
|---|---|---|---|---|---|
sys/policies/acl |
L |
L |
L |
* |
List policies |
sys/policies/acl/* |
R |
CRUDLS |
R |
* |
Manage policies2 |
1 Central Admin permissions apply to all namespaces.
2 Namespace Admin Users are blocked from editing central_admin_access, central_admin_escalation_access, CESI_admin_access & CESI_user_access policies.
Secrets Mounts Access Control Table#
| Permission | Namespace General Users | Namespace Admin Users | Central Admin Users1 | Central Admin Users Escalation1 | Description |
|---|---|---|---|---|---|
sys/mounts |
R |
R |
R |
* |
List secrets engines |
sys/mounts/* |
RL |
CRUDLS |
|
* |
Manage secrets engines 2 |
sys/mounts/secret |
RL |
RUL |
|
* |
Prevent deletion of secrets mount |
secret/* |
CRUDLP |
CRUDLSP |
|
* |
CRUDL Secrets 3 |
1 Central Admin permissions apply to all namespaces.
2 All secrets engines excluding AD & LDAP.
3 General users have CRUDL access only to the pre-created kv-v2 engine mounted at secret/*. Administrative users have wide access to all secrets engines through the * permission in the Admin Access Control Table
Permission Types#
- C - Create
- R - Read
- U - Update
- D - Delete
- L - List
- S - Sudo
- P - Patch
Policy Priority Matching#
For two policies (P1 & P2) that both apply to a certain path, the following conditions are evaluated to determine which policy has a higher priority and is thus applied. Once a condition is matched, that condition is applied and the rest are not evaluated.
- If the first wildcard (+) or glob (*) occurs earlier in
P1,P1is lower priority - If
P1ends in * andP2doesn't,P1is lower priority - If
P1has more + (wildcard) segments,P1is lower priority - If
P1is shorter, it is lower priority - If
P1is smaller lexicographically, it is lower priority
See HashiCorp Developer Documentation for more info.