Vault Permissions
Vault Policy Overview
The tables below show the access granted to each user group within Vault.
Admin Access Control Table
Group columns, left to right: CESI General Users, CESI Admin Users, Central Admin Users¹, Central Admin Users Escalation¹. Each row lists only the groups that have an entry for that path.
Permission | Capabilities (by group, left to right) | Description
---|---|---
* | RL, CRUDLSP, * | Overall access to namespaces, auth & secrets engines
sys/* | DENY, DENY | Deny broad access to sys path
auth/* | DENY | Deny broad access to auth path
sys/namespaces/* | RL, * | View namespaces
auth/token/* | RUDL, * | Manage tokens
auth/token/revoke | CU, * | Revoke tokens
sys/leases/* | RL, CRUDLS, CRUDL, * | Manage leases
sys/health | RS, * | View vault health
identity/* | RL, RDL, RL, * | View vault identities & groups
identity/entity/* | RDL, * | View and delete entities
identity/group/* | RUL, * | View and update vault groups
sys/sync/* | CRUD, * | Manage Secrets Sync

¹ Central Admin permissions apply to all namespaces.
Auth Access Control Table
Group columns, left to right: CESI General Users, CESI Admin Users, Central Admin Users¹, Central Admin Users Escalation¹. Each row lists only the groups that have an entry for that path.
Permission | Capabilities (by group, left to right) | Description
---|---|---
sys/auth | R, R, R, * | List auth methods
sys/auth/* | R, CRUDS, * | Manage auth methods²
auth/+/role | L, L, * | List auth roles
auth/+/role/* | R, R, * | Manage auth roles
auth/+/config/* | R, R, * | Manage auth configs

¹ Central Admin permissions apply to all namespaces.
² All auth methods excluding human auth methods: ldap, github, saml, userpass & okta.
Policy Access Control Table
Group columns, left to right: CESI General Users, CESI Admin Users, Central Admin Users¹, Central Admin Users Escalation¹. Each row lists only the groups that have an entry for that path.
Permission | Capabilities (by group, left to right) | Description
---|---|---
sys/policies/acl | L, L, L, * | List policies
sys/policies/acl/* | R, CRUDLS, R, * | Manage policies²
sys/policies/acl/central_admin_escalation_access | UR³, * | Elevate privileges

¹ Central Admin permissions apply to all namespaces.
² CESI Admin Users are blocked from editing the central_admin_access, central_admin_escalation_access, CESI_admin_access & CESI_user_access policies.
³ Central Admin Users can add whatever policies to this ACL are needed to elevate privileges.
Secrets Mounts Access Control Table
Group columns, left to right: CESI General Users, CESI Admin Users, Central Admin Users¹, Central Admin Users Escalation¹. Each row lists only the groups that have an entry for that path.
Permission | Capabilities (by group, left to right) | Description
---|---|---
sys/mounts | R, R, R, * | List secrets engines
sys/mounts/* | RL, CRUDLS, * | Manage secrets engines²
sys/mounts/secret | RUL, * | Prevent deletion of secrets mount
secret/* | CRUDLP, * | CRUDL secrets³

¹ Central Admin permissions apply to all namespaces.
² All secrets engines excluding AD & LDAP.
³ General users have CRUDL access only to the pre-created kv-v2 engine mounted at secret/*. Administrative users have wide access to all secrets engines through the * permission in the Admin Access Control Table.
Permission Types
- C - Create
- R - Read
- U - Update
- D - Delete
- L - List
- S - Sudo
- P - Patch
Policy Priority Matching
For two policies (P1 & P2) that both apply to a certain path, the following conditions are evaluated to determine which policy has the higher priority and is thus applied. Once a condition is matched, that condition is applied and the rest are not evaluated.
- If the first wildcard (+) or glob (*) occurs earlier in P1, P1 is lower priority
- If P1 ends in * and P2 doesn't, P1 is lower priority
- If P1 has more + (wildcard) segments, P1 is lower priority
- If P1 is shorter, it is lower priority
- If P1 is smaller lexicographically, it is lower priority
See HashiCorp Developer Documentation for more info.
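As an added example (not part of this page and not Vault's own code), the Python below applies the five priority rules in order to a constructed rule set built from paths in the tables above, and shows the exact path sys/mounts/secret outranking sys/mounts/*, which is how the "Prevent deletion of secrets mount" row takes effect despite CRUDLS on the wildcard. The function names, the RULES set and the matching semantics (+ matches exactly one segment, a trailing * is a prefix glob, and a wildcard-free path wins rule 1) are assumptions of this example, chosen to follow Vault's documented behaviour.

```python
from functools import cmp_to_key

CAP_LETTERS = {"C": "create", "R": "read", "U": "update", "D": "delete",
               "L": "list", "S": "sudo", "P": "patch"}

def expand_caps(abbrev):
    """Map the tables' letter codes (e.g. 'RUL') to Vault capability names."""
    return ["deny"] if abbrev == "DENY" else [CAP_LETTERS[c] for c in abbrev]

def path_matches(pattern, path):
    """Vault-style match: '+' is exactly one segment, a trailing '*' is a prefix glob."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    rseg = path.split("/")
    if len(rseg) < len(pseg) or (not glob and len(rseg) != len(pseg)):
        return False
    if not all(p in ("+", r) for p, r in zip(pseg[:-1], rseg)):
        return False
    last, rlast = pseg[-1], rseg[len(pseg) - 1]
    return last == "+" or (rlast.startswith(last) if glob else rlast == last)

def first_wildcard(p):
    # A path with no '+' or '*' is scored 'infinitely late' so that an exact rule
    # outranks every wildcard rule under rule 1 (assumption of this example).
    hits = [i for i, c in enumerate(p) if c in "+*"]
    return hits[0] if hits else float("inf")

def compare_priority(p1, p2):
    """-1 if p1 is lower priority than p2, 1 if higher, 0 if identical; stops at
    the first rule that tells the two paths apart, as described above."""
    checks = (
        (first_wildcard(p1), first_wildcard(p2)),                # 1: earlier wildcard -> lower
        (int(not p1.endswith("*")), int(not p2.endswith("*"))),  # 2: ends in '*' -> lower
        (-p1.split("/").count("+"), -p2.split("/").count("+")),  # 3: more '+' segments -> lower
        (len(p1), len(p2)),                                      # 4: shorter -> lower
        (p1, p2),                                                # 5: lexicographically smaller -> lower
    )
    for a, b in checks:
        if a != b:
            return -1 if a < b else 1
    return 0

def effective_rule(path, rules):
    """(pattern, capabilities) of the highest-priority rule matching path, or None."""
    candidates = [p for p in rules if path_matches(p, path)]
    winner = max(candidates, key=cmp_to_key(compare_priority), default=None)
    return None if winner is None else (winner, rules[winner])

# Constructed rule set using paths from the tables above; not any real group's policy.
RULES = {"*": "CRUDLSP", "sys/*": "DENY", "sys/mounts/*": "CRUDLS", "sys/mounts/secret": "RUL"}
```

With this rule set, effective_rule("sys/mounts/secret", RULES) resolves to the exact path with RUL (no delete), while sys/mounts/kv-team falls through to sys/mounts/* with CRUDLS and sys/health hits the sys/* DENY.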