# Vault Permissions

## Vault Policy Overview

The tables below show the access each user group holds in Vault. Membership of the Namespace Users and Namespace Admins groups is controlled per namespace via Grouper.
### Access Control Table Guide

Each cell in the tables carries one of four states:

- Policy explicitly allowing this path (the cell lists the granted capabilities using the letters defined under Permission Types)
- Policy explicitly denying this path
- Inherited allow (no rule on this exact path; access comes from a broader rule such as `*`)
- Inherited or default deny (no rule on this path and nothing broader grants it)

A cell that shows no capability letters therefore means there is no explicit policy rule for that group on that path: the effective access is whatever the closest broader rule grants, or deny by default. Which rule is "closest" is decided by the priority matching rules at the end of this page.
### Admin Access Control Table

| Permission | Namespace Users | Namespace Admins | Secrets Management Team¹ | Description |
|---|---|---|---|---|
| `*` | | RL | CRUDLSP | Overall access to the namespace's auth and secrets engines |
| `sys/*` | | | | Broad access to the sys path |
| `auth/*` | | CRUDLSP | | Broad access to the auth path |
| `sys/namespaces/*` | | RL | | View namespaces |
| `auth/token/*` | | CRUDLSP | RUDL | Manage tokens |
| `auth/token/revoke` | | CRUDLSP | CU | Revoke tokens |
| `sys/leases/*` | RL | CRUDLS | CRUDL | Manage leases |
| `sys/health` | | RS | | View Vault health |
| `identity/*` | RL | RL | RL | View Vault identities and groups |
| `identity/entity/*` | RL | RDL | RL | View and delete entities |
| `identity/group` | RL | CRUDL | RL | View and create Vault groups |
| `identity/group/*` | RL | CRUDL | RL | Manage Vault groups |
| `identity/group/name/{CESI}_admin_users_internal` | R | R | R | View internal admin group |
| `identity/group/name/{CESI}_general_users_internal` | R | R | R | View internal general group |
| `identity/group/id/{CESI_admin_users_ID}` | R | R | R | View internal admin group via ID |
| `identity/group/id/{CESI_general_users_ID}` | R | R | R | View internal general group via ID |
| `sys/internal/counters/activity` | | R | | View client count |
| `sys/license/status` | | R | | View client count on dashboard |

¹ The Secrets Management Team also maintains break-glass access to all operations in Vault; the column above shows only its everyday policy.
### Auth Access Control Table

| Permission | Namespace Users | Namespace Admins | Secrets Management Team | Description |
|---|---|---|---|---|
| `sys/auth` | R | R | R | List auth methods |
| `sys/auth/*` | R | CRUDS | | Manage auth methods¹ |
| `auth/+/role` | L | CRUDLSP | L | List auth roles |
| `auth/+/role/*` | R | CRUDLSP | R | Manage auth roles |
| `auth/+/config` | R | CRUDLSP | R | Manage auth configs |

¹ All auth methods excluding the human auth methods `ldap`, `github`, `saml`, `userpass`, `okta` and `radius`. Also excludes `approle`, as a single AppRole mount is pre-created for each namespace at the `approle/` path.
### Policy Access Control Table

| Permission | Namespace Users | Namespace Admins | Secrets Management Team | Description |
|---|---|---|---|---|
| `sys/policies/acl` | L | L | L | List policies |
| `sys/policies/acl/*` | R | CRUDLS | R | Manage policies¹ |

¹ Namespace Admins are blocked from editing centrally maintained user access policies.
### Secrets Mounts Access Control Table

| Permission | Namespace Users | Namespace Admins | Secrets Management Team | Description |
|---|---|---|---|---|
| `sys/mounts` | R | R | R | List secrets engines |
| `sys/mounts/*` | RL | CRUDLS | | Manage secrets engines |
| `sys/mounts/secret` | RL | RUL | | Prevent deletion of the `secret/` mount (no D on the exact mount path) |
| `secret/*` | CRUDLP | CRUDLSP | | Access secrets¹ |

¹ General users have CRUDLP access only to the pre-created KV v2 engine mounted at `secret/`. Administrative users have wide access to all secrets engines through the `*` permission in the Admin Access Control Table.
## Permission Types

- C - Create
- R - Read
- U - Update
- D - Delete
- L - List
- S - Sudo (required on root-protected paths, for example `sys/` tuning endpoints)
- P - Patch (partial update; used by KV v2)

An explicit `deny` is also a capability: it overrides every other capability granted on the same path and is what the "explicitly denying" state in the table guide refers to.
## Policy Priority Matching

For two policy paths (P1 and P2) that both match a requested path, the following rules are evaluated in order to decide which has the higher priority and is therefore applied. The first rule that distinguishes the two paths decides; the remaining rules are not evaluated.

- If the first wildcard (`+`) or glob (`*`) occurs earlier in P1, P1 is lower priority
- If P1 ends in `*` and P2 doesn't, P1 is lower priority
- If P1 has more `+` (wildcard) segments, P1 is lower priority
- If P1 is shorter, it is lower priority
- If P1 is smaller lexicographically, it is lower priority

If two policies attached to the same token contain the identical path, their capabilities are merged, and an explicit `deny` takes precedence over any allow.

See the HashiCorp Developer Documentation for more information.
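Added worked example, not code from this page or from Vault itself: the Python below implements the five rules above as a comparator, together with the path matching they presuppose (`+` matches exactly one path segment, a trailing `*` matches any suffix, and a pattern with neither must match exactly), and resolves the effective capabilities for a rule set constructed from rows of the tables above. The rule set is illustrative rather than a verbatim copy of any one group's policy, the explicit deny on `auth/ldap/role/*` is hypothetical, and the resolver assumes the merge behaviour stated above for an identical path appearing in several policies (capabilities are unioned, `deny` wins).

```python
import math
from functools import cmp_to_key

# Constructed rule set for illustration, drawn from rows of the tables above
# (RL on "*", CRUDLS on sys/mounts/*, RUL on sys/mounts/secret, CRUDLSP on
# secret/*, L/R on the auth/+/role rows). The explicit deny on
# auth/ldap/role/* is hypothetical and only demonstrates deny precedence.
RULES = [
    ("*",                 {"read", "list"}),
    ("sys/mounts/*",      {"create", "read", "update", "delete", "list", "sudo"}),
    ("sys/mounts/secret", {"read", "update", "list"}),
    ("secret/*",          {"create", "read", "update", "delete", "list", "sudo", "patch"}),
    ("auth/+/role",       {"list"}),
    ("auth/+/role/*",     {"read"}),
    ("auth/ldap/role/*",  {"deny"}),   # hypothetical explicit deny
]


def first_wildcard(pattern):
    """Index of the first '+' or '*' in the pattern; inf when it has none."""
    for i, ch in enumerate(pattern):
        if ch in "+*":
            return i
    return math.inf


def compare_priority(p1, p2):
    """The five priority rules, evaluated in order for two patterns that both
    match a path. Returns -1 when p1 is lower priority than p2, 1 when higher,
    0 when the patterns are identical."""
    w1, w2 = first_wildcard(p1), first_wildcard(p2)
    if w1 != w2:                       # 1. earlier wildcard/glob => lower
        return -1 if w1 < w2 else 1
    g1, g2 = p1.endswith("*"), p2.endswith("*")
    if g1 != g2:                       # 2. ends in '*' while the other doesn't => lower
        return -1 if g1 else 1
    c1, c2 = p1.split("/").count("+"), p2.split("/").count("+")
    if c1 != c2:                       # 3. more '+' segments => lower
        return -1 if c1 > c2 else 1
    if len(p1) != len(p2):             # 4. shorter => lower
        return -1 if len(p1) < len(p2) else 1
    if p1 != p2:                       # 5. lexicographically smaller => lower
        return -1 if p1 < p2 else 1
    return 0


def matches(pattern, path):
    """Does a policy path pattern cover a request path? '+' matches exactly one
    segment; a trailing '*' matches any remaining suffix (including further
    segments); otherwise the pattern must match segment for segment."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    seg = path.split("/")
    if glob:
        if len(seg) < len(pseg):
            return False
        head = all(p == "+" or p == s for p, s in zip(pseg[:-1], seg))
        return head and seg[len(pseg) - 1].startswith(pseg[-1])
    return len(pseg) == len(seg) and all(p == "+" or p == s for p, s in zip(pseg, seg))


def effective_capabilities(rules, path):
    """Resolve what a token holding `rules` (from all of its policies) may do on
    `path`: the highest-priority matching pattern wins, rules on the identical
    pattern are merged, and an explicit deny beats every allow."""
    matching = [(pat, caps) for pat, caps in rules if matches(pat, path)]
    if not matching:
        return frozenset()             # no rule at all: default deny
    best = max((pat for pat, _ in matching), key=cmp_to_key(compare_priority))
    merged = set()
    for pat, caps in matching:
        if pat == best:
            merged |= set(caps)
    if "deny" in merged:
        return frozenset({"deny"})
    return frozenset(merged)


if __name__ == "__main__":
    for p in ("sys/mounts/secret", "sys/mounts/secret/tune", "sys/mounts/kv-team",
              "auth/ldap/role/dev", "auth/github/role/dev", "sys/health"):
        print(f"{p:28} -> {sorted(effective_capabilities(RULES, p))}")
```

Two things the resolution makes visible. The exact-path `sys/mounts/secret` rule outranks `sys/mounts/*` (rule 1: its first wildcard occurs "later", because it has none) and so drops `delete` for that mount, but it covers only that exact path, so `sys/mounts/secret/tune` still resolves to the broader `sys/mounts/*` rule. And the protection holds only while no other policy attached to the same token grants `delete` on the identical `sys/mounts/secret` path, since rules on an identical path are merged.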