How to give permissions to all the policy ids and variables mentioned below through one host id (apikey)

- !policy
  id: '123'
  body:
  - !policy
    id: '321'
    body:
    - !variable
      id: var1
    - !variable
      id: var2
    - !variable
      id: var3
- !policy
  id: a
  body:
  - !policy
    id: b
    body:
    - !policy
      id: c
      body:
      - !policy
        id: d
        body:
        - !policy
          id: e
          body:
          - !policy
            id: f
            body:
            - !policy
              id: g
              body:
              - !variable
                id: var1
- !policy
  id: different
  body:
  - !policy
    id: datatypes
    body:
    - !variable
      id: mydict
    - !variable
      id: mylist
- !policy
  id: empty
  body: []
- !policy
  id: my-secret
  body:
  - !policy
    id: app1
    body:
    - !variable
      id: app1pword
    - !variable
      id: app1uname
  - !policy
    id: app2
    body:
    - !variable
      id: app2pword
    - !variable
      id: app2uname
  - !variable
    id: mypassword
  - !variable
    id: myusername

- !host
  id: apikey

Bump. We’re looking to permit the host to have wildcard access to all secrets under the same policy.


Help will be appreciated.


Good morning @poshriva and @alwye,

As far as I am aware, the only way to provide permissions to multiple secrets at once is by declaring variables in the same policy branch as a unit. See the Conjur documentation Policy Statement Reference for Variables.

I’ll look into whether this can be used in some of the example policies you provided here.


Thanks John for your comment!

We have been using nested policies and I have been trying to get info from this document:
https://docs.cyberark.com/Product-Doc/OnlineHelp/AAM-DAP/Latest/en/Content/Operations/Policy/statement-ref-policy.htm?TocPath=Fundamentals|Policy%20Management|Policy%20Statement%20Reference|_____9
Do you think adding groups would help?

Hey John. We were trying to avoid that method as it’s not very flexible.

Ended up assigning “!host apikey” as an owner of each policy at the first level. This is an example of a generated file:

- !host 'apikey'
- !policy
  id: a
  owner: !host 'apikey'
  body:
  - !policy
    id: b
    body:
    - !policy
      id: c
      body:
      - !policy
        id: d
        body:
        - !policy
          id: e
          body:
          - !policy
            id: f
            body:
            - !policy
              id: g
              body:
              - !variable 'var1'
- !policy
  id: different
  owner: !host 'apikey'
  body:
  - !policy
    id: datatypes
    body:
    - !variable 'mydict'
    - !variable 'mylist'
- !policy
  id: empty
  owner: !host 'apikey'
  body: []
- !policy
  id: my-secret
  owner: !host 'apikey'
  body:
  - !policy
    id: app1
    body:
    - !variable 'app1pword'
    - !variable 'app1uname'
  - !policy
    id: app2
    body:
    - !variable 'app2pword'
    - !variable 'app2uname'

Unless there’s a more elegant way of doing it, this topic may be closed.

Hi @alwye,

Sounds like you have a working solution. Have you considered adding one more, top-level policy above the policies you’ve already defined, and just assign apikey as owner of that top-level policy? For example, the following uses a top-level policy named top-level:

- !host 'apikey'
- !policy
  id: top-level
  owner: !host 'apikey'
  body:
  - !policy
    id: a
    body:
    - !policy
      id: b
      body:
      - !policy
        id: c
        body:
        - !policy
          id: d
          body:
          - !policy
            id: e
            body:
            - !policy
              id: f
              body:
              - !policy
                id: g
                body:
                - !variable 'var1'
  - !policy
    id: different
    body:
    - !policy
      id: datatypes
      body:
      - !variable 'mydict'
      - !variable 'mylist'
  - !policy
    id: empty
    body: []
  - !policy
    id: my-secret
    body:
    - !policy
      id: app1
      body:
      - !variable 'app1pword'
      - !variable 'app1uname'
    - !policy
      id: app2
      body:
      - !variable 'app2pword'
      - !variable 'app2uname'

-Dane

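Both workarounds in this thread rely on the same mechanism: the owner of a policy is a member of that policy's role, the policy role owns every record declared in its body, and an owner holds every privilege on what it owns, so ownership cascades down the tree. The script below is an added example, not code from the thread, from CyberArk or from the Conjur project: it loads a policy file with PyYAML, expands nested policy ids into full resource ids and climbs the ownership chain to list which variables a role can fetch. The rules it applies are a simplified reading of Conjur's ownership model (an assumption, not an official API), `user:admin` is assumed as the owner of root-level records, and the two embedded policies are constructed inputs trimmed from the ones posted above.

```python
"""Check which Conjur variables a role can reach through policy ownership.

Added example, not code from the thread or from CyberArk. Assumed,
simplified Conjur rules:
  * a record in a policy body is owned by that policy's role
    ("policy:<full id>") unless it carries an explicit `owner:`;
  * the owner of a role is a member of that role, so ownership is
    transitive down the policy tree;
  * an owner holds every privilege on the object, `execute` included.
Requires: pip install pyyaml
"""
import yaml

ROOT_OWNER = "user:admin"  # assumed owner of records at the policy root


def _tagged(loader, tag_suffix, node):
    """Build a plain dict for `!policy {...}` or `!variable name` nodes."""
    if isinstance(node, yaml.ScalarNode):
        return {"kind": tag_suffix, "id": loader.construct_scalar(node)}
    data = loader.construct_mapping(node, deep=True)
    data["kind"] = tag_suffix
    return data


class PolicyLoader(yaml.SafeLoader):
    """SafeLoader that understands Conjur's !policy / !variable / !host tags."""


PolicyLoader.add_multi_constructor("!", _tagged)


def load_policy(text):
    return yaml.load(text, Loader=PolicyLoader) or []


def role_id(ref):
    """'host:apikey' for {'kind': 'host', 'id': 'apikey'}."""
    return f"{ref['kind']}:{ref['id']}"


def owner_map(items, prefix="", parent=ROOT_OWNER, out=None):
    """Map every resource id ('variable:a/b/var1') to the role that owns it."""
    if out is None:
        out = {}
    for item in items:
        full = f"{prefix}{item['id']}"
        owner = role_id(item["owner"]) if "owner" in item else parent
        out[f"{item['kind']}:{full}"] = owner
        if item["kind"] == "policy":
            # Records inside the body default to the policy's own role.
            owner_map(item.get("body") or [], f"{full}/", f"policy:{full}", out)
    return out


def owns_transitively(owners, role, resource):
    """True if `role` appears anywhere in the ownership chain above `resource`."""
    current, seen = owners.get(resource), set()
    while current is not None and current not in seen:
        if current == role:
            return True
        seen.add(current)
        current = owners.get(current)  # climb: who owns the owning policy?
    return False


def reachable_variables(policy_text, role):
    """Sorted full ids of the variables `role` can fetch by ownership alone."""
    owners = owner_map(load_policy(policy_text))
    return sorted(res.split(":", 1)[1] for res in owners
                  if res.startswith("variable:") and owns_transitively(owners, role, res))


# Constructed inputs, trimmed from the policies posted in the thread.
NO_OWNER = """\
- !policy
  id: my-secret
  body:
  - !variable mypassword
- !host apikey
"""

TOP_LEVEL_OWNER = """\
- !host apikey
- !policy
  id: top-level
  owner: !host apikey
  body:
  - !policy
    id: a
    body:
    - !policy
      id: b
      body:
      - !variable var1
  - !policy
    id: my-secret
    body:
    - !variable mypassword
"""

if __name__ == "__main__":
    print("no owner:", reachable_variables(NO_OWNER, "host:apikey"))
    print("top-level owner:", reachable_variables(TOP_LEVEL_OWNER, "host:apikey"))
```

Run against the first policy the host reaches nothing, because the chain above `variable:my-secret/mypassword` ends at `user:admin` without passing through `host:apikey`; against the second it reaches both variables. The check only models ownership, not `!permit` or `!grant` statements, so it answers the question this thread asks and nothing more. Two caveats worth keeping in mind when adopting either workaround: ownership is far broader than `read`/`execute` (the host can also update every variable and load policy beneath the policies it owns), and a static check like this one is no substitute for confirming the effective privileges with the Conjur CLI as that host after the policy is loaded.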