Identity rights
Rights restrict what an identity is allowed to do.
There are three areas of rights:
- System-related
- Identity-related
- Secret-related
System-related Rights
These are rights to manage the Vault itself.
- Change name
Possibly in the future:
- Set system-wide restrictions (such as the maximum number of identities, passwords, etc.).
Currently only one right is allowed here: SYSTEM.>
Identity-related
Rights of an identity to create other identities.
Again, there is currently only one permitted right: IDENTITY.>
Secret-related
Secret-related rights are prefixed with VALUES.
There are two types of rights:
- Permissions that give the identity access to secrets.
- In combination with the right IDENTITY.>: the accesses that the identity is allowed to pass on to other identities as inherited permissions.
Right structure
Rights are split into levels by dots.
Each dot introduces a sublevel. A few examples:
VALUES.level1.b.c
VALUES.level2.d.e
For compatibility across clients, we recommend using ASCII characters.
Recommended characters: a to z, A to Z and 0 to 9 (names are case sensitive, and cannot contain whitespace).
Special characters: the period . (which separates a right into levels) and * and > (which are used as wildcards).
Same-level wildcard
The first wildcard is *, which matches any characters on the same level.
For example:
- VALUES.A.*
* matches any word on the same level, but cannot match a deeper sublevel.
Allowed: VALUES.A.B
Not allowed: VALUES.A.B.C
Multi-level wildcard
The second wildcard is >, which matches any characters on the same level and on every sublevel below it.
For example:
- VALUES.A.>
> matches any word on any deeper level.
Allowed: VALUES.A.B.C.D
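The following matcher is an added example written for this page, not code from the vault project itself. It implements the dotted right structure and the two wildcards described above: * matches exactly one level, > matches everything below it. Two details the page does not state are treated as assumptions and marked in the code: > is only accepted as the last level of a right, and VALUES.A.> does not cover the bare VALUES.A (at least one deeper level must exist). The held rights in the usage section are constructed sample data.

```python
import re

# Recommended name characters from the page: a-z, A-Z, 0-9 (case sensitive, no whitespace).
# '.' separates levels; '*' and '>' are the wildcards.
_SEGMENT = re.compile(r"^[A-Za-z0-9]+$")


def parse_right(right: str) -> list[str]:
    """Split a dotted right into its levels and validate every segment.

    A segment is a literal name, the same-level wildcard '*', or the
    multi-level wildcard '>'. Assumption (not stated on the page): '>' is
    only valid as the last segment, since it consumes every deeper level.
    """
    if not right or right != right.strip():
        raise ValueError(f"invalid right: {right!r}")
    segments = right.split(".")
    for i, seg in enumerate(segments):
        if seg in ("*", ">"):
            if seg == ">" and i != len(segments) - 1:
                raise ValueError(f"'>' must be the last level: {right!r}")
            continue
        if not _SEGMENT.match(seg):
            raise ValueError(f"invalid level {seg!r} in {right!r}")
    return segments


def right_matches(pattern: str, requested: str) -> bool:
    """Return True if the granted `pattern` covers the concrete `requested` right.

    '*' matches exactly one level; '>' matches one or more remaining levels
    (assumption: 'VALUES.A.>' does not cover the bare 'VALUES.A').
    """
    pat = parse_right(pattern)
    req = parse_right(requested)
    if any(s in ("*", ">") for s in req):
        raise ValueError("requested right must be concrete (no wildcards)")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(req) > i          # at least one deeper level exists
        if i >= len(req):
            return False                 # pattern is longer than the request
        if seg != "*" and seg != req[i]:
            return False                 # literal level differs
    return len(pat) == len(req)          # '*' may not swallow trailing levels


def is_granted(granted: list[str], requested: str) -> bool:
    """Check a requested right against every right an identity holds."""
    return any(right_matches(p, requested) for p in granted)


if __name__ == "__main__":
    # Constructed sample: the rights one identity holds.
    held = ["VALUES.A.*", "VALUES.level1.>", "SYSTEM.>"]
    for req in ["VALUES.A.B", "VALUES.A.B.C", "VALUES.level1.b.c", "IDENTITY.create"]:
        print(f"{req:20} -> {is_granted(held, req)}")
```

The check refuses wildcards in the requested right, so a caller cannot ask "do I have VALUES.>" and get a broad match by accident; an authorization decision is always made for one concrete right against the set of held patterns.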