IAM configuration use-cases

Learn about IAM configuration use cases

This page provides configuration snippets you can reuse in your IAM configuration.

Security administrator

A security administrator (a human user) needs to update the IAM and KMS configurations and to configure and work with the log files when investigating security incidents. This administrator doesn't need any access to data, so the role attaches a deny-all policy that blocks every data operation on every resource.

[policies.PolicyDenyAllAll]
operations = ["read", "write", "delete", "search", "tokenize", "detokenize", "encrypt", "decrypt", "hash", "invoke"]
policy_type = "deny"
reasons = ["*"]
resources = ["*"]

[roles.SecurityAdmin]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader"]
policies = ["PolicyDenyAllAll"]

Internal privileged service

This internal service works with objects in the customers collection. It lets users update their profile and view a masked version of it, so it needs to read, write, delete, and search objects. The service requires access to:

  1. All built-in properties, such as creation_time.
  2. The masked forms of the data types EMAIL, PHONE_NUMBER, SSN, and BAN. Because the service only ever receives masked values, the sensitivity of anything it could expose is reduced.

[policies.PolicyAllowAllMeta]
operations = ["read", "write", "delete", "search"]
policy_type = "allow"
reasons = ["AppFunctionality"]
resources = ["customers/properties/_*", "customers/properties/id"]

[policies.PolicyAllowMasked]
operations = ["read", "write", "delete", "search"]
policy_type = "allow"
reasons = ["AppFunctionality"]
resources = ["customers/types/EMAIL.mask", "customers/types/PHONE_NUMBER.mask", "customers/types/SSN.mask", "customers/types/BAN.mask"]

[roles.PrivilegedService]
capabilities = ["CapObjectsReader", "CapObjectsWriter", "CapDataSearcher"]
policies = ["PolicyAllowAllMeta", "PolicyAllowMasked"]

Control administrator

This role lets a human user manage the console without giving them any data access. The role deliberately omits the capability to modify the IAM, which prevents the user from circumventing the data access restriction by creating a user that does have data access.

As there is no data access, no policies are required.

Note that in this configuration the admin can delete collections. If you don't want the user to have this ability, remove CapCollectionsWriter.

[roles.ConsoleAdmin]
capabilities = ["CapIAMReader", "CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapTypesReader", "CapTypesWriter", "CapConfvarReader", "CapConfvarWriter", "CapClusterInfoReader", "CapActionsReader", "CapActionsWriter", "CapCodeWriter"]
policies = []
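The three snippets above are easy to get subtly wrong: a role that should have no data access can pick up an allow policy, or a masked-only policy can accidentally be widened to the unmasked type. The following script is an added example, not part of this page or of the product's own tooling, that loads the page's TOML and evaluates sample requests against it so the intent of each role can be asserted before the configuration is deployed. It assumes a simplified policy model (a matching deny policy wins over any allow; resources and reasons are matched as shell-style globs, so `*` matches everything and `_*` matches names starting with an underscore; a request with no matching policy is reported as `no-policy`). That model is an assumption for illustration and may differ from the real evaluation engine, so treat the output as a lint of your own intent, not as an authoritative decision.

```python
"""Offline lint for the IAM roles and policies shown on this page.

Assumed model (not the product's documented engine): deny beats allow,
reasons and resources are glob patterns, no match means no access.
"""
import fnmatch

try:
    import tomllib  # Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# The page's three snippets, concatenated into one TOML document.
IAM_TOML = """
[policies.PolicyDenyAllAll]
operations = ["read", "write", "delete", "search", "tokenize", "detokenize", "encrypt", "decrypt", "hash", "invoke"]
policy_type = "deny"
reasons = ["*"]
resources = ["*"]

[roles.SecurityAdmin]
capabilities = ["CapIAMReader", "CapIAMWriter", "CapKMSReader", "CapKMSWriter",
"CapConfvarReader", "CapConfvarWriter", "CapErrorWriter", "CapClusterInfoReader",
"CapInfoReader"]
policies = ["PolicyDenyAllAll"]

[policies.PolicyAllowAllMeta]
operations = ["read", "write", "delete", "search"]
policy_type = "allow"
reasons = ["AppFunctionality"]
resources = ["customers/properties/_*", "customers/properties/id"]

[policies.PolicyAllowMasked]
operations = ["read", "write", "delete", "search"]
policy_type = "allow"
reasons = ["AppFunctionality"]
resources = ["customers/types/EMAIL.mask", "customers/types/PHONE_NUMBER.mask", "customers/types/SSN.mask", "customers/types/BAN.mask"]

[roles.PrivilegedService]
capabilities = ["CapObjectsReader", "CapObjectsWriter", "CapDataSearcher"]
policies = ["PolicyAllowAllMeta", "PolicyAllowMasked"]

[roles.ConsoleAdmin]
capabilities = ["CapIAMReader", "CapInfoReader", "CapCollectionsReader", "CapCollectionsWriter", "CapTypesReader", "CapTypesWriter", "CapConfvarReader", "CapConfvarWriter", "CapClusterInfoReader", "CapActionsReader", "CapActionsWriter", "CapCodeWriter"]
policies = []
"""


def load(text: str) -> dict:
    """Parse the TOML document into {'policies': {...}, 'roles': {...}}."""
    return tomllib.loads(text)


def _policy_matches(policy: dict, op: str, reason: str, resource: str) -> bool:
    # Assumption: reasons and resources are glob patterns (fnmatch semantics,
    # where '*' also crosses '/'), operations are exact names.
    return (
        op in policy["operations"]
        and any(fnmatch.fnmatchcase(reason, r) for r in policy["reasons"])
        and any(fnmatch.fnmatchcase(resource, r) for r in policy["resources"])
    )


def decide(config: dict, role: str, op: str, reason: str, resource: str) -> str:
    """Return 'deny', 'allow' or 'no-policy' for one request under the assumed model."""
    names = config["roles"][role]["policies"]
    matching = [p for n in names if _policy_matches((p := config["policies"][n]), op, reason, resource)]
    if any(p["policy_type"] == "deny" for p in matching):
        return "deny"          # an explicit deny wins over any allow
    if any(p["policy_type"] == "allow" for p in matching):
        return "allow"
    return "no-policy"         # fail closed: nothing granted this request


def has_capability(config: dict, role: str, cap: str) -> bool:
    return cap in config["roles"][role]["capabilities"]


def lint(config: dict) -> list:
    """Structural problems: dangling policy references and duplicate capabilities."""
    issues = []
    for role, spec in config["roles"].items():
        for name in spec["policies"]:
            if name not in config["policies"]:
                issues.append(f"{role}: references unknown policy {name}")
        caps = spec["capabilities"]
        for dup in sorted({c for c in caps if caps.count(c) > 1}):
            issues.append(f"{role}: capability {dup} listed more than once")
    return issues


CONFIG = load(IAM_TOML)

if __name__ == "__main__":
    print(lint(CONFIG) or "no structural issues")
    print(decide(CONFIG, "PrivilegedService", "read", "AppFunctionality", "customers/types/EMAIL.mask"))
    print(decide(CONFIG, "PrivilegedService", "read", "AppFunctionality", "customers/types/EMAIL"))
```

The interesting checks are the negative ones: PrivilegedService gets `allow` for `customers/types/EMAIL.mask` but `no-policy` for the unmasked `customers/types/EMAIL`, for any reason other than `AppFunctionality`, and for operations such as `tokenize` that its policies never list; SecurityAdmin gets `deny` for everything; ConsoleAdmin gets `no-policy` for everything and lacks `CapIAMWriter`. Keeping such assertions next to the configuration turns the prose intent of each role into something a pipeline can verify on every change.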