Policy Tutorial
This tutorial addresses a use case in which the initial DSV admin wishes to:
- Delegate resource permissions to one admin team and three separate DevOps teams.
- Give each team of three users access to separate secret paths.
- Assign one person from each team rights to create roles and policies for their teammates.
Policy Structure
Policies are the single source of all permissions in DSV. A policy contains a list of permissions that are then delegated to groups, roles, and/or individual users.
A policy reaches a user in one of three ways: it names the user directly, it names a group the user belongs to, or it names a role that the user (or a client credential) holds.
Least Privilege Approach
In this tutorial, we begin as the Initial Super Administrator (typically your "thy-one" account). The Initial Super Administrator account has full, unrestricted access to all of DSV. It is a best practice to follow the Least-Privilege Administrative Model and only use the Super Administrator account when absolutely necessary.
To avoid using this account, we will:
- Use the Super Administrator account to create new Users.
- Create a group called "adminsgroup".
- Assign the new users to the "adminsgroup" group.
- Create a policy giving the group administrative permissions.
- Log out of the Super Administrator account.
- Log in as one of the new users to complete the remaining administrative tasks.
Create Users, Groups and Permissions
First, as the Super Admin, we will create and delegate permissions to the administrators. We will create three administrators and give them permissions to manage Users, Groups, and Roles in DSV.
The following example uses placeholder usernames and passwords. Substitute these values to meet your organization's requirements.
- Create administrators using the command and flags:
INPUT:
dsv user create --username adminusr1 --password Password1
OUTPUT:
{
"created": "2021-04-30T14:14:10Z",
"createdBy": "users:thy-one:superadmin@organization.com",
"displayName": "",
"externalId": "",
"id": "dc677f9c-*******-238f6d04e137",
"lastModified": "2021-04-30T14:14:10Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"provider": "",
"userName": "adminusr1",
"version": "0"
}
- Repeat the command for adminusr2 and adminusr3.
INPUT:
dsv user create --username adminusr2 --password Password2
OUTPUT:
{
"created": "2021-04-30T14:14:10Z",
"createdBy": "users:thy-one:superadmin@organization.com",
"displayName": "",
"externalId": "",
"id": "dc677f9c-*******-238f6d04e137",
"lastModified": "2021-04-30T14:14:10Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"provider": "",
"userName": "adminusr2",
"version": "0"
}
INPUT:
dsv user create --username adminusr3 --password Password3
OUTPUT:
{
"created": "2021-04-30T14:14:10Z",
"createdBy": "users:thy-one:superadmin@organization.com",
"displayName": "",
"externalId": "",
"id": "dc677f9c-*******-238f6d04e137",
"lastModified": "2021-04-30T14:14:10Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"provider": "",
"userName": "adminusr3",
"version": "0"
}
- Create the admins group and add the new administrators as members.
INPUT:
dsv group create --group-name adminsgroup --members adminusr1,adminusr2,adminusr3
OUTPUT:
{
"addedMemberNames": ["adminusr2", "adminusr1", "adminusr3"],
"errors": {}
}
- Give the adminsgroup permission to create, modify and delete Users, Groups, Roles, Policies, and Secrets on the path secrets:servers:us-west:<.*>. Permissions could be assigned directly to the three users, but assigning them to the group lets any additional admin users inherit the permissions in a single step.
- Open the configuration text file using the command:
dsv config edit
- Copy and paste the adminsgroup permission entry (the entry whose subject is groups:<adminsgroup>, shown last below) into the permissionDocument array. Make sure it is placed after the existing entries and includes the preceding comma. The edited config policy looks like this:
{
"created": "2020-04-06T12:34:57Z",
"createdBy": "system",
"lastModified": "2021-04-13T19:05:33Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"permissionDocument": [
{
"actions": ["<.*>"],
"conditions": {},
"description": "Default Admin Permissions",
"effect": "allow",
"id": "bq5i3******po2j2g",
"meta": null,
"resources": ["<.*>"],
"subjects": [
"users:<users:thy-one:superadmin@organization.com>"
]
},
{
"actions": ["<.*>"],
"conditions": {},
"description": "Default Deny Home Permissions",
"effect": "deny",
"id": "bskn71nq4h6s72mn0sc0",
"meta": null,
"resources": ["home:<.*>"],
"subjects": [
"users:<users:thy-one:superadmin@organization.com>"
]
},
{
"actions": ["<.*>"],
"conditions": {},
"description": "Admin Permissions US-WEST",
"effect": "allow",
"meta": null,
"resources": [
"users:<.*>",
"groups:<.*>",
"roles:<.*>",
"clients:<.*>",
"config:policies:secrets:servers:us-west:<.*>",
"config:policies:roles:devopsgrp1<.*>",
"secrets:servers:us-west:<.*>"
],
"subjects": ["groups:<adminsgroup>"]
}
]
}
Initialize the New Admin Account
Once we have created the new admin users, put them into a new admin group, and written a policy giving them permissions, we can log out of the Super Administrator account and use one of the new administrator accounts to continue with the setup. Switching to an account with fewer permissions will help us adhere to the Least-Privilege Administrative Model.
- Begin initialization with the command:
dsv init
- Select [o] overwrite the config. This will replace the current default profile, the superadmin, with the adminusr1 account.
- Enter your tenant name.
- Choose your domain.
- Select a store type.
- Select a cache strategy for secrets.
- For the auth type, choose (1) Password (local user).
- Once initialization is complete, confirm that you are logged in as adminusr1 with the command:
dsv whoami
- The CLI should return:
users:adminusr1
Delegate Secret Management Rights to DevOps Team1
Now that the administrators have been created and delegated permissions, we can start creating the users for the DevOps teams.
- Create the three DevOps users.
INPUT:
dsv user create --username devopsusr1 --password Password1*
OUTPUT:
{
"created": "2021-04-30T15:30:45Z",
"createdBy": "users:adminusr1",
"displayName": "",
"externalId": "",
"id": "44f238b5-b657-*****-4defb1d9b4cd",
"lastModified": "2021-04-30T15:30:45Z",
"lastModifiedBy": "users:adminusr1",
"provider": "",
"userName": "devopsusr1",
"version": "0"
}
INPUT:
dsv user create --username devopsusr2 --password Password1*
OUTPUT:
{
"created": "2021-04-30T15:30:45Z",
"createdBy": "users:adminusr1",
"displayName": "",
"externalId": "",
"id": "44f238b5-b657-*****-4defb1d9b4cd",
"lastModified": "2021-04-30T15:30:45Z",
"lastModifiedBy": "users:adminusr1",
"provider": "",
"userName": "devopsusr2",
"version": "0"
}
INPUT:
dsv user create --username devopsusr3 --password Password1*
OUTPUT:
{
"created": "2021-04-30T15:30:45Z",
"createdBy": "users:adminusr1",
"displayName": "",
"externalId": "",
"id": "44f238b5-b657-*****-4defb1d9b4cd",
"lastModified": "2021-04-30T15:30:45Z",
"lastModifiedBy": "users:adminusr1",
"provider": "",
"userName": "devopsusr3",
"version": "0"
}
- Create the DevOps group. In the same command, add the three DevOps users and the admin user as members of the group.
INPUT:
dsv group create --group-name devopsgroup1 --members devopsusr1,devopsusr2,devopsusr3,adminusr1
OUTPUT:
{
"addedMemberNames": ["devopsusr1", "devopsusr3", "devopsusr2","adminusr1"],
"errors": {}
}
- Give the new group (devopsgroup1) access to the path secrets:servers:us-west:devopsgrp1secrets:<.*>. This gives all members of DevOps Team 1 full rights to manage secrets on the path.
INPUT:
dsv policy create --path secrets:servers:us-west:devopsgrp1secrets --subjects groups:devopsgroup1 --actions create,read,update,delete --resources "secrets:servers:us-west:devopsgrp1secrets:<.*>" --desc "Devopsgrp1 Secret Management Permissions"
OUTPUT:
{
"created": "2021-04-30T15:36:08Z",
"createdBy": "users:adminusr1",
"id": "e5c9f3de-f74b-4d1f-a984-90e31cb2e131",
"lastModified": "2021-04-30T15:36:08Z",
"lastModifiedBy": "users:adminusr1",
"path": "secrets:servers:us-west:devopsgrp1secrets",
"permissionDocument": [
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devopsgrp1 Secret Management Permissions",
"effect": "allow",
"id": "c2627q72inos72lhq18g",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
"subjects": ["groups:devopsgroup1"]
}
],
"version": "0"
}
- Deny devopsusr3 the rights to create, delete, and update secrets on the path secrets:servers:us-west:devopsgrp1secrets:<.*>. Open the policy file with the command:
dsv policy edit --path secrets:servers:us-west:devopsgrp1secrets
- Add the deny entry for devopsusr3 (the second entry below) to the permissionDocument array, after a comma following the existing entry:
{
"created": "2021-04-13T13:34:43Z",
"createdBy": "users:thy-one:superadmin@organization.com",
"id": "2d56bf8a-99a7-4a3e-9a30-db5596208480",
"lastModified": "2021-04-13T13:34:43Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"path": "secrets:servers:us-west:devopsgrp1secrets",
"permissionDocument": [
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devopsgrp1 Secret Management Permissions",
"effect": "allow",
"id": "c1qprsq5fkhs72p14v7g",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
"subjects": ["groups:devopsgroup1"]
},
{
"actions": ["create", "update", "delete"],
"conditions": {},
"description": "Devopsusr3 Secret Management Permissions",
"effect": "deny",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
"subjects": ["users:devopsusr3"]
}
],
"version": "0"
}
Test the DevOps Team Permissions to Read Secrets
- Create a secret on the path secrets:servers:us-west:devopsgrp1secrets:test.
INPUT:
dsv secret create secrets:servers:us-west:devopsgrp1secrets:test --data "{\"username\":\"secretuser\",\"password\":\"passwordtext123\"}"
OUTPUT:
{
"attributes": {},
"created": "2021-04-30T15:40:14Z",
"createdBy": "users:adminusr1",
"data": {
"password": "passwordtext123",
"username": "secretuser"
},
"description": "",
"id": "76b872be-fb5a-4849-b8c7-f8bea3b01896",
"lastModified": "2021-04-30T15:40:14Z",
"lastModifiedBy": "users:adminusr1",
"path": "servers:us-west:devopsgrp1secrets:test",
"version": "0"
}
- Create another secret directly on the path secrets:servers:us-west:devopsgrp1secrets (with no sub-path). The two secrets will show that the group policy covers only sub-paths of devopsgrp1secrets.
INPUT:
dsv secret create secrets:servers:us-west:devopsgrp1secrets --data "{\"username\":\"secretuser\",\"password\":\"passwordtext123\"}"
OUTPUT:
The response has the same shape as the previous one, with its own id and the path servers:us-west:devopsgrp1secrets.
- Initialize with the devopsusr1 account. In order to test the permissions granted to devopsusr1 we need to initialize the account. This will create a new profile for devopsusr1 in your config file. Be sure to choose auth type "1" as this is a local user.
- Enter the command:
dsv init
- Choose [a] add a new profile to the config.
- Enter the profile name: devopsusr1
- Initialize devopsusr2 and devopsusr3 using the same sequence. Once the profiles are created, we will be able to run single commands as devopsusr1 and devopsusr3 in the next step.
- Read the secrets with the profile of devopsusr1. This profile should have the permissions to read the secret under test while not having the permissions to read the secret stored directly under devopsgrp1secrets.
INPUT:
dsv secret read secrets:servers:us-west:devopsgrp1secrets:test --profile devopsusr1
OUTPUT:
{
"attributes": {},
"created": "2021-04-30T15:40:14Z",
"createdBy": "users:adminusr1",
"data": {
"password": "passwordtext123",
"username": "secretuser"
},
"description": "",
"id": "76b872be-fb5a-4849-b8c7-f8bea3b01896",
"lastModified": "2021-04-30T15:40:14Z",
"lastModifiedBy": "users:adminusr1",
"path": "us-west:devopsgrp1secrets:test",
"version": "0"
}
INPUT:
dsv secret read secrets:servers:us-west:devopsgrp1secrets --profile devopsusr1
OUTPUT:
{
"message": "Invalid permissions"
}
- Attempt to create a secret with the profile of devopsusr3. This profile should not have the rights to create a secret on that path.
INPUT:
dsv secret create secrets:servers:us-west:devopsgrp1secrets:test2 --data "{\"username\":\"secretuser2\",\"password\":\"passwordtext123\"}" --profile devopsusr3
OUTPUT:
{
"message": "Invalid permissions"
}
Grant Groups the Ability to Search Entities via List Privileges
In the previous section, we verified that the members of devopsgroup1 can only manage the secrets on the path servers:us-west:devopsgrp1secrets:<.*>, and restricted a single member of that group, devopsusr3, to only reading secrets on that path.
Now let's say the members need to see the non-sensitive information (for example, description, path, created) of secrets on a different path. We can do this by adding a permission to the root config policy that grants List privileges for all secrets in DSV to devopsgroup1. List privileges can also be granted for users, groups and roles.
In this example, we will only grant the permission for secrets by:
- Edit the config using the command:
dsv config edit --profile thyone
- Add the list entry (the last entry below, with subject groups:<devopsgroup1>) to the set of permissions that currently exist on the config policy:
{
"created": "2020-04-06T12:34:57Z",
"createdBy": "system",
"lastModified": "2021-04-30T14:34:09Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"permissionDocument": [
{
"actions": ["<.*>"],
"conditions": {},
"description": "Default Admin Permissions",
"effect": "allow",
"id": "bq5i3seothfc72po2j2g",
"meta": null,
"resources": ["<.*>"],
"subjects": [
"users:<users:thy-one:superadmin@organization.com>"
]
},
{
"actions": ["<.*>"],
"conditions": {},
"description": "Default Deny Home Permissions",
"effect": "deny",
"id": "bskn71nq4h6s72mn0sc0",
"meta": null,
"resources": ["home:<.*>"],
"subjects": [
"users:<thy-one:superadmin@organization.com>"
]
},
{
"actions": ["<.*>"],
"conditions": {},
"description": "Admin Permissions US-WEST",
"effect": "allow",
"id": "c261aofnu9hs72pma9t0",
"meta": null,
"resources": [
"users:<.*>",
"groups:<.*>",
"roles:<.*>",
"clients:<.*>",
"config:policies:secrets:servers:us-west:<.*>",
"config:policies:roles:devopsgrp1<.*>",
"secrets:servers:us-west:<.*>"
],
"subjects": ["groups:<adminsgroup>"]
},
{
"actions": ["<list>"],
"conditions": {},
"description": "Global List Permissions - Secrets",
"effect": "allow",
"meta": null,
"resources": ["secrets"],
"subjects": ["groups:<devopsgroup1>"]
}
],
"tenantName": "dsvtestlab",
"version": "2"
}
Test the DevOps Team Permissions to Search Resources
Using the profile of devopsusr1, search for the secrets located on the path servers:us-west:devopsgrp1secrets. While the devopsusr1 profile was not able to read the secret stored directly on this path before, the list permission allows the user to search for it and view its non-sensitive properties.
INPUT:
dsv secret search devopsgrp1secrets --profile devopsusr1
OUTPUT:
{
"cursor": "",
"data": [
{
"attributes": {},
"created": "2021-04-30T15:40:14Z",
"createdBy": "users:adminusr1",
"description": "",
"id": "76b872be-fb5a-4849-b8c7-f8bea3b01896",
"lastModified": "2021-04-30T15:40:14Z",
"lastModifiedBy": "users:adminusr1",
"path": "servers:us-west:devopsgrp1secrets:test",
"version": "0"
},
{
"attributes": {},
"created": "2021-04-30T17:46:23Z",
"createdBy": "users:adminusr1",
"description": "",
"id": "90c728d1-7584-49d4-86a9-89fa4ca8daa0",
"lastModified": "2021-04-30T17:46:23Z",
"lastModifiedBy": "users:adminusr1",
"path": "servers:us-west:devopsgrp1secrets",
"version": "0"
}
],
"length": 2,
"limit": 25,
"sort": ""
}
Delegate Rights to Manage Policies to a DevOps Team Member
Give devopsusr1 the rights to create, read, update, and delete policies on the path secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_<.*>. The permissions will be applied directly to the user as opposed to a group. We will also give devopsgroup1 read access to any policies created by devopsusr1. Edit the policy again by adding the two entries shown last in the JSON below.
- Open the policy using the command:
dsv policy edit --path secrets:servers:us-west:devopsgrp1secrets
- Add the two new entries to the policy:
{
"created": "2021-04-13T13:34:43Z",
"createdBy": "users:thy-one:superadmin@organization.com",
"id": "2d56bf8a-99a7-4a3e-9a30-db5596208480",
"lastModified": "2021-04-13T13:34:43Z",
"lastModifiedBy": "users:thy-one:superadmin@organization.com",
"path": "secrets:servers:us-west:devopsgrp1secrets",
"permissionDocument": [
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devopsgrp1 Secret Management Permissions",
"effect": "allow",
"id": "c2627q72inos72lhq18g",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
"subjects": ["groups:devopsgroup1"]
},
{
"actions": ["create", "update", "delete"],
"conditions": {},
"description": "Devopsusr3 Secret Management Permissions",
"effect": "deny",
"id": "c2629jn2inos72lhq190",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
"subjects": ["users:devopsusr3"]
},
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devops Team1 Policy Management Permissions",
"effect": "allow",
"meta": null,
"resources": ["config:policies:secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_<.*>"],
"subjects": ["users:devopsusr1"]
},
{
"actions": ["read"],
"conditions": {},
"description": "Devops Team1 Policy Read Permissions",
"effect": "allow",
"meta": null,
"resources": ["config:policies:secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_<.*>"],
"subjects": ["groups:devopsgroup1"]
}
],
"version": "2"
}
Test DevOpsUsr1's Permission to Create Policies
Create a policy using the profile devopsusr1, then read the policy using the profile devopsusr2. The first attempt to create a policy should fail because devopsusr1 is not permitted to create on the path testfailure. The second attempt will succeed. This policy grants devopsgroup1 full privileges to manage secrets under the path servers:us-west:devopsgrp1secrets:devopsgrp1policy_1.
INPUT:
dsv policy create --path secrets:servers:us-west:devopsgrp1secrets:testfailure --subjects groups:devopsgroup1 --actions create,read,update,delete --profile devopsusr1
OUTPUT:
{
"message": "Invalid permissions"
}
INPUT:
dsv policy create --path secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1 --subjects groups:devopsgroup1 --actions create,read,update,delete --desc "Devopsgroup1 User-Created Policy1" --profile devopsusr1
OUTPUT:
{
"created": "2021-04-30T18:06:17Z",
"createdBy": "users:devopsusr1",
"id": "bc3c38d6-c7cc-49b4-817a-f98b6c409974",
"lastModified": "2021-04-30T18:06:17Z",
"lastModifiedBy": "users:devopsusr1",
"path": "secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1",
"permissionDocument": [
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devopsgroup1 User-Created Policy1",
"effect": "allow",
"id": "c264e69ehf7c72g0ddg0",
"meta": null,
"resources": [
"secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1:<.*>"
],
"subjects": ["groups:devopsgroup1"]
}
],
"version": "0"
}
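The outcomes of the read and create tests earlier in this tutorial (devopsusr3's deny winning over the group allow, the secret stored directly on devopsgrp1secrets being unreadable, the global list grant) and of the policy-creation test just shown can be predicted offline with the small evaluator below. It is an added example, not the tutorial's or DSV's own code: the evaluation rule it uses (a matching deny wins, otherwise a matching allow is required) is an assumption modelled on the results shown in this tutorial, and POLICY_ENTRIES and GROUPS are a constructed subset of the policies and groups the tutorial creates.

```python
import re

# Constructed subset of the policy entries this tutorial builds, in the shape the
# dsv CLI prints (ids and timestamps omitted). Entries from the root config policy
# and from the path policy are merged because every entry applies to a request.
POLICY_ENTRIES = [
    {"description": "Admin Permissions US-WEST", "effect": "allow",
     "actions": ["<.*>"], "subjects": ["groups:<adminsgroup>"],
     "resources": ["users:<.*>", "groups:<.*>", "roles:<.*>", "clients:<.*>",
                   "config:policies:secrets:servers:us-west:<.*>",
                   "secrets:servers:us-west:<.*>"]},
    {"description": "Global List Permissions - Secrets", "effect": "allow",
     "actions": ["<list>"], "resources": ["secrets"],
     "subjects": ["groups:<devopsgroup1>"]},
    {"description": "Devopsgrp1 Secret Management Permissions", "effect": "allow",
     "actions": ["create", "read", "update", "delete"],
     "resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
     "subjects": ["groups:devopsgroup1"]},
    {"description": "Devopsusr3 Secret Management Permissions", "effect": "deny",
     "actions": ["create", "update", "delete"],
     "resources": ["secrets:servers:us-west:devopsgrp1secrets:<.*>"],
     "subjects": ["users:devopsusr3"]},
    {"description": "Devops Team1 Policy Management Permissions", "effect": "allow",
     "actions": ["create", "read", "update", "delete"],
     "resources": ["config:policies:secrets:servers:us-west:"
                   "devopsgrp1secrets:devopsgrp1policy_<.*>"],
     "subjects": ["users:devopsusr1"]},
]

# Group memberships created in the tutorial.
GROUPS = {
    "adminsgroup": ["adminusr1", "adminusr2", "adminusr3"],
    "devopsgroup1": ["devopsusr1", "devopsusr2", "devopsusr3", "adminusr1"],
}


def pattern_to_regex(pattern):
    """Turn a DSV-style pattern into an anchored regex: text inside angle
    brackets is a regular expression (for example <.*>), the rest is literal."""
    parts, pos = [], 0
    for m in re.finditer(r"<([^>]*)>", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        parts.append("(?:%s)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def matches_any(patterns, value):
    return any(pattern_to_regex(p).match(value) for p in patterns)


def principals_for(user):
    """Identities a request by `user` carries: the user plus each of its groups."""
    return ["users:" + user] + [
        "groups:" + g for g, members in GROUPS.items() if user in members]


def evaluate(entries, user, action, resource):
    """Return (decision, description of the entry that decided it).

    Assumed rule, modelled on the tutorial's test results: a matching deny
    entry always wins; otherwise at least one matching allow entry is needed;
    otherwise the CLI answers "Invalid permissions".
    """
    principals = principals_for(user)
    allowed_by = None
    for entry in entries:
        if not (matches_any(entry["actions"], action)
                and matches_any(entry["resources"], resource)
                and any(matches_any(entry["subjects"], p) for p in principals)):
            continue
        if entry["effect"] == "deny":
            return "deny", entry["description"]
        allowed_by = allowed_by or entry["description"]
    if allowed_by:
        return "allow", allowed_by
    return "deny", "no matching allow entry (Invalid permissions)"
```

Calling evaluate(POLICY_ENTRIES, "devopsusr1", "create", "config:policies:secrets:servers:us-west:devopsgrp1secrets:testfailure") returns a deny with no matching allow entry, the same outcome as the testfailure attempt above, while the devopsgrp1policy_1 path is allowed by the policy-management entry.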
Delegate Rights to "Create Roles" to a DevOps Team Member
Give devopsusr1 the rights to create, read, and assign roles whose names match devopsgrp1_role<.*>. This user will be the only member of the group that can create roles. Note that the role must be named to match this pattern, otherwise the attempt to create it will fail. This step makes it easier to audit the creation of policies and provides user accountability.
INPUT:
dsv policy create --path roles:devopsgrp1_role --subjects users:devopsusr1 --desc "Devopsgrp1 Role Assignment Permissions" --resources "roles:devopsgrp1_role<.*>" --actions create,assign,read
OUTPUT:
{
"created": "2021-04-30T18:09:42Z",
"createdBy": "users:adminusr1",
"id": "9f46574a-41cd-4d1b-a03b-d91740aa0321",
"lastModified": "2021-04-30T18:09:42Z",
"lastModifiedBy": "users:adminusr1",
"path": "roles:devopsgrp1_role",
"permissionDocument": [
{
"actions": ["create", "assign", "read"],
"conditions": {},
"description": "Devopsgrp1 Role Assignment Permissions",
"effect": "allow",
"id": "c264fphehf7c72g0ddgg",
"meta": null,
"resources": ["roles:devopsgrp1_role<.*>"],
"subjects": ["users:devopsusr1"]
}
],
"version": "0"
}
We will also give devopsgroup1 read permissions for any role created by devopsusr1:
- Open the policy using the command:
dsv policy edit --path roles:devopsgrp1_role
- Edit the policy we have just created by adding the read entry (the second entry below):
{
"created": "2021-04-22T15:18:02Z",
"createdBy": "users:adminusr1",
"id": "5c8b225f-89d6-4f4e-9c67-03b333a9ff4d",
"lastModified": "2021-04-22T15:18:02Z",
"lastModifiedBy": "users:adminusr1",
"path": "roles:devopsgrp1_role",
"permissionDocument": [
{
"actions": ["create", "assign", "read"],
"conditions": {},
"description": "Devopsgrp1 Role Assignment Permissions",
"effect": "allow",
"id": "c20p7alfo4sc72ggua4g",
"meta": null,
"resources": ["roles:devopsgrp1_role<.*>"],
"subjects": ["users:devopsusr1"]
},
{
"actions": ["read"],
"conditions": {},
"description": "Devopsgrp1 Role Read Permissions",
"effect": "allow",
"meta": null,
"resources": ["roles:devopsgrp1_role<.*>"],
"subjects": ["groups:devopsgroup1"]
}
],
"version": "0"
}
- Test devopsusr1's permission to create roles. First, attempt to create a role using a name outside of what devopsusr1 has permission to create:
INPUT:
dsv role create --name devopsgrp1-roletestfailure --profile devopsusr1
OUTPUT:
{"message": "Invalid permissions"}
- Now perform a test within the user's permissions:
INPUT:
dsv role create --name devopsgrp1_role1 --profile devopsusr1
OUTPUT:
{
"created": "2021-04-30T18:18:03Z",
"createdBy": "users:devopsusr1",
"description": "",
"externalId": "",
"groups": null,
"id": "73b0073c-b695-43fe-885c-932c8b9a5d8f",
"lastModified": "2021-04-30T18:18:03Z",
"lastModifiedBy": "users:devopsusr1",
"name": "devopsgrp1_role1",
"provider": "",
"version": "0"
}
Create DevOpsTeam1's Client Credentials for an Application
Using the role that we just created with devopsusr1, devopsgrp1_role1, we will create client credentials. The credentials will be associated with the role and inherit the permissions that the role has been delegated.
- Add the role to the devopsgrp1policy_1 policy. We will use the policy update command to add the role as an additional subject of the policy:
INPUT:
dsv policy update --path secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1 --subjects groups:devopsgroup1,roles:devopsgrp1_role1 --actions create,read,update,delete --desc "Devopsgrp1 User-Created Policy1"
OUTPUT:
{
"created": "2021-04-30T18:06:17Z",
"createdBy": "users:devopsusr1",
"id": "bc3c38d6-c7cc-49b4-817a-f98b6c409974",
"lastModified": "2021-04-30T18:20:24Z",
"lastModifiedBy": "users:devopsusr1",
"path": "secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1",
"permissionDocument": [
{
"actions": ["create", "read", "update", "delete"],
"conditions": {},
"description": "Devopsgrp1 User-Created Policy1",
"effect": "allow",
"id": "c264kq1ehf7c72g0ddhg",
"meta": null,
"resources": ["secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1:<.*>"],
"subjects": ["groups:devopsgroup1", "roles:devopsgrp1_role1"]
}
],
"version": "1"
}
- Create the DevOps Team1 client. A Client ID and Client Secret will be provided for the next step:
INPUT:
dsv client create --role devopsgrp1_role1
OUTPUT:
{
"clientId": "33c2b014-27af-49fa-b4b3-44e8c1cad2b9",
"clientSecret": "1E_uAzxTWbwMjJcfEIP1294pAhp-pkOX5ECqDNZOk8s",
"created": "2021-04-30T18:21:38Z",
"createdBy": "users:adminusr1",
"id": "f131e1fb-bc04-4015-ac8b-0e7ba5c2e20f",
"role": "devopsgrp1_role1",
"url": false
}
Test the "Read Secret" Permissions of the DevOpsTeam1's Client Credential
- Initialize with the client using dsv init.
- Select [a] add a new profile to the config, and name your profile clienttest.
- Choose (2) Client Credential for the Auth Type.
- When prompted, provide the Client ID and Client Secret. The full interactive session looks like this:
Found an existing cli-config located at 'C:\Users\superadmin\.dsv.yml'
Select an option:
[o] overwrite the config
[a] add a new profile to the config
[n] do nothing
(default:n) a
Please enter profile name: clienttest
Please enter tenant name: dsvtestlab
Please choose domain:
(1) secretsvaultcloud.com (default)
(2) secretsvaultcloud.eu
(3) secretsvaultcloud.com.au
(4) secretsvaultcloud.ca
Selection:
Please enter store type:
(1) File store (default)
(2) None (no caching)
(3) Pass (Linux only)
(4) Windows Credential Manager (Windows only)
Selection:
Please enter directory for file store (default:C:\Users\superadmin\.thy):
Please enter cache strategy for secrets:
(1) Never (default)
(2) Server then cache
(3) Cache then server
(4) Cache then server, but allow expired cache if server unreachable
Selection:
Please enter auth type:
(1) Password (local user) (default)
(2) Client Credential
(3) Thycotic One (federated)
(4) AWS IAM (federated)
(5) Azure (federated)
(6) GCP (federated)
(7) OIDC (federated)
Selection: 2
Please enter client id for client auth: 33c2b014-27af-49fa-b4b3-44e8c1cad2b9
Please enter client secret for client auth: *******************************************
- Create a secret on the path secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1.
INPUT:
dsv secret create secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1:test --data "{\"username\":\"secretuser\",\"password\":\"passwordtext123\"}"
OUTPUT:
{
"attributes": {},
"created": "2021-04-30T18:27:49Z",
"createdBy": "users:adminusr1",
"data": {
"password": "passwordtext123",
"username": "secretuser"
},
"description": "",
"id": "04e203f9-b275-4140-bce5-218b80815c23",
"lastModified": "2021-04-30T18:27:49Z",
"lastModifiedBy": "users:adminusr1",
"path": "servers:us-west:devopsgrp1secrets:devopsgrp1policy_1:test",
"version": "0"
}
- Read the secret with the profile of the client credentials, clienttest:
dsv secret read secrets:servers:us-west:devopsgrp1secrets:devopsgrp1policy_1:test --profile clienttest
- You have successfully delegated permissions to DevOps Team1. Repeat the procedure above for Team 2 and Team 3.