Hi,
We are currently using Vault Server 3.16.
We would like to implement a way to circumvent the default security scheme "allow everything": each time a new user is created, this user has RCA permission on all repositories. When a new repository is created, it grants access to all users (including inactive users).
Of course we can change the default permission by creating custom exclusion rules, user default permissions, etc. As I am not dedicated full time to managing Vault Server, some team leads are also Vault admins to give them more flexibility to manage their teams and projects. These team leads are not Vault gurus; some created users and repositories and afterward created exclusion rules to counterbalance the openness of the default permission rules.
For our next Vault upgrade to 3.51 (or maybe 3.52) we would like to completely reorganize our security scheme:
- All users will have ZERO permission by default (change RCA to nothing)
- Each repository will have a corresponding Vault group. The group will have RCA permission to the root folder of the repository.
- Trusted users will be members of 1..N groups (each group grants full access to one repository, as mentioned above)
- Users with restricted access will not be members of any of the above groups. They will either have specific folder access permissions, or belong to a group having restricted and explicit folder-level permissions.
Can you please review the idea and provide us with your comments? Thanks very much in advance.
Tightening Vault's default Security Access Permission