mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-15 19:17:02 +02:00
Code Issues Projects Releases Wiki Activity
a2de4c75cd
vault/website/content/api-docs/system/config-group-policy-application.mdx
Anton Averchenkov f4f0412b6a
[docs] Convert titles to sentense case (#21426) 
* Convert documentation titles to sentense case

* Docker, Google, Foundry, Cloud proper case
2023-06-30 19:22:07 -04:00

82 lines
2.6 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: api
page_title: /sys/config/group-policy-application - HTTP API
description: The '/sys/config/group-policy-application' endpoint is used to configure the global mode for group policy application.
---
# `/sys/config/group-policy-application`
~> **Enterprise Only**  These endpoints require Vault Enterprise Platform.
The `sys/config/group-policy-application` endpoint can be used to configure the
mode of policy application for identity groups in Vault. This setting dictates
the behavior across all groups in all namespaces in Vault.
Vault allows you to add entities and groups from any namespace into an identity group.
However, historically, any policies attached to that group would only apply when the
Vault token authorizing a request was created in the same namespace as that group,
or a descendent namespace. This endpoint allows relaxing that restriction: when the mode is set to the default,
`within_namespace_hierarchy`, the historical behaviour is maintained,
but when set to `any`, group policies apply to all members of a group,
regardless of what namespace the request token came from.
Note that this configuration will be replicated between primary and secondaries, that
is to say, primaries cannot have a different policy application mode to secondaries.
## Get group policy application information
This endpoint returns the current group policy application mode, which will be
either `within_namespace_hierarchy` or `any`.
| Method | Path |
| :----- | :---------------------------- |
| `GET` | `/sys/config/group-policy-application` |
### Sample request
```shell-session
$ curl \
--header "X-Vault-Token: ..." \
'http://127.0.0.1:8200/v1/sys/config/group-policy-application'
```
### Sample response
```json
{
"group_policy_application_mode": "within_namespace_hierarchy"
}
```
## Set group policy application information
This endpoint allows you to modify the current group policy application mode, which can be
either `within_namespace_hierarchy` or `any`. `within_namespace_hierarchy`
restricts policy application to only policies from groups from parent namespaces, and
`any` does not restrict policy application in any way, and policies will apply from any namespace,
irrespective of namespace hierarchy.
| Method | Path |
| :----- | :---------------------------- |
| `POST`, `PUT` | `/sys/config/group-policy-application` |
### Sample payload
```json
{
"group_policy_application_mode": "any"
}
```
### Sample request
```shell-session
$ curl \
--request POST \
--header "X-Vault-Token: ..." \
--data @payload.json \
'http://127.0.0.1:8200/v1/sys/config/group-policy-application'
```
Reference in New Issue View Git Blame Copy Permalink