If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but can still read all other secrets?

Posted by: Pdfprep Category: VA-002-P

If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but can still read all other secrets?
A. path "secret/apps/confidential/*" {
  capabilities = ["deny"]
}
B. path "secret/apps/*" {
  capabilities = ["deny"]
}
C. path "secret/apps/confidential" {
  capabilities = ["deny"]
}
D. path "secret/apps/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/*" {
  capabilities = ["read", "deny"]
}

Answer: C

Explanation:

"Deny" capability generally takes precedence over "allow" capability.

Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential.
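
Why C rather than A or B, as an added example (not part of the original question and not Vault's own code): a simplified Python model of how Vault selects the policy stanza for a request path and applies deny. The client's existing policy is missing from the page, so the base policy granting read on secret/* is an assumption, and only exact paths and trailing-* globs are modelled.

```python
# Added example: simplified model of Vault ACL path resolution. Only exact
# paths and trailing-* prefix globs are modelled ("+" wildcards are not).

# Assumption: the page omits the client's existing policy, so this base
# policy is constructed for the example.
BASE = {"secret/*": {"read"}}

# Options A, B and C from the question, as path -> capabilities.
OPTIONS = {
    "A": {"secret/apps/confidential/*": {"deny"}},
    "B": {"secret/apps/*": {"deny"}},
    "C": {"secret/apps/confidential": {"deny"}},
}


def merge(*policies):
    """Union the capabilities of stanzas that share the same path string."""
    acl = {}
    for policy in policies:
        for path, caps in policy.items():
            acl.setdefault(path, set()).update(caps)
    return acl


def capabilities(acl, request):
    """Return the effective capabilities for a request path."""
    if request in acl:                      # an exact match wins
        caps = acl[request]
    else:                                   # else the longest matching prefix glob
        globs = [p for p in acl if p.endswith("*") and request.startswith(p[:-1])]
        if not globs:
            return {"deny"}                 # no matching stanza: denied by default
        caps = acl[max(globs, key=len)]
    return {"deny"} if "deny" in caps else set(caps)


def evaluate(option):
    """Return (confidential path readable?, another secret readable?)."""
    acl = merge(BASE, OPTIONS[option])
    return ("read" in capabilities(acl, "secret/apps/confidential"),
            "read" in capabilities(acl, "secret/apps/billing"))


if __name__ == "__main__":
    for name in OPTIONS:
        print(name, evaluate(name))
```

Option A leaves secret/apps/confidential itself readable because its glob only covers paths beneath it, and option B also blocks every other secret under secret/apps/.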
