If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but can still read all other secrets?
A.
path "secret/apps/confidential/*" {
  capabilities = ["deny"]
}

B.
path "secret/apps/*" {
  capabilities = ["deny"]
}

C.
path "secret/apps/confidential" {
  capabilities = ["deny"]
}

D.
path "secret/apps/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/*" {
  capabilities = ["read", "deny"]
}
Answer: C
Explanation:
The "deny" capability generally takes precedence over any "allow" capability.
Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential.
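To see why only option C works, here is an added example (not part of the original question) that models Vault's ACL path resolution in Python and checks each option against an assumed base policy of `path "secret/*" { capabilities = ["read"] }`. The model is a simplification of the documented rules: an exact-path rule wins over glob rules, the longest matching trailing-`*` prefix wins among globs, and rules for the same path pattern from different policies are merged with "deny" winning.

```python
# Added example, not from the question source. Minimal model of how Vault
# resolves ACL rules, used to test answer options A-D.
# Assumed base policy for the client (not given on the page):
#   path "secret/*" { capabilities = ["read"] }
from collections import defaultdict

def merge(policies):
    """Merge {path_pattern: [capabilities]} policies; same pattern => union of caps."""
    rules = defaultdict(set)
    for policy in policies:
        for pattern, caps in policy.items():
            rules[pattern] |= set(caps)
    return rules

def allowed(policies, request_path, capability):
    """Return True if the merged policies grant `capability` on `request_path`."""
    rules = merge(policies)
    if request_path in rules:                       # exact match has priority
        caps = rules[request_path]
    else:
        globs = [p for p in rules
                 if p.endswith("*") and request_path.startswith(p[:-1])]
        if not globs:
            return False                            # no rule matches: default deny
        caps = rules[max(globs, key=len)]           # longest prefix wins
    if "deny" in caps:                              # deny overrides everything
        return False
    return capability in caps

BASE = {"secret/*": ["read"]}                       # assumed current policy

OPTIONS = {
    "A": {"secret/apps/confidential/*": ["deny"]},
    "B": {"secret/apps/*": ["deny"]},
    "C": {"secret/apps/confidential": ["deny"]},
    "D": {"secret/apps/*": ["create", "read", "update", "delete", "list"]},
}

def evaluate(option):
    """(can read secret/apps/confidential, can still read other secrets) for BASE + option."""
    policies = [BASE, OPTIONS[option]]
    confidential = allowed(policies, "secret/apps/confidential", "read")
    others = (allowed(policies, "secret/apps/other", "read")
              and allowed(policies, "secret/db/creds", "read"))
    return confidential, others

if __name__ == "__main__":
    for name in OPTIONS:
        confidential, others = evaluate(name)
        print(f"{name}: confidential readable={confidential}, others readable={others}")
```

Only C yields `(False, True)`: A misses the exact key because its glob only covers children, B also blocks every other secret under secret/apps/, and D grants read. The model ignores Vault's `+` segment wildcard and the KV v2 `secret/data/...` prefix, where the rule path would need the `data/` segment.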