From 30eaccb1a3ea2e22d40ef6d779cf3d38634f44b3 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Mon, 19 Jan 2026 20:43:39 +0100
Subject: [PATCH] Fix: override default restritive policy for identity admin.

---
 policies/identity_admin_policy.hcl | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/policies/identity_admin_policy.hcl b/policies/identity_admin_policy.hcl
index 3edb6ea..5d2ded5 100644
--- a/policies/identity_admin_policy.hcl
+++ b/policies/identity_admin_policy.hcl
@@ -1,8 +1,13 @@
 # Add identity admin role to the token
 path "identity/*" {
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+ capabilities = ["create", "read", "update", "delete", "list"]
 }
 
-path "identity/entity/*/name" {
- capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+# Override default policies for identity management
+path "identity/entity/id/{{identity.entity.id}}" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+path "identity/entity/name/{{identity.entity.name}}" {
+ capabilities = ["create", "read", "update", "delete", "list"]
 }
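Review bot: A holder of this policy can now rewrite its own entity, including the entity's `policies` list, because the two templated stanzas grant `create`, `update` and `delete` on `identity/entity/id/{{identity.entity.id}}` and on the `name` variant. That may be acceptable for an identity admin, since `identity/*` already allows writes to other entities and groups, but the self-assignment path should be stated in the comment and writes to these two paths should be watched in the audit log. If the aim is only to lift the default policy's read-only rule for self-lookup, a narrower `capabilities = ["read", "update"]` would presumably be enough; `list` should have no effect on a single-entity path. The comment would also be clearer if it said why the override is needed, for example `# The default policy grants only "read" on these exact templated paths, and the more specific path takes precedence over identity/*`.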