cyberark / conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
https://conjur.org

How do I access the /accounts endpoint? #1966

Closed martin-vesterlund closed 3 years ago

martin-vesterlund commented 3 years ago

Summary

In the section regarding Account management it is written

"Accounts can be listed, created, and deleted via the /accounts service. Permission to use this service is controlled by the built-in resource !:webservice:accounts. Note that ! is itself an organization account, and therefore privileges on the !:webservice:accounts can be managed via Conjur policies."

However, there is no documentation providing a way to actually manage the policies in the ! account, or, to put it another way: how do I write a policy that gives the Conjur user X access to !:webservice:accounts?

Steps to Reproduce

Steps to reproduce the behavior:

  1. Go to https://github.com/cyberark/conjur#account-management
  2. Click on https://developer.conjur.net/policy

Expected Results

A clear description of how to write a policy that grants access to the endpoint /accounts

Reproducible

Version/Tag number

Conjur-oss 1.10.0

izgeri commented 3 years ago

Hey @martin-vesterlund.

At present, Conjur is effectively a single-tenant system. There are a few minor changes we could make to support multitenancy (detailed roughly here: https://github.com/cyberark/conjur/issues/1328), but making these changes has been lower priority.

You did flag in your issue an old docs link - I've put in a PR to fix it in #1967.

We are in the middle of a project to document Conjur's API in an OpenAPI v3 spec. It's possible that during this project we'll get to documenting the /accounts route and removing any roadblocks to its use - as noted on the page you found, the permissions to access that route are a bit tricky.

If you have a use case for Conjur multitenancy, can you share more info about it in Discourse? I'd be interested to talk more with you about it.

Since #1967 fixes the doc bug you noticed (pointing to a different API version's docs) and we already have other issues for supporting multitenancy (#1328) and for better documenting the /accounts endpoint (cyberark/conjur-openapi-spec#5), I'm going to close this issue for now. I hope you do decide to share more info on your use case in Discourse, though!

martin-vesterlund commented 3 years ago

Hi @izgeri.

Thank you for the reply, I'll come back with our use case in the Discourse as suggested :)