Hello! I'm wondering if someone would be able to offer me a bit of guidance around policies 🙏 The scenario we're in is a service that has principals made up of service accounts and real people. All principals are supplied by an OAuth2 service and follow the same schema. I'm looking for guidance on best practices here.
What I've considered so far is:
- A separate principal policy for each service account across each environment. From a scalability POV that scared me, as the UUIDs could change, or at least are not known until they are provisioned, so it would require active management. The IDs also vary across environments, so we would need a separate policy for each one.
- Use roles and assign unique roles to the SA. My concern here is that we did this in our last access management solution and it resulted in hundreds of very granular permissions, which was hard to manage.
I'm sure there's an option that I've missed and I'm not seeing 🙈