So now I think I’m getting close to having a permission model i can work with, But i’m confused on principal policies. I’m trying to create a principal policy to override only a scoped policy, but it complains that that i’m missing a scoped prinicpal policy for

vdefault

because my intent is to only have a principal policy to override scope “customer”. How do i define essentially a no-op vdefault principal policy to satisfy the hierarchy? Or maybe I’m not understanding how principal policies work?

Hi, yeah, you do need a no-op policy at the root scope - this isn't specific to principal policies (all scoped policies must have unbroken chains).

Yeah it’s niche. I basically need a principal policy for cases where a specific user needs access to a resource regardless of role. I don’t expect to have everything covered by principal policies. But i need to be able to cover the case where some user can be granted access to a beta feature etc for testing kind of thing. I think i got it working, if i put the principal policy in the default scope. It seems to work a little different than I expect where i need to override each action?