@kgilpin
Created February 2, 2018 16:15
User management bug
root@3935c7d86a07:/# cat policy-2.yml
- !user alice
- !group developers
- !grant
  role: !group developers
  member: !user alice
- !group developers
- !grant
  role: !group developers
  member: !user alice
root@3935c7d86a07:/# conjur user create --as-group security_admin alice
Enter your username to log into Conjur: admin
Please enter your password (it will not be echoed):
WARNING! This command is deprecated and will be removed. Use policy instead.
{
  "login": "alice",
  "userid": "admin",
  "ownerid": "cucumber:group:security_admin",
  "uidnumber": 1101,
  "roleid": "cucumber:user:alice",
  "resource_identifier": "cucumber:user:alice",
  "api_key": "1bm24dm3r19fgf3kc0h231p5284e672rxk34tpfg1e37zw52hjcfwj"
}
root@3935c7d86a07:/# vi policy.yml
root@3935c7d86a07:/# conjur policy load --as-group security_admin policy.yml
Create group 'developers'
Grant group 'developers' to user 'alice'
{}
root@3935c7d86a07:/# conjur user retire alice
WARNING! This command is deprecated and will be removed. Use policy instead.
Revoking from role cucumber:group:security_admin
Giving ownership to 'cucumber:user:attic'
User retired
root@3935c7d86a07:/# cp policy.yml policy-2.yml
root@3935c7d86a07:/# vi policy-2.yml
root@3935c7d86a07:/# conjur policy load --as-group security_admin policy-2.yml
error: Authable::Rails::AuthableController::Forbidden
root@3935c7d86a07:/# conjur elevate policy load --as-group security_admin policy-2.yml
Give user resource 'alice' to group role 'security_admin'
Grant user role 'alice' to group role 'security_admin' with admin option
{}
root@3935c7d86a07:/# conjur group members list developers
[
  "cucumber:group:security_admin",
  "cucumber:user:alice"
]
root@3935c7d86a07:/#