backport of commit 6685565b7e (#23341)

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2025-10-29 17:52:32 +00:00 · 2023-09-27 16:41:03 -04:00
parent 97ea4969a0
commit 8835db2484
8 changed files with 37 additions and 3 deletions
--- a/website/content/api-docs/system/config-group-policy-application.mdx
+++ b/website/content/api-docs/system/config-group-policy-application.mdx
@@ -10,6 +10,17 @@ description: The '/sys/config/group-policy-application' endpoint is used to conf

@include 'alerts/restricted-root.mdx'

+<Warning>
+  The group policy application mode only applies to ACL policies and no longer
+  affects Vault sentinel role governing policies (RGPs) for the following Vault
+  versions:
+
+  - `1.15.0+`
+  - `1.14.4+`
+  - `1.13.8+`
+
+</Warning>
+
 The `sys/config/group-policy-application` endpoint can be used to configure the
 mode of policy application for identity groups in Vault. This setting dictates
 the behavior across all groups in all namespaces in Vault.
--- a/website/content/docs/enterprise/sentinel/index.mdx
+++ b/website/content/docs/enterprise/sentinel/index.mdx
@@ -87,15 +87,38 @@ a step-by-step instruction.

 </Tip>

-Consider the following scenario. 
+<Warning>
+
+  As of the following versions, Vault only applies RPGs derived from identity
+  group membership to entities in child namespaces:
+
+  - `1.15.0+`
+  - `1.14.4+`
+  - `1.13.8+`
+
+</Warning>
+
+The scenarios below describe the relevant changes in more detail.
+
+#### Versions 1.15.0, 1.14.4, 1.13.8, and later
+
+The training namespace is a child namespace of the education namespace. The "Sun
+Shine" entity created in the training namespace is a member of the "Tester"
+group which is defined in the education namespace. The group members inherit the
+group-level policy.
+
+![Relationship](/img/diagram-rgp-namespace-post-115_light.png#light-theme-only)
+![Relationship](/img/diagram-rgp-namespace-post-115_dark.png#dark-theme-only)
+
+#### Versions 1.15.0-rc1, 1.14.3, 1.13.7, and earlier

 The training namespace is a child namespace of the education namespace. The "Sun
 Shine" entity created in the education namespace is a member of the "Tester"
 group which is defined in the training namespace. The group members inherit the
 group-level policy.

-![Relationship](/img/diagram-rgp-namespace_light.png#light-theme-only)
-![Relationship](/img/diagram-rgp-namespace_dark.png#dark-theme-only)
+![Relationship](/img/diagram-rgp-namespace-pre-115_light.png#light-theme-only)
+![Relationship](/img/diagram-rgp-namespace-pre-115_dark.png#dark-theme-only)

 While ACL policies and EGPs set rules on a specific path, an RGP does not
 specify a target path. RGPs are tied to tokens, identity entities, or identity
--- a/website/public/img/diagram-rgp-namespace-post-115_dark.png
+++ b/website/public/img/diagram-rgp-namespace-post-115_dark.png
--- a/website/public/img/diagram-rgp-namespace-post-115_light.png
+++ b/website/public/img/diagram-rgp-namespace-post-115_light.png
--- a/website/public/img/diagram-rgp-namespace-pre-115_dark.png
+++ b/website/public/img/diagram-rgp-namespace-pre-115_dark.png
--- a/website/public/img/diagram-rgp-namespace-pre-115_light.png
+++ b/website/public/img/diagram-rgp-namespace-pre-115_light.png
--- a/website/public/img/diagram-rgp-namespace_dark.png
+++ b/website/public/img/diagram-rgp-namespace_dark.png
--- a/website/public/img/diagram-rgp-namespace_light.png
+++ b/website/public/img/diagram-rgp-namespace_light.png