Clarify the distinction between token and identity policies. (#13614)

hashicorp · Jan 11, 2022 · 7f6e685 · 7f6e685
1 parent e712044
commit 7f6e685
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx
@@ -717,14 +717,22 @@ authenticated user.
 
 ### Tokens
 
+Tokens have two sets of policies: identity policies, which are computed
+based on the entity and its groups, and token policies, which are either defined
+based on the login method or, in the case of explicit token creates via the API,
+are an input to the token creation.  What follows concerns token policies
+exclusively: a token's identity policies cannot be controlled except by modifying
+the underlying entities, groups, and group memberships.
+
 Tokens are associated with their policies at creation time. For example:
 
 ```shell-session
 $ vault token create -policy=dev-readonly -policy=logs
 ```
 
-Child tokens can be associated with a subset of a parent's policies. Root users
-can assign any policies.
+Normally the only policies that may be specified are those which are present
+in the current token's (i.e. the new token's parent's) token policies.
+However, root users can assign any policies.
 
 There is no way to modify the policies associated with a token once the token
 has been issued. The token must be revoked and a new one acquired to receive a