Merge 693ccc7 into cc7bad6

README.md

@@ -541,7 +541,7 @@ The optional `--expires-in` parameter allows specifying the number of *days* unt
 
 NOTE: In Gen3, you can grant specific access to a client the same way you would to a user. See the [user.yaml guide](https://github.com/uc-cdis/fence/blob/master/docs/user.yaml_guide.md) for more details.
 
-NOTE: Client credentials tokens are not linked to a user. They are not supported by all Gen3 endpoints.
+NOTE: Client credentials tokens are not linked to a user (the claims contain no `sub` or `context.user.name` like other tokens). Some Gen3 endpoints that assume the token is linked to a user, or whose logic require there being a user, do not support them. For an example of how to adapt an endpoint to support client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/a5078fae27fa258ac78045cf2bb89cb2104f53cf). For an example of how to explicitely reject client credentials tokens, see [here](https://github.com/uc-cdis/requestor/commit/0f4974c25343d2185c7cdb48dcdeb58f97800672).
 
 #### Modify OAuth Client
 

docs/user.yaml_guide.md

@@ -143,6 +143,14 @@ The resource tree contains, among other resources, the programs and projects cre
 ```
 Policies would refer to this resource as `/programs/program1/projects/P1`.
 
+There are several ways to attach a policy to a user:
+- In the `users` section, under the appropriate username, in the list of `policies`;
+- In the `groups` section, add the username to the group's `users` and the policy to the group's `policies`;
+- In the `anonymous_policies` group, add policies that anyone should have (there is no need to set specific usernames in this case);
+- In the `all_users_policies` group, add policies that all logged in users should have (there is no need to set specific usernames in this case).
+
+Policies can also be attached to Fence OIDC clients in the `clients` section. Use the client's `name` (not `client_id`) to grant access to a client.
+
 ### Programs and projects CRUD access
 
 ```