From 7f08b52a0c797b02902e0971470330ba7540be01 Mon Sep 17 00:00:00 2001 From: hygienic-books Date: Tue, 25 Apr 2023 02:19:44 +0200 Subject: [PATCH] feat(docs): Summarize orphan tokens (#3) --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index aae30ea..ada0483 100644 --- a/README.md +++ b/README.md @@ -185,6 +185,10 @@ Their `list` permission only begins one lever deeper at `kv/list/for_rbacgroup_z https://f.q.d.n/ui/vault/secrets/kv/list/for_rbacgroup_zabbix ``` +### Permission to create orphan tokens + +The next example will explain orphan tokens. If you've followed examples above your Vault instance will have an `administrators` group with an `administrator` policy assigned to it. Users in that group will already have `write` access to `auth/token/create-orphan` so you can just use one of your `administrators` entities to follow along. + ## Clean-up If during any of the above steps you've used the Vault command-line client to authenticate against Vault with your `root` token make sure that client's `~/.vault-token` file is deleted. It contains the verbatim `root` token.
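Review bot: The added paragraph under `### Permission to create orphan tokens` says "The next example will explain orphan tokens", but in this hunk the section is followed directly by `## Clean-up`, so the forward reference points at nothing and the section never says what an orphan token is, even though the subject line promises a summary. Either place the section immediately before the example it introduces, or add one sentence defining the term (a token with no parent, so it is not revoked when the token that created it is revoked). The paragraph also refers to `write` access on `auth/token/create-orphan` without showing where that comes from. Quoting the relevant path stanza of the `administrator` policy would let readers verify the grant instead of assuming it. Since the text steers readers to use an `administrators` entity, a short note that tokens created this way outlive their creator and should be given a TTL and revoked during `## Clean-up` would fit the existing advice there about deleting `~/.vault-token`. Minor wording: "If you've followed the examples above, your Vault instance will have ...".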