Entities not displayed in UI when using non-root token #7138

Closed
g-psantos opened this issue Jul 17, 2019 · 2 comments · Fixed by #7141

Describe the bug
Vault UI does not display "Entities" (under "Access") when a non-root token is used, even though Entities can be listed with that non-root token through the Vault CLI.

To Reproduce

  1. Create a policy with the permissions to read (and, optionally, create, update, and delete) entities. I've provided below the relevant part of the policy I'm using.
  2. Attach the policy created in Step 1 to a group.
  3. Add an entity to the group created in Step 2.
  4. Log in to Vault UI using the entity created or modified in Step 3.
  5. Use Vault UI's built-in console to verify that the entity has permission to list entities by ID and name: vault list identity/entity/[id|name]. The same can be done with the standard Vault CLI, using a token pertaining to the entity created or modified in Step 3.
  6. Navigate to the "Access" tab and confirm that "Entities" is not shown on the sidebar navigation, despite the entity having permission to list entities (as verified in Step 4).

# Entity and group lookups
path "identity/lookup/entity" {
  capabilities = ["create"]
}

path "identity/lookup/group" {
  capabilities = ["create"]
}

# Create entities
path "identity/entity" {
  capabilities = ["create"]
}

# List, read, modify, and delete entities
path "identity/entity/id/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "identity/entity/name/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Merge entities
path "identity/entity/merge" {
  capabilities = ["create", "update"]
}

# Create entity alias
path "identity/entity-alias" {
  capabilities = ["create", "update"]
}

# List, read, modify, and delete entity aliases
path "identity/entity-alias/id/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Expected behavior
If a token has permissions to list the entities in Vault, the UI should (1) display the "Entities" entry in the sidebar navigation for "Access" and (2) display the list of entities when the "Entities" page is active.

Environment:

  • Vault Server Version (retrieve with vault status): 1.1.3
  • Vault CLI Version (retrieve with vault version): 1.1.3
  • Server Operating System/Architecture: Provided upon request (assuming not relevant)

Vault server configuration file(s):

ui = true

storage "file" {
    path = "***"
}

listener "tcp" {
    address = "***"
    tls_cert_file = "***"
    tls_key_file = "***"
}

Additional context
Trying to create a non-root policy that enables certain administrators to manage authentication and authorization, including entities and groups.
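
An added example, not part of the original report or of the Vault code base: a simplified Python model of Vault's documented ACL path matching (an exact rule first, otherwise the longest rule ending in `*`), applied to the policy above. It assumes a single policy with no `deny` rules and no `+` wildcards, and the probe paths are constructed; it shows that this policy grants `list` only under the glob rules, so the trailing slash on the checked path matters.

```python
# Simplified model of Vault ACL path matching (added example, not Vault's code).
# Assumptions: one policy, no "deny" capability, no "+" segment wildcards.

# Paths and capabilities copied from the policy in the report.
POLICY = {
    "identity/lookup/entity": ["create"],
    "identity/lookup/group": ["create"],
    "identity/entity": ["create"],
    "identity/entity/id/*": ["create", "read", "update", "delete", "list"],
    "identity/entity/name/*": ["create", "read", "update", "delete", "list"],
    "identity/entity/merge": ["create", "update"],
    "identity/entity-alias": ["create", "update"],
    "identity/entity-alias/id/*": ["create", "read", "update", "delete", "list"],
}


def capabilities(path, policy=POLICY):
    """Return the capabilities the policy grants on one request path."""
    # 1. An exact (non-glob) rule wins outright.
    if path in policy:
        return sorted(policy[path])
    # 2. Otherwise the longest rule ending in "*" whose prefix matches applies.
    best = None
    for rule in policy:
        if rule.endswith("*") and path.startswith(rule[:-1]):
            if best is None or len(rule) > len(best):
                best = rule
    # 3. No rule matched: access is denied by default.
    return sorted(policy[best]) if best else ["deny"]


def audit(paths, policy=POLICY):
    """Map each path to its capabilities so a reviewer can spot gaps."""
    return {p: capabilities(p, policy) for p in paths}


if __name__ == "__main__":
    # Constructed probe paths: with and without the trailing slash, and a made-up name.
    probes = [
        "identity/entity/id/",
        "identity/entity/id",
        "identity/entity/name/example-entity",
        "identity/entity",
        "identity/group/id/",
    ]
    for path, caps in audit(probes).items():
        print(f"{path:40} {', '.join(caps)}")
```

Against a live server, `vault token capabilities <path>` reports the capabilities of the current token on a path.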

Contributor

andaley commented Jul 17, 2019

Hi there, thank you for reporting this and providing such great context! I have a fix in the works right now. Stay tuned.

Contributor

andaley commented Jul 19, 2019

Hello! This has been fixed and will be out with our next release. Thanks again for reporting!
