How-To Series · 9: Locking It Down

Managed Scope

Pin config and secrets across every user on a machine, where the admin's values win and users cannot override them.

After this video
You can pin a fleet-wide baseline of config and secrets that standard users cannot change.

Managed scope lets an administrator push config and secrets that a standard user cannot override. Hermes reads them from a root-owned system directory (default /etc/hermes) holding a managed config.yaml and .env; for exactly the keys they pin, those files win over the user's own files and even the shell environment. Filesystem permissions are the enforcement. Merging is leaf-level, hermes config and hermes doctor show which values are managed, and v1 is a Linux-first management boundary, not an inescapable sandbox.

About these resources. This episode explains how to set up managed scope in Hermes. The Sources block names the Hermes docs page that backs every claim.

Sources · What this video distills

1 docs page · every command below traces to it
Primary guide: Managed Scope

Commands shown · Copy and paste

Each command names the source doc it came from.

Create the managed scope directory (from: Managed Scope)
  sudo mkdir -p /etc/hermes

Set managed file permissions (from: Managed Scope)
  sudo chmod 0644 /etc/hermes/config.yaml /etc/hermes/.env

Verify the resolved managed directory (from: Managed Scope)
  hermes doctor
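The precedence and merge rules from the overview above, together with the permission-based enforcement the three commands rely on, as an added illustration that is not Hermes's own code. leaf_merge, managed_leaves, parse_dotenv, resolve_env and check_managed_dir are hypothetical helper names; the sample config mappings, .env text and the throwaway directory are constructed; and the ordering between the user's .env and the shell for keys the admin does not pin is an assumption, since the page only states that managed values win.

```python
import os
import stat
import tempfile

MANAGED_DIR = "/etc/hermes"  # default managed directory named on the page


def leaf_merge(base, managed):
    """Write managed leaves over base. Nested mappings merge key by key, so a
    managed file that pins one leaf leaves its siblings from the user's file
    untouched; the managed value wins wherever both define a leaf."""
    merged = dict(base)
    for key, value in managed.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = leaf_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def managed_leaves(managed, prefix=""):
    """Dotted paths of every leaf the managed file pins: the set a tool such
    as hermes config has to report as managed."""
    paths = []
    for key, value in managed.items():
        path = prefix + key
        if isinstance(value, dict):
            paths.extend(managed_leaves(value, path + "."))
        else:
            paths.append(path)
    return paths


def parse_dotenv(text):
    """Minimal KEY=VALUE parser; blank lines and # comments are skipped and
    surrounding quotes are stripped from values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def resolve_env(shell_env, user_env, managed_env):
    """Managed .env entries beat both the user's .env and the shell, but only
    for the keys they define. Assumption (not stated on the page): for
    unpinned keys the shell wins over the user's .env."""
    resolved = dict(user_env)
    resolved.update(shell_env)
    resolved.update(managed_env)
    return resolved


def check_managed_dir(path=MANAGED_DIR, expected_uid=0):
    """Filesystem permissions are the enforcement, so verify them: the
    directory and both managed files must be owned by expected_uid (root by
    default) and carry no group or world write bit. Returns findings; an
    empty list means the boundary holds."""
    findings = []
    entries = [path] + [os.path.join(path, n) for n in ("config.yaml", ".env")]
    for entry in entries:
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append(f"{entry}: missing")
            continue
        if st.st_uid != expected_uid:
            findings.append(f"{entry}: owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{entry}: writable by group or others (mode {mode:04o})")
    return findings


def demo_permission_check():
    """Constructed demo: a throwaway directory laid out like /etc/hermes,
    checked with the 0644 files from the page and again after .env is made
    world-writable. Ownership is compared to this process's uid because the
    demo does not run as root."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name in ("config.yaml", ".env"):
        target = os.path.join(root, name)
        with open(target, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(target, 0o644)
    clean = check_managed_dir(root, expected_uid=os.getuid())
    os.chmod(os.path.join(root, ".env"), 0o666)  # the defect a fleet check must catch
    weakened = check_managed_dir(root, expected_uid=os.getuid())
    return clean, weakened


if __name__ == "__main__":
    # Constructed sample: the user sets two model keys and a theme; the admin
    # pins only model.name, so temperature and theme survive the merge.
    user_cfg = {"model": {"name": "user-model", "temperature": 0.7}, "theme": "dark"}
    managed_cfg = {"model": {"name": "approved-model"}}
    print(leaf_merge(user_cfg, managed_cfg), managed_leaves(managed_cfg))
    managed_env = parse_dotenv('API_KEY="managed-key"\n')
    print(resolve_env({"API_KEY": "shell"}, {"API_KEY": "user", "REGION": "eu"}, managed_env))
    print(demo_permission_check())
```

check_managed_dir is the check worth running against the real /etc/hermes after the chmod step: the page's 0644 files and a root-owned directory produce no findings, while a group- or world-writable bit, or a file not owned by root, is exactly the condition under which a standard user could rewrite the "managed" values.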
