diff --git a/src/vault_setup.rs b/src/vault_setup.rs
index 771b3cf..872840e 100644
--- a/src/vault_setup.rs
+++ b/src/vault_setup.rs
@@ -442,6 +442,9 @@ impl VaultClient {
 Department::Finance => "finance",
 };
 
+ // Get the username from the policy name (remove "-policy" suffix)
+ let username = policy_name.trim_end_matches("-policy");
+
 // Policy content with specific paths for the department
 let policy = format!(r#"
 # Allow reading document metadata
@@ -449,8 +452,8 @@ impl VaultClient {
 capabilities = ["read"]
 }}
 
- # Allow signing with user's key
- path "transit/sign/{{{{identity.entity.name}}}}" {{
+ # Allow signing with user's key - use explicit username instead of identity.entity.name
+ path "transit/sign/{}" {{
 capabilities = ["update"]
 }}
 
@@ -463,7 +466,7 @@ impl VaultClient {
 path "documents/data/dept/{}/signatures/*" {{
 capabilities = ["create", "read", "update"]
 }}
- "#, dept_name);
+ "#, username, dept_name);
 
 let url = format!("{}/v1/sys/policies/acl/{}", self.addr, policy_name);
 let payload = json!({
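Review bot: `trim_end_matches("-policy")` on the new `let username` line cannot fail, so a policy_name that lacks the suffix yields the whole name and one with a repeated suffix is stripped repeatedly; either way a malformed name silently produces a policy granting `transit/sign/<unintended name>` instead of an error. `strip_suffix` makes the invariant explicit and surfaces the mismatch, e.g. `let Some(username) = policy_name.strip_suffix("-policy") else { /* return an error: policy name must be "<username>-policy" */ };` (or the equivalent `.ok_or_else(..)?`), using whatever error type this method already returns. The comment should also record that, with the `identity.entity.name` template gone, the signing grant no longer binds to the token holder and rests entirely on this policy being attached only to that user's auth entity. The enclosing method starts and ends outside the hunk.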
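Review bot: `username` is interpolated unescaped into the ACL path on the new `path "transit/sign/{}" {{` line, so if policy_name can be influenced by a caller, characters that Vault treats specially in policy paths (`*`, `+`, `/`) or that terminate the HCL string (`"`) widen or rewrite the grant — a value of `*` alone yields `transit/sign/*`, signing with every transit key. The value should be checked before it reaches `format!`, e.g. `if username.is_empty() || !username.chars().all(|c| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.')) { /* reject with an error */ }`, or the comment must state that policy_name is trusted, server-generated input only. Whether policy_name is caller-controlled is not visible here, and the enclosing method starts and ends outside the hunk.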