Teleport Policy

Teleport Policy streamlines and centralizes access management across your entire infrastructure.

Teleport Policy with Access Graph provides a visual representation of the relationships between users, roles, and resources in your organization. It can help you answer questions like:

  • What resources can a specific user access?
  • What users can access a specific resource?
  • What are the relationships between users, roles, and resources?

Access Graph is a feature of the Teleport Policy product that is only available to Teleport Enterprise customers.

After logging into the Teleport UI, go to the Management tab. If enabled, Access Graph options can be found under the Permission Management section.

Graph nodes

Teleport Access Graph divides your infrastructure into six kinds of node:

  1. Identities

Identities are the actors that can access your infrastructure. They can be employees, contractors, machines or bots.

The number on the right hand side shows "standing privileges": the number of resources that an identity can access without creating an access request.

  2. User Groups

User Groups are collections of identities. They can be used to organize users based on their role or team, and they can be nested.

  3. Actions

Actions are the operations that identities are allowed to perform. Actions always relate to resources. For example, a user can SSH into a node.

  4. Deny Actions

Deny Actions are the operations that identities are explicitly forbidden to perform. Deny Actions also relate to resources. For example, a user cannot SSH into a node.

  5. Resource Groups

Resource Groups are collections of resources. They can be used to organize resources based on their role or team.

The number on the right hand side shows the number of resources that a resource group contains.

  6. Resources

Resources are the things that identities can or cannot access. They can be servers, databases, or Kubernetes clusters.

Graph paths

Teleport Access Graph shows the relationships between identities, roles, and resources as paths between nodes. A path always traverses nodes in the following order:

  1. Identities
  2. User Groups
  3. Actions (or Deny Actions)
  4. Resource Groups
  5. Resources

Paths fall into two categories:

  1. Allow paths

Allow paths connect identities to resources. They show what an identity can access and which actions it can perform.

  2. Deny paths

Deny paths connect identities to resources. They show what an identity cannot access and which actions it cannot perform. Deny paths take precedence over allow paths: if both an allow path and a deny path exist between an identity and a resource, the access is denied.

How to use it

Teleport Access Graph can help you to answer questions like:

  • Who can access a specific resource?
  • What resources can a specific user access?

Navigation

The left hand side menu contains the main navigation options:

  • Graph view
  • Search
  • SQL editor
  • Integrations

Graph View

Graph view is the main view that shows the connections between identities and resources. By default, an aggregated view of access paths grouped by identity is shown.

To search for a graph node use the search bar at the top of the page or the search icon on the right hand side.

You can then search through all node types and all imported entities.

SQL Editor

Access Graph lets you write SQL-like queries to explore the graph.

The query language lets you build different views of the graph, for example:

Show only allowed paths

SELECT * FROM access_path WHERE kind = 'ALLOWED';

Show only denied paths

SELECT * FROM access_path WHERE kind = 'DENIED';

Show all access paths for a user

SELECT * FROM access_path WHERE identity = 'bob';

Show all access paths for a user AND resource

SELECT * FROM access_path WHERE identity = 'bob' AND resource = 'postgres';

More examples are available under the ? icon.

Integrations

The Integrations page lists the integrations that are already enabled in Access Graph, and those that can be enabled.

Note

Resources imported into Teleport through Teleport-enabled integrations are automatically imported into Access Graph without any additional configuration.

How resources and identities are represented

Access Graph imports all resources and identities from Teleport and keeps them up to date: every change you make to your Teleport resources is reflected in the Access Graph.

Identities

Users are created from Teleport Users. Local users are imported as soon as they are created. External users (created from authentication connectors for GitHub, SAML, etc.) are imported when they log in for the first time.

User Groups

User Groups are created from Teleport Roles and access requests. Roles create User Groups where the members are the users that have that role. Access requests create a temporary User Group where the members are the users that got the access through the accepted access request.

Actions

Actions are created from Teleport roles. Actions can be divided into three categories:

  1. Allow Actions

Allow Actions are created from the allow rules of Teleport roles. Allow Actions are the things that users can do. For example, a user can SSH into a node.

  2. Deny Actions

Deny Actions are created from the deny rules of Teleport roles. Deny Actions are the things that users cannot do. For example, a user cannot SSH into a node. Deny Actions take precedence over Allow Actions.

  3. Temporary Actions

Temporary Actions are created when a user is granted temporary access to a resource, for example through an approved access request. They are automatically deleted when the user's access expires. Temporary actions can be identified by their Temporary: true property.

Resource Groups

Resource Groups are created from Teleport roles.

Resources

Resources are created from Teleport resources like nodes, databases, and Kubernetes clusters.
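The following is an added example, not Teleport's own code or query engine: a small Python model of the path semantics described above (identity → role-derived group → allow/deny action → resource), including deny precedence over allow paths and over temporary access, the "standing privileges" count, and a filter function that mirrors the identity/resource/kind predicates of the SQL editor queries. The roles, users, resources, access request and the mapping of node_labels/db_labels selectors to an "ssh"/"db-connect" action are all constructed for illustration; real Teleport role evaluation covers many more fields.

```python
"""Toy model of Access Graph allow/deny paths (constructed example, not Teleport code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    identity: str
    group: str        # role name, or "request:<id>" for an access-request group
    kind: str         # "ALLOWED" or "DENIED"
    action: str       # "ssh" or "db-connect" (assumed action names)
    resource: str
    temporary: bool = False


# Assumed mapping: role selector key -> (resource kind it targets, action it grants).
SELECTORS = {"node_labels": ("node", "ssh"), "db_labels": ("db", "db-connect")}

# Constructed resources, keyed by name, with a "kind" label plus ordinary labels.
RESOURCES = {
    "web-dev-1": {"kind": "node", "env": "dev"},
    "web-prod-1": {"kind": "node", "env": "prod"},
    "postgres": {"kind": "db", "env": "prod"},
}

# Constructed roles in the shape of a Teleport role spec (allow/deny label selectors).
ROLES = {
    "dev": {"allow": {"node_labels": {"env": "dev"}}},
    "ops": {"allow": {"node_labels": {"*": "*"}}},
    "dba": {"allow": {"db_labels": {"*": "*"}}},
    "no-prod": {"deny": {"node_labels": {"env": "prod"}, "db_labels": {"env": "prod"}}},
}

USERS = {"bob": ["dev", "no-prod"], "alice": ["ops", "dba"]}

# Constructed approved access request: bob temporarily holds the "dba" role.
ACCESS_REQUESTS = [{"id": "req-1", "user": "bob", "roles": ["dba"]}]


def labels_match(selector, labels):
    """{"*": "*"} matches every resource; otherwise each key must be present and equal ("*" matches any value)."""
    if selector == {"*": "*"}:
        return True
    return all(k in labels and (v == "*" or labels[k] == v) for k, v in selector.items())


def role_paths(identity, group, role, resources, temporary=False):
    """Expand one role held by one identity into ALLOWED/DENIED paths to matching resources."""
    out = []
    for section, kind in (("allow", "ALLOWED"), ("deny", "DENIED")):
        for sel_key, (res_kind, action) in SELECTORS.items():
            selector = role.get(section, {}).get(sel_key)
            if not selector:
                continue
            for name, labels in resources.items():
                if labels["kind"] == res_kind and labels_match(selector, labels):
                    out.append(Path(identity, group, kind, action, name, temporary))
    return out


def build_paths(users, roles, resources, access_requests=()):
    """Standing role memberships become permanent paths; access requests become temporary ones."""
    paths = []
    for user, role_names in users.items():
        for rn in role_names:
            paths += role_paths(user, rn, roles[rn], resources)
    for req in access_requests:
        for rn in req["roles"]:
            paths += role_paths(req["user"], f"request:{req['id']}", roles[rn], resources, temporary=True)
    return paths


def effective_access(paths, identity, resource):
    """Deny paths win over allow paths, including allow paths granted by an access request."""
    kinds = {p.kind for p in paths if p.identity == identity and p.resource == resource}
    if "DENIED" in kinds:
        return "DENIED"
    return "ALLOWED" if "ALLOWED" in kinds else None


def standing_privileges(paths, identity):
    """Number of resources reachable without an access request, after deny precedence."""
    denied = {p.resource for p in paths if p.identity == identity and p.kind == "DENIED"}
    allowed = {p.resource for p in paths
               if p.identity == identity and p.kind == "ALLOWED" and not p.temporary}
    return len(allowed - denied)


def query(paths, **where):
    """Filter like `SELECT * FROM access_path WHERE col = 'v' [AND ...]` (equality predicates only)."""
    return [p for p in paths if all(getattr(p, k) == v for k, v in where.items())]


PATHS = build_paths(USERS, ROLES, RESOURCES, ACCESS_REQUESTS)

if __name__ == "__main__":
    for p in query(PATHS, identity="bob", resource="postgres"):
        print(p)
    print("bob -> postgres:", effective_access(PATHS, "bob", "postgres"))
    print("bob standing privileges:", standing_privileges(PATHS, "bob"))
```

Running the script shows the point the Deny paths section makes: bob's approved access request creates a temporary ALLOWED path to postgres, but the deny rule in his standing no-prod role still wins, so the effective access is DENIED and postgres does not count toward his standing privileges.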