Teleport Role Access Requests
- Available for:
Teleport's Just-in-time Access Requests allow users to request access to additional roles in order to elevate their privileges. Requests can be escalated via ChatOps or anywhere else via our flexible Authorization Workflow API.
Access to an Enterprise edition of Teleport running in your environment.
For information about the differences between Teleport editions, see Comparing editions.
tctladmin tool and
tshclient tool version >= 15.1.1.
You can verify the tools you have installed by running the following commands:tctl version
Teleport Enterprise v15.1.1 go1.21tsh version
Teleport v15.1.1 go1.21
You can download these tools by following the appropriate Installation instructions for your environment and Teleport edition.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials.
tctlis supported on macOS and Linux machines. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
In this example, we will define three roles:
contractor: users with this role can request elevated access to the
dba: this role grants access to databases
approver: users with this role can approve requests for access to the
Users with this role can request access to the
This role grants access to databases.
# Only allows the contractor to use this role for 1 hour from time of request.
This role allows users to approve requests for the
# `review_requests` permits the listed roles to be approved
Roles containing a
review_requests rule can only be used in Teleport
Enterprise. In Teleport Community Edition, Access Requests must be approved by an admin
tctl on the Auth Server.
While Teleport Enterprise supports the same CLI-based workflows for requesting access to roles, most users will prefer to request access via the web UI.
To request access to one or more roles, navigate to the access requests page. You can find this page by selecting Resources on the side bar, expanding the Access Requests menu, and selecting New Request.
From here, the dropdown will allow you to request access to roles or to specific resources. Select roles in this dropdown and you will be presented with a list of roles you are permitted to request access to.
Click ADD TO REQUEST to include a role in the pending request.
Note: Access Requests must either contain roles or a set of specific resources. You can not mix the two. For more information on how to request access to specific resources, see the Resource Access Requests Guide.
When all desired roles have been added, click PROCEED TO REQUEST, where you can review and submit the request.
Reviewers can see a list of open requests by navigating to Management > Access Requests > Review Requests in the web UI.
Granting access to a role with the ability to edit other roles could allow a user to permanently upgrade their privileges. When reviewing requests, it's important to carefully consider the role(s) being requested and what permissions will be applied to the user if the request is approved.
Teleport Enterprise users with appropriate permissions can also approve requests
tsh command line:
tsh request review --approve <request-id>
Once a request has been approved, the requestor can elevate their access for both command-line workflows and web UI workflows.
For command-line use, the requestor should log in using the approved request ID:
log in with an approved access requesttsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9
In the web UI, the requestor can open their request on the Review Requests page and click ASSUME ROLES to gain access to additional roles. Note: role-based access requests are additive. The user will have access to their standard role set in addition to the roles granted by the request.
A banner will appear at the top of the page while the approved access request is active. When elevated access is no longer necessary, click Switch Back to revert to the original set of roles.
With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions.
|Set up Slack
|Set up Mattermost
|Set up Microsoft Teams
|Set up Jira
|Set up PagerDuty
|Set up email
|Set up Discord
|Set up OpsGenie
|Set up ServiceNow
See the Access Request Configuration guide for a detailed description of all the options you can configure to set up a just-in-time Access Request workflow for your organization.
Access Lists enable you to assign privileges to groups of users for a fixed period of time. Learn more about Access Lists in the documentation.