Access Controls FAQ
In this case, the access will be granted only if all of the labels defined in the role are present. This effectively means Teleport uses an "AND" operator when evaluating node-level access using labels.
No. OpenSSH servers running
sshd can't label themselves. This is a factor in deciding
to run the Teleport Node Service instead.
Resource Access Requests embed the UUID of requested resources in order to ensure that extra access isn't mistakenly granted due to overlapping hostnames.
In order for Access Request reviewers to see the hostname, they must either:
- Have permissions to access the requested server themselves, or
preview_as_rolesset with a role that can access the server