Teleport Policy Usage

Policy use with the Access Graph provides a framework for visualizing and managing access controls across an organization’s infrastructure.

This interface allows administrators to quickly identify and address potential security risks, such as overly broad permissions or conflicting roles, ensuring that access is granted according to the principle of least privilege.

How to use Policy with Access Graph

Teleport Access Graph can help you answer questions like:

  • Who can access a specific resource?

Determine who has access to resources and understand the pathways that grant that access.

  • What resources can a specific user access?

At a glance, you can view all the resources a user can access.

The left hand side menu contains the main navigation options:

  • Graph view
  • Search view
  • SQL editor (query editor)
  • Integrations (connection view)

Graph View

Graph view is the main view that shows the connections between identities and resources. By default, an aggregated view of access paths grouped by identity is shown.

To search for a graph node, use the search bar at the top of the page or the search icon on the right hand side.

You can then search through all node types and all imported entities.

Graph nodes

Teleport Access Graph divides your infrastructure into six main components:

  1. Identities (Identity Node)

Identities are the actors that can access your infrastructure. They can be employees, contractors, machines or bots.

The number on the right hand side shows "standing privileges". Standing privileges are the number of resources that an identity can access without creating an access request.

  2. User Groups (Identity Group Node)

Identity Groups are collections of identities. They can be used to organize users based on their role or team, and they can be nested.

  3. Actions (Action Node)

Actions are the things that identities can or cannot do. Actions are related to resources. For example, a user can SSH into a node.

  4. Deny Actions (Deny Action Node)

Deny Actions are the things that identities cannot do. Deny Actions are related to resources. For example, a user cannot SSH into a node.

  5. Resource Groups (Resource Group Node)

Resource Groups are collections of resources. They can be used to organize resources based on their role or team.

The number on the right hand side shows the number of resources that a resource group contains.

  6. Resources (Resource Node)

Resources are the things that users can or cannot access. They can be servers, databases, or Kubernetes clusters.

SQL Editor

Access Graph allows creating SQL-like queries to explore the graph.

The query language lets you create different views of the graph, for example:

Show only allowed paths:

SELECT * FROM access_path WHERE kind = 'ALLOWED';

Show only denied paths:

SELECT * FROM access_path WHERE kind = 'DENIED';

Show all access paths for a user:

SELECT * FROM access_path WHERE identity = 'bob';

Show all access paths for a user AND a resource:

SELECT * FROM access_path WHERE identity = 'bob' AND resource = 'postgres';

Show all access paths for resources with specific labels:

SELECT * FROM access_path WHERE resource_labels @> '{"key": "value"}';
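As an added example (not part of the Teleport documentation itself), the following queries combine the filters shown above to answer the two review questions posed earlier on this page: who can reach a given resource, and what a given user is explicitly denied. They use only the access_path table, the kind, identity, resource and resource_labels columns and the @> operator already shown; the identity, resource and label values are constructed sample values, and the assumption that these predicates can be combined with AND follows the user-and-resource example above.

```sql
-- Who can access a specific resource? Keep only allowed paths to the
-- constructed sample resource 'postgres'.
SELECT * FROM access_path WHERE kind = 'ALLOWED' AND resource = 'postgres';

-- What is a specific user explicitly denied? Deny paths for the sample
-- identity 'bob'; comparing this with the ALLOWED set for the same user
-- shows which allow paths are cut off by deny rules.
SELECT * FROM access_path WHERE kind = 'DENIED' AND identity = 'bob';

-- Least-privilege review: allowed paths to resources carrying the constructed
-- label env=prod, to spot identities with standing access to production.
SELECT * FROM access_path
WHERE kind = 'ALLOWED' AND resource_labels @> '{"env": "prod"}';
```

Run each query in the SQL editor and review the returned paths; the third query is the one to revisit after every role change, since any new identity appearing in its result set has gained standing access to production without an access request.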

More actionable examples are available under the ? icon.