Application Access Role-Based Access Control
This article describes Access Control concepts particularly relevant to Teleport Application Access.
Assigning labels to applications
Teleport Application Access uses labels to control access to the proxied web applications.
Teleport administrators can assign static and dynamic labels to apps using configuration:
apps:
- name: "grafana"
uri: "http://localhost:3000"
# Static labels.
labels:
env: "prod"
group: "metrics"
# Teleport periodically executes commands in dynamic labels and uses the
# commands output in label values.
commands:
- name: "arch"
command: ["uname", "-p"]
period: 1m0s
Configuring application labels in roles
Teleport administrators can configure roles to allow or deny users' access to
applications with specific labels using app_labels property.
For example, this role will grant access to all applications from the group "metrics", except for the production ones:
kind: role
version: v4
metadata:
name: dev
spec:
allow:
app_labels:
group: "metrics"
deny:
app_labels:
env: "prod"
Integrating with identity providers
You can configure roles to populate app labels dynamically based on the user's
claims and attributes received from identity providers. This is done by using
template variables with external prefix.
For example, this role will have its env and group label values set after
the Okta user's attributes with the same names:
allow:
app_labels:
env: "{{external.env}}"
group: "{{external.group}}"
Next steps
- View access controls Getting Started and other available guides.
- Learn about using JWT tokens to implement access controls in your application.
- Integrate with your identity provider: