Desktop Access Role-Based Access Control

Teleport's RBAC allows administrators to set up granular access policies for Windows desktops connected to Teleport.

Teleport's role resource provides the following options for controlling desktop access:

kind: role
version: v4
metadata:
  name: developer
spec:
  options:
    # Specify whether or not to record the user's desktop sessions.
    # Desktop session recording is enabled if one or more of the user's
    # roles has enabled recording. Defaults to true if unspecified.
    # Desktop sessions will never be recorded if auth_service.session_recording
    # is set to 'off' in teleport.yaml or if the cluster's session_recording_config
    # resource has set 'mode: off'.
    record_sessions:
      desktop: true

    # Specify whether clipboard sharing should be allowed with the
    # remote desktop (requires a supported browser). Defaults to true
    # if unspecified. If one or more of the user's roles has disabled
    # the clipboard, then it will be disabled.
    desktop_clipboard: true
  allow:
    # Label selectors for desktops this role has access to.
    windows_desktop_labels:
      environment: ["dev", "stage"]

    # Windows user accounts this role can connect as.
    windows_desktop_logins: ["Administrator", "{{internal.windows_logins}}"]

Labeling

Both allow and deny rules support windows_desktop_labels selectors. These selectors are matched against the labels set on the desktop. It is possible to use wildcards ("*") to match all desktop labels.

Windows desktops acquire labels in two ways:

1. The host_labels rules defined in the windows_desktop_service section of your Teleport configuration file.
2. Automatic teleport.dev/ labels applied by Teleport (for desktops discovered via LDAP only)

For example, the following host_labels configuration would apply the environment: dev label to a Windows desktop named test.dev.example.com and the environment: prod label to desktop.prod.example.com:

host_labels:
  - match: '^.*\.dev\.example\.com$'
    labels:
      environment: dev
  - match: '^.*\.prod\.example\.com$'
    labels:
      environment: prod

For desktops discovered via LDAP, Teleport applies the following labels automatically:

Logins

The windows_desktop_logins role setting lists the Windows user accounts that the role permits access to. For local users, the {{internal.windows_logins}} variable can be used as a placeholder for the user's windows_logins trait. The windows_logins trait can be specified when the user is created with tctl users add alice --windows-logins=Administrator,DBUser.

New clusters automatically populate the preset access role with the following:

allow:
  windows_desktop_logins: ["{{internal.windows_logins}}"]

Clipboard Access

In order for a user to copy and paste between a remote desktop and their local workstation, clipboard sharing must be enabled for the user. The desktop_clipboard role option defaults to enabled if unspecified. To disable clipboard sharing for a Teleport user, ensure that they are assigned at least one role that explicitly disables clipboard sharing:

desktop_clipboard: false

Session Recording

In order for a Teleport user's desktop sessions to be recorded, the following must both be true:

• Session recording is enabled (i.e. not set to off) on the cluster. This setting resides in teleport.yaml under auth_service.session_recording, but can also be configured dynamically via the cluster's session_recording_config resource.
• The user's roles enable desktop session recording.

By default, desktop session recording is considered enabled in Teleport roles unless it is explicitly disabled:

record_sessions:
  desktop: false

In order to disable desktop session recording for a user, all of the user's roles must disable it. In other words, the presence of a single role which enables recording is enough to ensure sessions are recorded.