Date: 2025-10-30
Version: 18.x

Step 3 - Set Up Access Controls

Teleport uses Role-Based Access Control (RBAC) to determine who can access what across your infrastructure.

Every Teleport user is assigned one or more roles. These roles define the user's permissions, such as:

What infrastructure resources they can access

Whether they can request temporary access

Whether they can edit cluster settings or view session recordings

You can assign roles when creating users or manage them later in the Teleport Web UI.

You were able to connect to your Ubuntu server in Step 2 because of the preset roles assigned to your user account when you created your cluster.

To see which roles you currently have:

1. In the Teleport Web UI, navigate to Zero Trust Access > Users.
2. Find your user, then select Options > Edit.
3. Under User Roles, you'll see the roles assigned to you.

You likely have at least the access and editor roles assigned. The access role is what granted you permission to SSH into your server.

Teleport includes several preset roles to help you get started:

| Role | Description |
|------|-------------|
| access | Grants access to infrastructure resources. |
| editor | Allows editing cluster configuration (e.g., roles, connectors). |
| auditor | Grants read-only access to audit logs, events, and session recordings. |

View the full list of preset roles including Enterprise:

| Role | Description | Enterprise-only |
|------|-------------|-----------------|
| access | Allows access to cluster resources. | |
| editor | Allows editing of cluster configuration settings. | |
| auditor | Allows reading cluster events, audit logs, and playing back session records. | |
| access-plugin | Enables self-hosted Access Request plugin features. | |
| list-access-request-resources | Allows reading Access Request resources. | |
| requester | Allows a user to create Access Requests. | ✔ |
| reviewer | Allows review of Access Requests. | ✔ |
| group-access | Allows access to all user groups. | ✔ |
| device-admin | Used to manage trusted devices. | ✔ |
| device-enroll | Used to grant device enrollment powers to users. | ✔ |
| require-trusted-device | Requires trusted device access to resources. | ✔ |
| terraform-provider | Allows the Teleport Terraform provider to configure all of its supported Teleport resources. | |

You can view all available roles by navigating to Zero Trust Access > Roles in the Web UI.

Organizations often require custom roles to enforce least-privilege access and follow internal security policies. By creating custom roles, you can align Teleport's access controls with your company's structure and security policies.
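As an illustration of a least-privilege custom role (an added example, not taken from the Teleport documentation), the role below limits SSH access to servers carrying one label and shortens session lifetime. The role name `dev-ssh`, the `env` label values, and the `ubuntu` login are assumptions chosen for this example.

```yaml
# Added example: hypothetical custom role for least-privilege SSH access.
kind: role
version: v7
metadata:
  name: dev-ssh              # hypothetical role name
spec:
  options:
    # Certificates issued under this role expire after 8 hours,
    # so a stolen credential has a bounded lifetime.
    max_session_ttl: 8h
  allow:
    # Assumed OS login on the Ubuntu server from Step 2.
    logins: ['ubuntu']
    # Only servers labelled env=dev match (label name and value are assumptions).
    node_labels:
      env: ['dev']
  deny:
    # Deny rules take precedence over allow rules, including allows
    # granted by any other role the user holds.
    node_labels:
      env: ['prod']
```

Save the role to a file and load it with `tctl create -f dev-ssh.yaml`. A user's allow rules are combined across all assigned roles, so this role narrows access only when it replaces a broader role such as access rather than being assigned alongside it.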

For instructions on creating custom roles and assigning roles to users, follow along with our Getting Started with Teleport Access Controls demo guide.

For mapping SSO users to roles, refer to our guide on Configuring Single Sign-On for more information.

In the final step of the Getting Started guide, we'll cover how to monitor activity and use audit logs to strengthen security and ensure compliance.