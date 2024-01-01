Version: 18.x (unreleased)

Access Monitoring Rule Reference

Access Monitoring Rules allow administrators to monitor Access Requests and apply notification routing rules or automatic review rules based on specific conditions.

An Access Monitoring Rule can configure both a notification routing rule and an automatic review rule, or it can contain only one.

An Access Monitoring Rule is a dynamic Teleport resource with a structure similar to the following:

kind: access_monitoring_rule version: v1 metadata: name: example_rule spec: subjects: - access_request condition: |- contains_all(set("access", "editor"), access_request.spec.roles) && contains_any(user.traits["team"], set("dev", "stage")) desired_state: reviewed automatic_review: integration: builtin decision: APPROVED notification: name: email recipients: - [email protected]

Administrators can use Access Monitoring Rules to route notifications to an external notification system.

To list the names of available hosted integrations you can use the following command:

tctl get plugins Name Status ------------- ----------- datadog RUNNING email RUNNING slack-default RUNNING

If no integrations are listed, enroll a plugin first. For a step by step guide on how to enroll a plugin see Access Request Plugins.

The accepted values for the recipients field depend on the selected notification system.

If the following rule is configured, then any time an Access Request for the access role is created, a notification will be sent to the #teleport-access Slack channel.

kind: access_monitoring_rule version: v1 metadata: name: slack-notifications spec: subjects: - access_request condition: contains_any(access_request.spec.roles, set("access")) notification: name: slack-default recipients: - teleport-access

Administrators can configure Access Monitoring Rules to automatically review an Access Request when conditions are met.

To enable automatic reviews, set spec.desired_state to reviewed and define automatic_review .

The automatic_review.decision option can be either APPROVED or DENIED .

Automatic reviews behave like regular reviews. They do not directly change the state of the request and respect the required review thresholds.

If multiple automatic review rules match an Access Request, DENIED rules take precedence.

If the following rule is configured, then any time an Access Request for the access role is created by a user with the team: sre trait, it will be automatically approved.

kind: access_monitoring_rule version: v1 metadata: name: sre-automatic-approval spec: subjects: - access_request condition: |- contains_all(set("access"), access_request.spec.roles) && contains_any(user.traits["team"], set("sre")) desired_state: reviewed automatic_review: integration: builtin decision: APPROVED

The condition field is a predicate expression that evaluates to a boolean value and determines which Access Requests the rule applies to.

Accepted fields within the condition predicate expression:

Field Description access_request.spec.roles The set of roles requested. access_request.spec.suggested_reviewers The set of reviewers specified in the request. access_request.spec.system_annotations A map of system annotations on the request. access_request.spec.user The requesting user. access_request.spec.request_reason The request reason. access_request.spec.creation_time The creation time of the request. access_request.spec.expiry The expiry time of the request. user.traits A map of traits of the requesting user.

Examples:

condition: !is_empty(access_request.spec.roles) condition: access_request.spec.user == "example_user" condition: access_request.spec.roles.contains("example_role") condition: set("role_1", "role_2" ).contains_all(access_request.spec.roles) condition: contains_any(user.traits["team"], set("dev". "stage" ))

See Predicate Language for more details.

Access Monitoring Rules can be used with SSO users and attributes provided by the IdP.

For example, if the following GitHub SSO configuration is used, GitHub users in team example-team will be mapped to Teleport users with trait github_teams: example-team .

kind: github version: v3 metadata: name: github spec: teams_to_roles: - organization: example-org roles: - demo-access-request team: example-team ...

You can now create an Access Monitoring Rule that applies automatic reviews based on the github_teams trait:

kind: access_monitoring_rule version: v1 metadata: name: dev-automatic-approval spec: subjects: - access_request condition: |- contains_all(set("access"), access_request.spec.roles) && contains_any(user.traits["github_teams"], set("example-team")) desired_state: reviewed automatic_review: integration: builtin decision: APPROVED

Trait mapping depends on the SSO provider. For configuration instructions, see: Configure Single Sign-On

Access Monitoring Rules can be managed as infrastructure as code using Terraform. Here's an example resource definition:

resource "teleport_access_monitoring_rule" "example_rule" { version = "v1" metadata = { name = "example_rule" } spec = { subjects = [ "access_request" ] condition = "access_request.spec.roles.contains(\" example-role\ ")" desired_state = "reviewed" notification = { name = "slack" recipients = [ "example-channel" ] } automatic_review = { integration = "builtin" decision = "APPROVED" } } }

See Terraform Provider for more details.