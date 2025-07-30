Version: 19.x (unreleased)

You can use Teleport's role-based access control (RBAC) system to set up granular permissions for authenticating to Linux servers connected to Teleport.

An example of a policy could be, Server administrators have access to everything, the QA team and engineers have full access to staging servers, and engineers can gain temporary access to production servers in case of emergency.

For a more general description of Teleport roles and examples see our Access Controls guides, as this section focuses on configuring RBAC for servers connected to Teleport.

Teleport's "role" resource provides the following instruments for restricting server access:

kind: role version: v5 metadata: name: developer spec: allow: logins: [ ubuntu , debian , '{{internal.logins}}' ] node_labels: 'env': 'test' '*': '*' 'region': [ 'us-west-1' , 'eu-central-1' ] 'reg': '^us-west-1|eu-central-1$' host_groups: [ ubuntu , nginx , other ] host_sudoers: - 'ALL=(ALL) NOPASSWD: ALL' deny: logins: - root

Deny Rules Deny rules will match greedily. In the example above, a server session attempting to use the "root" server user account will be rejected.

Similar to role fields for accessing other resources in Teleport, server-related fields support template variables.

Variables with the format {{external.xyz}} are replaced with values from external SSO providers. For OIDC logins, {{external.xyz}} refers to the "xyz" claim; for SAML logins, {{external.xyz}} refers to the "xyz" assertion.

For example, here is what a role may look like if you want to assign allowed server environment types and allowed logins from the user's Okta environments and allowedlogins assertions:

spec: allow: node_labels: - env: '{{external.environments}}' logins: - '{{external.allowedlogins}}'

The {{internal.logins}} variable applies to local users and works with Teleport trusted clusters. Trusted clusters allow connecting from a root Teleport cluster to resources connected to other Teleport clusters. Those Teleport clusters, identified as leaf clusters, allow the connection by trusting the root Teleport cluster.

For example, suppose a user in the root cluster has the following role. As a local user they could have the logins trait of jeff so they have two logins, jeff and ubuntu .

spec: allow: logins: [ '{{internal.logins}}' , ubuntu ]

The role on the leaf cluster can be set up to use the user's allowed server accounts and names. The leaf cluster will then include the same logins allowed from the root cluster when the {{internal.logins}} template variable is used.

spec: allow: logins: [ " {{internal.logins}} " ]

For full details on how variable expansion works in Teleport roles, see the Access Controls Reference.

The allow and deny sections described above are used for controlling the servers and logins allowed. Role options provide the Teleport features available for users with the specified role. These options apply to Server access.