Step 3 - Set Up Access Controls
Teleport uses Role-Based Access Control (RBAC) to determine who can access what across your infrastructure.
Every Teleport user is assigned one or more roles. These roles define the user's permissions, such as:
- What infrastructure resources they can access
- Whether they can request temporary access
- Whether they can edit cluster settings or view session recordings
You can assign roles when creating users or manage them later in the Teleport Web UI.
Preset roles
You were able to connect to your Ubuntu server in Step 2 because of the preset roles assigned to your user account when you created your cluster.
To see which roles you currently have:
- In the Teleport Web UI, navigate to Zero Trust Access > Users
- Find your user, select Options > Edit
- Under User Roles, you'll see the roles assigned to you
You likely have at least the access and editor roles assigned. The access role is what granted you permission to SSH into your server.
Teleport includes several preset roles to help you get started:
| Role | Description |
|---|---|
| access | Grants access to infrastructure resources. |
| editor | Allows editing cluster configuration (e.g., roles, connectors). |
| auditor | Grants read-only access to audit logs, events, and session recordings. |
View the full list of preset roles including Enterprise
| Role | Description | Enterprise-only |
|---|---|---|
| access | Allows access to cluster resources. | |
| editor | Allows editing of cluster configuration settings. | |
| auditor | Allows reading cluster events, audit logs, and playing back session records. | |
| access-plugin | Enables self-hosted Access Request plugin features. | |
| list-access-request-resources | Allows reading Access Request resources. | |
| requester | Allows a user to create Access Requests. | ✔ |
| reviewer | Allows review of Access Requests. | ✔ |
| group-access | Allows access to all user groups. | ✔ |
| device-admin | Used to manage trusted devices. | ✔ |
| device-enroll | Used to grant device enrollment powers to users. | ✔ |
| require-trusted-device | Requires trusted device access to resources. | ✔ |
| terraform-provider | Allows the Teleport Terraform provider to configure all of its supported Teleport resources. | |
You can view all available roles by navigating to Zero Trust Access > Roles in the Web UI.
Custom roles
Organizations often require custom roles to enforce least-privilege access and follow internal security policies. By creating custom roles, you can align Teleport's access controls with your company's structure and security policies.
For instructions on creating custom roles and assigning roles to users, follow along with our Getting Started with Teleport Access Controls demo guide.
To map SSO users to roles, refer to our guide on Configuring Single Sign-On.
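As an illustration of a least-privilege custom role, the resource below limits SSH access to servers carrying one label and to one OS login. It is an added example, not taken from this guide or the linked demo; the role name `dev-ssh`, the `env: dev` label and the `ubuntu` login are assumptions.

```yaml
kind: role
version: v7
metadata:
  name: dev-ssh              # hypothetical role name
spec:
  options:
    # Upper bound on the lifetime of certificates issued to holders of this role.
    max_session_ttl: 8h
  allow:
    # OS logins the user may assume on matching servers (assumed login).
    logins: ['ubuntu']
    # Only servers carrying this label are reachable (assumed label).
    node_labels:
      env: dev
  deny:
    # Deny rules take precedence over allow rules in any role the user holds.
    logins: ['root']
```

Allow rules from all of a user's roles are combined, so this restriction only takes effect once broader roles such as access are removed from that user.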
Next steps
In the final step of the Getting Started guide, we'll cover how to monitor activity and use audit logs to strengthen security and ensure compliance.