Skip to main content
Version: 19.x (unreleased)

Nested Access Lists

Report an issue with this page

Nested Access Lists allow inclusion of an Access List as a member or owner of another Access List. This enables hierarchical permission structures where permissions can be inherited from multiple levels of parent Access Lists.

This guide will help you:

  • Understand how nesting and inheritance work in Access Lists
  • Create a nested Access List
  • Verify inherited permissions granted through the nested Access List

How it works

Let's break down inheritance in Access Lists. Imagine two Access Lists you might have in an organization: "Engineering Team" and "Production Access". "Engineering Team" represents a group of engineers, while "Production Access" is a higher-level Access List that grants access to production resources.

  • Membership Inheritance: If "Engineering Team" is added as a member of "Production Access", all users who are members of "Engineering Team" inherit member grants (roles and traits) from "Production Access".
  • Ownership Inheritance: If "Engineering Team" is added as an owner of "Production Access", all users who are members of "Engineering Team" inherit owner grants (roles and traits) from "Production Access", and can perform owner actions, such as modifying it or managing its members.

Inheritance is recursive – members of "Engineering Team" can themselves be Access Lists with their own members, and so on. However, circular nesting is not allowed, and nesting is limited to a maximum depth of 10 levels.

For more information, see the Access Lists reference.

Prerequisites

  • A running Teleport Enterprise (v17.0.1 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing tctl and tsh clients

    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

      TELEPORT_DOMAIN=teleport.example.com:443
      TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"

    2. Follow the instructions for your platform to install tctl and tsh clients:

      Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:

      curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg

      In Finder double-click the pkg file to begin installation.

      danger

      Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username: 
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status
    Cluster  teleport.example.com
    Version  19.0.0-dev
    CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • A user with the default editor role or equivalent permissions (ability to read, create, and manage Access Lists).
  • Familiarity with basic Access List concepts (see the Getting Started with Access Lists guide).
  • At least one user with only the requester role to add to the Access List.
  • At least one application or resource to grant access to.

Let's walk through creating a nested Access List and establishing inheritance. In this example, we'll create a child Access List, "Engineering Team", which inherits permissions from a parent, "Production Access".

Step 1/3. Create child Access List

In the Teleport Web UI, go to the "Identity" tab and select "Access Lists" from the sidebar. Click on "Create New Access List", and fill in the details:

  • Title: Engineering Team
  • Deadline for First Review: Select a future date.
  • Member Grants: Leave this empty, as the list will inherit the parent's member grants.
  • Owners: Add yourself or any appropriate users as owners.
  • Members: Add users who should be part of this Access List, such as test-user.

Click "Create Access List" to save the Access List.

Step 2/3. Create parent Access List

From the "Access Lists" page, click on "Create New Access List" and fill in the details for our parent list:

  • Title: Production Access
  • Deadline for First Review: Select a future date.
  • Member Grants: Add the access role.
  • Owners: Add yourself or any appropriate users as owners.
  • Members: Select our child Access List, 'Engineering Team', from the dropdown.

Click "Create Access List" to save the Access List.

Step 3/3. Verifying inherited permissions

To confirm that members of "Engineering Team" have inherited member grants from "Production Access", log in as a user who is a member of the child Access List (e.g., test-user). Verify that the user now has access to resources granted by both "Engineering Team" and "Production Access". For example, if a Teleport Application Service instance with the debugging application enabled is set up, and the access role is granted through "Production Access", the "dumper" app should be visible to the user.

Next Steps