
Identity Governance is available only with Teleport Enterprise. Start your free trial.


Reviewing Access Requests


In this guide we will walk through two Access List-related Access Request use cases.

Prerequisites

  • Teleport cluster with a connected resource, e.g. an SSH node.
  • Teleport user (admin in this guide) with an editor role to perform configuration.
  • Teleport user (alice in this guide) acting as an Access Request reviewer.
  • Teleport user (bob in this guide) acting as a low-privileged requester user.

Access Requests for resources granted by an Access List

Access List owners can be automatically assigned as suggested reviewers to resource-based Access Requests that include resources granted by their Access List.

How it works

We will create an Access List that grants users direct access to certain resources and allows its owners to review Access Requests to those resources.

Then, we will issue an Access Request to those resources to verify that the list owners are prepopulated as suggested reviewers and that the request can be promoted to long-term access via the Access List.

Step 1/5. Create roles

As an admin user, let's create 3 roles:

  • Role that grants access to SSH nodes with a label env:prod
  • Role that allows users to request access to SSH nodes with that label
  • Role that allows users to review Access Requests for SSH nodes with that label

The ssh-access role allows access to SSH nodes with the label env: prod:

kind: role
version: v8
metadata:
  name: ssh-access
spec:
  allow:
    logins:
    - ubuntu
    node_labels:
      'env': 'prod'

The ssh-access-requester role allows users to request access to such SSH nodes:

kind: role
version: v8
metadata:
  name: ssh-access-requester
spec:
  allow:
    request:
      search_as_roles:
      - ssh-access

The ssh-access-reviewer role allows users to review such Access Requests:

kind: role
version: v8
metadata:
  name: ssh-access-reviewer
spec:
  allow:
    review_requests:
      roles:
      - ssh-access
      preview_as_roles:
      - ssh-access

Step 2/5. Assign requester role

As an admin user, assign the ssh-access-requester role to bob.

This role will allow bob to issue Access Requests to SSH nodes with env: prod labels.

Step 3/5. Create an Access List

Now, as an admin user, let's create an Access List that grants access to the SSH nodes (via ssh-access member role grant) and allows its owners to review requests to these SSH nodes (via ssh-access-reviewer owner role grant).

On the Identity Governance / Access Lists web UI page select "Create New Access List" and create a new one with the following parameters:

  • List name: SSH Access
  • Permissions granted to list owners: ssh-access-reviewer
  • Permissions granted to list members: ssh-access
  • List owner: alice

You can fill out the rest of the parameters as desired.

Step 4/5. Submit an Access Request

Once you log into Teleport as bob, you should be able to see your SSH node(s) as requestable resources.

On the Access Request checkout dialog, you should see that alice has been prepopulated as a suggested reviewer because she is an owner of the access list that grants access to the requested SSH node.

Submit the request.

Step 5/5. Review the Access Request

Once the request is submitted, log in as alice and go to the Identity Governance / Access Requests page to see bob's pending request and review it.

Because access to the requested SSH node can be granted by the "SSH Access" list, alice has the option to promote the request to long-term access via the Access List to grant direct access to the SSH node.

That's it! As an owner of the "SSH Access" list, alice has successfully reviewed bob's request for an SSH node whose access is granted by her Access List.

Access Requests for resources requested by an Access List member

Access List owners can also be automatically assigned as suggested reviewers to resource-based Access Requests where the requester is granted permission to request the resource via Access List membership and the owner has permission to review requests for the resource.

How it works

We will create an Access List that grants users the ability to request access to certain resources and allows its owners to review those requests.

We will make the requester a member of the Access List.

Then, we will issue an Access Request to those resources to verify that the list owner is prepopulated as a suggested reviewer and that the request can be reviewed by the owner.

Step 1/5. Create roles

As an admin user, let's create 3 roles:

  • Role that grants access to SSH nodes with a label env:prod
  • Role that allows users to request access to those SSH nodes
  • Role that allows users to review those Access Requests

The ssh-member-access role allows access to SSH nodes with the label env: prod:

kind: role
version: v8
metadata:
  name: ssh-member-access
spec:
  allow:
    logins:
    - ubuntu
    node_labels:
      'env': 'prod'

The ssh-member-requester role allows users to request access to SSH nodes using the ssh-member-access role:

kind: role
version: v8
metadata:
  name: ssh-member-requester
spec:
  allow:
    request:
      search_as_roles:
      - ssh-member-access
      roles:
      - ssh-member-access

The ssh-member-reviewer role allows users to review Access Requests for the ssh-member-access role:

kind: role
version: v8
metadata:
  name: ssh-member-reviewer
spec:
  allow:
    review_requests:
      roles:
      - ssh-member-access
      preview_as_roles:
      - ssh-member-access

Step 2/5. Create an Access List

As an admin user, create an Access List.

The ssh-member-access-list grants its members the ability to request access to SSH nodes (via ssh-member-requester member role grant) and its owners the ability to review those requests (via ssh-member-reviewer owner role grant):

kind: access_list
version: v1
metadata:
  name: ssh-member-access-list
spec:
  title: "SSH Member Access"
  description: "Access List for membership-based Access Request reviews"
  owners:
    - name: alice
      description: "Access list owner"
  grants:
    roles:
      - ssh-member-requester
  owner_grants:
    roles:
      - ssh-member-reviewer

Step 3/5. Add the requester as a member of the Access List

Next, add bob as a member of ssh-member-access-list:

tctl acl users add ssh-member-access-list bob

Once bob is a member of the ssh-member-access-list, the ssh-member-requester role will be granted, allowing bob to request access to SSH nodes with the env: prod label.

Step 4/5. Submit an Access Request

Once you log into Teleport as bob, you should be able to see the SSH nodes with the env: prod label as requestable resources.

On the Access Request checkout dialog, you should see that alice has been prepopulated as a suggested reviewer because she is an owner of the Access List, has review permission for requests to those resources, and bob's membership grants the ability to request them.

Submit the request.

Step 5/5. Review the Access Request

Once the request is submitted, log in as alice and go to the Identity Governance / Access Requests page to see bob's pending request and review it.

Because alice is an owner of ssh-member-access-list, she has been granted the ssh-member-reviewer role, which allows her to review requests for the ssh-member-access role.

That's it! As an owner of ssh-member-access-list, alice has successfully reviewed bob's resource Access Request for an SSH node.
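Both walkthroughs above hinge on the same question: given the roles a user holds directly, the roles granted by Access List membership or ownership, and the labels on a node, who can request access and who is suggested as a reviewer? The following Python model is an added example, not Teleport's own code. It encodes the two suggestion rules as the page describes them (rule 1: owners of a list whose member grants give direct access to the requested node; rule 2: owners of a list the requester belongs to, where membership confers the right to request the node and the owner holds review permission for the role being requested). Label matching (exact value or '*' wildcard), the data structures, the node inventory (prod-node, dev-node) and the user carol are simplifying assumptions; the role and list names are the ones from the page.

```python
"""Constructed model of the two suggested-reviewer rules described on this page.
Not Teleport's code; label matching and role resolution are simplified assumptions."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    node_labels: dict = field(default_factory=dict)      # spec.allow.node_labels
    search_as_roles: list = field(default_factory=list)  # spec.allow.request.search_as_roles
    review_roles: list = field(default_factory=list)     # spec.allow.review_requests.roles


@dataclass
class AccessList:
    name: str
    owners: list
    members: list = field(default_factory=list)
    grants: list = field(default_factory=list)        # spec.grants.roles (to members)
    owner_grants: list = field(default_factory=list)  # spec.owner_grants.roles (to owners)


@dataclass
class Cluster:
    roles: dict         # role name -> Role
    lists: list         # AccessList objects
    static_roles: dict  # user -> roles assigned directly (Step 2 of the first walkthrough)
    nodes: dict         # node name -> labels (constructed inventory)

    def effective_roles(self, user):
        """Directly assigned roles plus member/owner grants from every Access List."""
        names = set(self.static_roles.get(user, []))
        for acl in self.lists:
            if user in acl.members:
                names.update(acl.grants)
            if user in acl.owners:
                names.update(acl.owner_grants)
        return [self.roles[n] for n in names if n in self.roles]

    def role_grants_node(self, role_name, node):
        # Assumption: a role selects a node when every node_labels entry matches exactly or is '*'.
        role = self.roles.get(role_name)
        if role is None or not role.node_labels:
            return False
        labels = self.nodes[node]
        return all(v == "*" or labels.get(k) == v for k, v in role.node_labels.items())

    def _targets(self, role_names, node):
        """Roles reachable through search_as_roles from role_names that grant the node."""
        out = set()
        for name in role_names:
            for target in self.roles.get(name, Role(name)).search_as_roles:
                if self.role_grants_node(target, node):
                    out.add(target)
        return out

    def can_request(self, user, node):
        return bool(self._targets([r.name for r in self.effective_roles(user)], node))

    def can_review(self, user, target_role):
        return any(target_role in r.review_roles for r in self.effective_roles(user))

    def suggested_reviewers(self, requester, node):
        suggested = set()
        for acl in self.lists:
            # Rule 1 (first walkthrough): the list's member grants give direct access to the node.
            if any(self.role_grants_node(r, node) for r in acl.grants):
                suggested.update(acl.owners)
            # Rule 2 (second walkthrough): requester is a member, membership lets them
            # request the node, and the owner can review requests for that role.
            if requester in acl.members:
                targets = self._targets(acl.grants, node)
                suggested.update(o for o in acl.owners
                                 if any(self.can_review(o, t) for t in targets))
        return sorted(suggested)


# Constructed inventory: one node the page's roles select, one they do not.
NODES = {"prod-node": {"env": "prod"}, "dev-node": {"env": "dev"}}


def scenario_direct_grant():
    """First walkthrough: the 'SSH Access' list grants ssh-access; bob holds the requester role."""
    roles = {
        "ssh-access": Role("ssh-access", node_labels={"env": "prod"}),
        "ssh-access-requester": Role("ssh-access-requester", search_as_roles=["ssh-access"]),
        "ssh-access-reviewer": Role("ssh-access-reviewer", review_roles=["ssh-access"]),
    }
    acl = AccessList("SSH Access", owners=["alice"],
                     grants=["ssh-access"], owner_grants=["ssh-access-reviewer"])
    return Cluster(roles, [acl], {"bob": ["ssh-access-requester"]}, NODES)


def scenario_membership():
    """Second walkthrough: bob can request only because he is a member of the list."""
    roles = {
        "ssh-member-access": Role("ssh-member-access", node_labels={"env": "prod"}),
        "ssh-member-requester": Role("ssh-member-requester", search_as_roles=["ssh-member-access"]),
        "ssh-member-reviewer": Role("ssh-member-reviewer", review_roles=["ssh-member-access"]),
    }
    acl = AccessList("ssh-member-access-list", owners=["alice"], members=["bob"],
                     grants=["ssh-member-requester"], owner_grants=["ssh-member-reviewer"])
    return Cluster(roles, [acl], {}, NODES)
```

Calling scenario_direct_grant().suggested_reviewers("bob", "prod-node") and scenario_membership().suggested_reviewers("bob", "prod-node") both return ["alice"], but for different reasons, which is the point of keeping the two rules separate in the code. The same model also shows the negative cases worth checking before relying on suggestions: a node the list's roles do not select yields no suggested reviewer, and under rule 2 a user who is not a member of the list gets no suggestion at all even though the owner could review.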

Next steps