Version: 19.x (unreleased)

Crown Jewels

Access Graph's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources. When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes.

This guide shows you how to configure Crown Jewels, how to mark resources as Crown Jewels, and how to see permission changes for these resources.

Tip: For an improved experience, we recommend using Crown Jewels in conjunction with Teleport local users or integrating with Okta or Microsoft Entra ID. This setup helps minimize the number of access path change entries generated when highly privileged ephemeral users log in via Teleport Auth Connectors.

Prerequisites

A running Teleport Enterprise cluster v16.2.0 or later.

For self-hosted clusters, an updated license.pem with Teleport Identity Security enabled.

For self-hosted clusters, a running Access Graph node v1.24.0 or later. See the Access Graph page for details on how to set up Access Graph.

Access Graph is a feature of the Teleport Identity Security product available to Teleport Enterprise edition customers.

To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI, click the Policy sidebar button, and then the Browse menu item. Identities, resources, etc. should be listed.

To create and view Crown Jewels, you need the following RBAC permissions:

kind: role
metadata:
  name: crown-jewels-admin
spec:
  allow:
    rules:
    - resources:
      - crown_jewel
      verbs:
      - '*'
version: v7

To create a Crown Jewel, you mark a resource or user as critical. Only changes to marked resources and users are logged by Identity Security. To mark a resource or user as a Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab.

Click on "Create Crown Jewel" and select the resource or user you want to mark as critical.

Pick a name for the Crown Jewel and click "Create".

The Crown Jewel is now created, and you will see it in the list of Crown Jewels. From this point on, Access Graph creates an audit event in Teleport's audit log and a new entry in the "Access Changes" tab of the "Crown Jewels" menu whenever the access path to that resource or user changes.

To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab. Here you can see a list of all Crown Jewels and the changes that have been made to them.

The generated changes have a diff format showing removed nodes with "-" and added nodes with "+". Every time a change is made to a Crown Jewel, a new entry is added to the list and an audit event is generated in the Teleport Audit Log.

Here is what an example audit event looks like:

{
  "affected_resource_name": "bob",
  "affected_resource_source": "TELEPORT",
  "affected_resource_type": "teleport_node",
  "change_id": "0110b3c4-d0b5-4af9-8585-aa49a064c85d",
  "cluster_name": "ssh-node",
  "code": "TAG001I",
  "ei": 0,
  "event": "access_graph.access_path_changed",
  "time": "2024-09-20T19:50:38.194Z",
  "uid": "5447d050-699a-4009-a901-ab8ed2614bc2"
}

You can export the audit event using the event handler. The setup is described here.
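As an added example (not Teleport's own code), a small Python consumer for the exported events: it keeps only access_graph.access_path_changed events with code TAG001I, groups them by Crown Jewel, and flags any Crown Jewel whose access path changed more than once within a review window. The one-event-per-line export format and every sample event except the page's own are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

# Event name and code of a Crown Jewel access path change (values from the page).
ACCESS_PATH_CHANGED = "access_graph.access_path_changed"
ACCESS_PATH_CHANGED_CODE = "TAG001I"

# Constructed sample export, one JSON event per line (assumed event handler format).
# Line 1 is the page's example; the rest are constructed: an unrelated login,
# a second change to the same node about 15 minutes later, and a malformed line.
SAMPLE_EXPORT = """\
{"affected_resource_name":"bob","affected_resource_source":"TELEPORT","affected_resource_type":"teleport_node","change_id":"0110b3c4-d0b5-4af9-8585-aa49a064c85d","cluster_name":"ssh-node","code":"TAG001I","ei":0,"event":"access_graph.access_path_changed","time":"2024-09-20T19:50:38.194Z","uid":"5447d050-699a-4009-a901-ab8ed2614bc2"}
{"event":"user.login","code":"T1000I","time":"2024-09-20T19:51:00.000Z","user":"alice"}
{"affected_resource_name":"bob","affected_resource_source":"TELEPORT","affected_resource_type":"teleport_node","change_id":"11111111-2222-4333-8444-555555555555","cluster_name":"ssh-node","code":"TAG001I","ei":0,"event":"access_graph.access_path_changed","time":"2024-09-20T20:05:12.000Z","uid":"66666666-7777-4888-8999-000000000000"}
this line is not JSON and must be skipped
"""

def parse_export(text):
    """Yield each well-formed JSON event; a malformed line is skipped, not fatal."""
    for line in text.splitlines():
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def crown_jewel_changes(text):
    """Group access path changes by Crown Jewel (source, type, name), oldest first."""
    by_jewel = defaultdict(list)
    for ev in parse_export(text):
        # Match both the event name and the code so an unrelated event cannot slip in.
        if ev.get("event") != ACCESS_PATH_CHANGED or ev.get("code") != ACCESS_PATH_CHANGED_CODE:
            continue
        key = (ev.get("affected_resource_source"), ev.get("affected_resource_type"),
               ev.get("affected_resource_name"))
        by_jewel[key].append({
            "change_id": ev.get("change_id"),
            "cluster": ev.get("cluster_name"),
            "time": datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        })
    return {k: sorted(v, key=lambda c: c["time"]) for k, v in by_jewel.items()}

def churned_jewels(text, window_seconds):
    """Return Crown Jewels whose access path changed at least twice within the window."""
    flagged = []
    for key, changes in crown_jewel_changes(text).items():
        for earlier, later in zip(changes, changes[1:]):
            if (later["time"] - earlier["time"]).total_seconds() <= window_seconds:
                flagged.append(key)
                break
    return flagged
```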