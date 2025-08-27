Getting Started With Access Controls
In Teleport, any local, SSO, or robot user can be assigned one or several roles. Roles govern access to databases, SSH servers, Kubernetes clusters, Windows desktops, and web apps.
We will start with local users and preset roles, assign roles to SSO users, and wrap up with creating your own role.
How it works
Teleport roles specify the permissions of a user for interacting with a Teleport cluster, with rules including the Teleport-protected infrastructure resources a user can access and the Teleport API resources a user can manage. When a user authenticates to Teleport, the TLS and SSH certificates they receive encode their roles.
Teleport components can then inspect the user's roles for the required permissions before completing an action. For example, the Teleport Auth Service authorizes a user before reading or writing API resources, and Teleport Agents authorize a user before routing traffic to an infrastructure resource.
When a user authenticates to Teleport with a single sign-on authentication connector, the user still receives TLS and SSH certificates that encode their roles. In this case, the Teleport Auth Service maps the user on the SSO identity provider to one or more Teleport roles using the configuration in the authentication connector.
Prerequisites
A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
The
tctland
tshclients.
Installing
tctland
tshclients
Determine the version of your Teleport cluster. The
tctland
tshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at
/v1/webapi/findand use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:TELEPORT_DOMAIN=teleport.example.com:443TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
Follow the instructions for your platform to install
tctland
tshclients:
- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tctland
tshclients:curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
In Finder double-click the
pkgfile to begin installation.danger
Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tctland
tshclients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gztar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gzcd teleportsudo ./install
Teleport binaries have been copied to /usr/local/bin
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 19.0.0-dev
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
Best practices for production security
When running Teleport in production, you should adhere to the following best practices to avoid security incidents:
- Avoid using
sudoin production environments unless it's necessary.
- Create new, non-root, users and use test instances for experimenting with Teleport.
- Run Teleport's services as a non-root user unless required. Only the SSH
Service requires root access. Note that you will need root permissions (or
the
CAP_NET_BIND_SERVICEcapability) to make Teleport listen on a port numbered <
1024(e.g.
443).
- Follow the principle of least privilege. Don't give users
permissive roles when more a restrictive role will do.
For example, don't assign users the built-in
access,editorroles, which give them permissions to access and edit all cluster resources. Instead, define roles with the minimum required permissions for each user and configure Access Requests to provide temporary elevated permissions.
- When you enroll Teleport resources—for example, new databases or applications—you
should save the invitation token to a file.
If you enter the token directly on the command line, a malicious user could view
it by running the
historycommand on a compromised system.
You should note that these practices aren't necessarily reflected in the examples used in documentation. Examples in the documentation are primarily intended for demonstration and for development environments.
Step 1/3. Add local users with preset roles
Teleport provides several preset roles:
|Role
|Description
|Enterprise-only
access
|Allows access to cluster resources.
editor
|Allows editing of cluster configuration settings.
auditor
|Allows reading cluster events, audit logs, and playing back session records.
access-plugin
|Enables self-hosted Access Request plugin features.
list-access-request-resources
|Allows reading Access Request resources.
requester
|Allows a user to create Access Requests.
|✔
reviewer
|Allows review of Access Requests.
|✔
group-access
|Allows access to all user groups.
|✔
device-admin
|Used to manage trusted devices.
|✔
device-enroll
|Used to grant device enrollment powers to users.
|✔
require-trusted-device
|Requires trusted device access to resources.
|✔
terraform-provider
|Allows the Teleport Terraform provider to configure all of its supported Teleport resources.
- Teleport Community Edition
- Commercial
Invite the local user Alice as cluster
editor:
tctl users add alice --roles=editor
Invite the local user Alice as cluster
editor and
reviewer:
tctl users add alice --roles=editor,reviewer
Once Alice signs up, she will be able to edit cluster configuration. You can list
users and their roles using
tctl users ls.
- Teleport Community Edition
- Commercial
tctl users ls
User Roles
-------------------- --------------
alice editor
tctl users ls
User Roles
-------------------- --------------
alice editor, reviewer
You can update the user's roles using the
tctl users update command:
- Teleport Community Edition
- Commercial
Once Alice logs back in, she will be able to view audit logstctl users update alice --set-roles=editor,auditor
Once Alice logs back in, she will be able to view audit logstctl users update alice --set-roles=editor,reviewer,auditor
Because Alice has two or more roles, permissions from those roles create a union. She will be able to act as a system administrator and auditor at the same time.
Step 2/3. Map SSO users to roles
Next, follow the instructions to set up an authentication connector that maps users within your SSO solution to Teleport roles.
Teleport Enterprise
Create a SAML or OIDC application that Teleport can integrate with, then create an authentication connector that maps users within your application to Teleport roles.
- SAML
- OIDC
Follow our SAML Okta Guide to create a SAML application.
Save the file below as
okta.yaml and update the
acs field.
Any member in Okta group
okta-admin will assume a built-in role
admin.
kind: saml
version: v2
metadata:
name: okta
spec:
acs: https://tele.example.com/v1/webapi/saml/acs
attributes_to_roles:
- {name: "groups", value: "okta-admin", roles: ["access"]}
entity_descriptor: |
<?xml !!! Make sure to shift all lines in XML descriptor
with 4 spaces, otherwise things will not work
Create the
saml resource:
tctl create okta.yaml
Follow our OIDC guides to create an OIDC application.
Copy the YAML below to a file called
oidc.yaml and edit the information to
include the details of your OIDC application.
kind: oidc
metadata:
name: oidc_connector
spec:
claims_to_roles:
- claim: groups
roles:
- access
value: users
- claim: groups
roles:
- editor
value: admins
client_id: <CLIENT-NAME>
client_secret: <CLIENT-SECRET>
issuer_url: https://idp.example.com/
redirect_url: https://mytenant.teleport.sh:443/v1/webapi/oidc/callback
max_age: 24h
# pkce_mode determines if the OIDC authentication flow should include PKCE code verifiers. Options or `enabled`, `disabled`, and `` (defaults to disabled)
pkce_mode: "enabled"
client_redirect_settings:
# a list of hostnames allowed for HTTPS client redirect URLs
# can be a regex pattern
allowed_https_hostnames:
- remote.machine
- '*.app.github.dev'
- '^\d+-[a-zA-Z0-9]+\.foo.internal$'
# a list of CIDRs allowed for HTTP or HTTPS client redirect URLs
insecure_allowed_cidr_ranges:
- '192.168.1.0/24'
- '2001:db8::/96'
version: v3
Create the
oidc resource:
tctl create okta.yaml
Teleport Community Edition
Save the file below as
github.yaml and update the fields. You will need to
set up a
GitHub OAuth 2.0 Connector
app. Any member belonging to the GitHub organization
octocats and on team
admin will be able to assume the built-in role
access.
kind: github
version: v3
metadata:
# connector name that will be used with `tsh --auth=github login`
name: github
spec:
# client ID of GitHub OAuth app
client_id: client-id
# client secret of GitHub OAuth app
client_secret: client-secret
# This name will be shown on UI login screen
display: GitHub
# Change tele.example.com to your domain name
redirect_url: https://tele.example.com:443/v1/webapi/github/callback
# Map github teams to teleport roles
teams_to_roles:
- organization: octocats # GitHub organization name
team: admin # GitHub team name within that organization
# map github admin team to Teleport's "access" role
roles: ["access"]
Create the
github resource:
tctl create github.yaml
Step 3/3. Create a custom role
Let's create a custom role for interns. Interns will have access
to test or staging SSH servers as
readonly users. We will let them
view some monitoring web applications and dev kubernetes cluster.
Save this role as
interns.yaml:
kind: role
version: v8
metadata:
name: interns
spec:
allow:
# Logins configures SSH login principals
logins: ['readonly']
# Assigns users with this role to the built-in Kubernetes group "view"
kubernetes_groups: ["view"]
# Allow access to SSH nodes, Kubernetes clusters, apps or databases
# labeled with "staging" or "test"
node_labels:
'env': ['staging', 'test']
kubernetes_labels:
'env': 'dev'
kubernetes_resources:
- kind: "*"
api_group: "*"
namespace: "*"
name: "*"
verbs: ["*"]
app_labels:
'type': ['monitoring']
# The deny rules always override allow rules.
deny:
# deny access to any Node, database, app or Kubernetes cluster labeled
# as prod as any user.
node_labels:
'env': 'prod'
kubernetes_labels:
'env': 'prod'
kubernetes_resources:
- kind: "namespaces"
name: "prod"
db_labels:
'env': 'prod'
app_labels:
'env': 'prod'
Create a role using the
tctl create -f command:
tctl create -f /tmp/interns.yaml
Get a list of all roles in the systemtctl get roles --format text
You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.