Skip to main content
Version: 17.x (unreleased)

Nested Access Lists

Nested Access Lists allow inclusion of an Access List as a member or owner of another Access List. This enables hierarchical permission structures where permissions can be inherited from multiple levels of parent Access Lists.

This guide will help you:

  • Understand how nesting and inheritance work in Access Lists
  • Create a nested Access List
  • Verify inherited permissions granted through the nested Access List

How it works

Let's break down inheritance in Access Lists. Imagine two Access Lists you might have in an organization: "Engineering Team" and "Production Access". "Engineering Team" represents a group of engineers, while "Production Access" is a higher-level Access List that grants access to production resources.

  • Membership Inheritance: If "Engineering Team" is added as a member of "Production Access", all users who are members of "Engineering Team" inherit member grants (roles and traits) from "Production Access".
  • Ownership Inheritance: If "Engineering Team" is added as an owner of "Production Access", all users who are members of "Engineering Team" inherit owner grants (roles and traits) from "Production Access", and can perform owner actions, such as modifying it or managing its members.

Inheritance is recursive – members of "Engineering Team" can themselves be Access Lists with their own members, and so on. However, circular nesting is not allowed, and nesting is limited to a maximum depth of 10 levels.

For more information, see the Access Lists reference.

Prerequisites

  • A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example: 
    $ tsh login --proxy=teleport.example.com [email protected]
    $ tctl status
    # Cluster  teleport.example.com
    # Version  17.0.0-dev
    # CA pin   sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • A user with the default editor role or equivalent permissions (ability to read, create, and manage Access Lists).
  • Familiarity with basic Access List concepts (see the Getting Started with Access Lists guide).
  • At least one user with only the requester role to add to the Access List.
  • At least one application or resource to grant access to.

Let's walk through creating a nested Access List and establishing inheritance. In this example, we'll create a child Access List, "Engineering Team", which inherits permissions from a parent, "Production Access".

Step 1/3. Create child Access List

In the Teleport Web UI, go to the "Identity" tab and select "Access Lists" from the sidebar. Click on "Create New Access List", and fill in the details:

  • Title: Engineering Team
  • Deadline for First Review: Select a future date.
  • Member Grants: Leave this empty, as the list will inherit the parent's member grants.
  • Owners: Add yourself or any appropriate users as owners.
  • Members: Add users who should be part of this Access List, such as test-user.

Click "Create Access List" to save the Access List.

Step 2/3. Create parent Access List

From the "Access Lists" page, click on "Create New Access List" and fill in the details for our parent list:

  • Title: Production Access
  • Deadline for First Review: Select a future date.
  • Member Grants: Add the access role.
  • Owners: Add yourself or any appropriate users as owners.
  • Members: Select our child Access List, 'Engineering Team', from the dropdown.

Click "Create Access List" to save the Access List.

Step 3/3. Verifying inherited permissions

To confirm that members of "Engineering Team" have inherited member grants from "Production Access", log in as a user who is a member of the child Access List (e.g., test-user). Verify that the user now has access to resources granted by both "Engineering Team" and "Production Access". For example, if a Teleport Application Service instance with the debugging application enabled is set up, and the access role is granted through "Production Access", the "dumper" app should be visible to the user.

Next Steps