Skip to main content

See permission changes with Access Graph Crown Jewels

Access Graph's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources. When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes.

This guide shows you how to configure Crown Jewels, how to mark resources as Crown Jewels, and how to see permission changes for these resources.

Prerequisites

  • A running Teleport Enterprise cluster v16.2.0 or later.
  • For self-hosted clusters, an updated license.pem with Teleport Policy enabled.
  • For self-hosted clusters, a running Access Graph node v1.24.0 or later. Check Access Graph page for details on how to set up Access Graph.

Access Graph is a feature of the Teleport Policy product available to Teleport Enterprise edition customers.

After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found under the Permission Management section.

Required RBAC permissions

To create and view Crown Jewels, you need the following RBAC permissions:

kind: role
metadata:
name: crown-jewels-admin
spec:
allow:
rules:
- resources:
- crown_jewel
verbs:
- *
version: v7

Creating a Crown Jewel

To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources and users will be logged by Teleport Policy. To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab.

Create Page

Click on "Create Crown Jewel" and select the resource or user you want to mark as critical.

Create Selector

Pick a name for the Crown Jewel and click "Create".

Create Matcher Name

The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever access path to a resource or a user changes.

Viewing permission changes

To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab. Here you can see a list of all Crown Jewels and the changes that have been made to them.

Changes

The generated changes have a diff format showing removed nodes with "-" and added nodes with "+". Every time a change is made to a Crown Jewel, a new entry will be added to the list and an audit event will be generated in the Teleport Audit Log.

Audit events

Every time a change is made to a Crown Jewel, an audit event is generated in the Teleport Audit Log. Here is what an example audit event looks like:

{
"affected_resource_name": "bob",
"affected_resource_source": "TELEPORT",
"affected_resource_type": "teleport_node",
"change_id": "0110b3c4-d0b5-4af9-8585-aa49a064c85d",
"cluster_name": "ssh-node",
"code": "TAG001I",
"ei": 0,
"event": "access_graph.access_path_changed",
"time": "2024-09-20T19:50:38.194Z",
"uid": "5447d050-699a-4009-a901-ab8ed2614bc2"
}

You can export the audit event using the event handler. The setup is described here.