Just-in-time Access Requests

Teleport Just-in-time Access Requests allows any developer to request access to a resource or role depending on need. The request can then be approved or denied via Slack, PagerDuty, or other ChatOps tools based on a configurable number of approvers.
Terminal
# Role Based Access Request
$ tsh request create --roles=dba \
  [email protected],[email protected] --reason="ticket #123"

# Just-in-Time Access Request
$ tsh ssh [email protected]
ERROR: access denied to root connecting to db-1 on cluster cluster-one

You do not currently have access to [email protected], attempting to request access.

Enter request reason: responding to incident 123
Creating request...

# Alice
$ tsh request list

# Output
ID                                   User             Roles   Created (UTC)       Status
------------------------------------ ---------------  ------- ------------------- -------
9c721e54-b049-4ef8-a7f6-c777aa066764 [email protected]  dba     03 Apr 21 03:58 UTC PENDING

$ tsh request review --approve --reason="proceed with caution" 9c721e54-b049-4ef8-a7f6-c777aa066764


Terminal
$ tsh request create --roles=dba \
  [email protected],[email protected] --reason="ticket #123"

# Alice
$ tsh request review --approve --reason="proceed with caution"

# Ivan
$ tsh request review --approve --reason="granted."
Terminal
# use your favorite programming language
class AccessDenied(Exception):
    pass

# registered_computer() and jira are placeholders for your own device
# inventory and ticket-system client
def process_request(req):
    # grant admin only on registered computers
    if "admin" in req.roles and not registered_computer(req.user):
        raise AccessDenied("use registered computer for privileged access")
    # contractors should provide a valid ticket
    if req.traits['team'] == "contractor" and not jira.get_ticket(req.note):
        raise AccessDenied("provide an active JIRA ticket")

Access Requests using Existing Tools

Approve access requests using the tools you already have, such as Slack, PagerDuty, and others. This allows security teams to approve or deny requests quickly and avoids frustration for engineers who need to get the job done.

Approvals do not have to be done manually. Implement your own access approval logic with the Teleport API using your favorite programming language.
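The sketch below is an added example, not Teleport's code or API: a simplified model of how automatic policy checks can be combined with a configurable number of approvers. The Request class, the device and ticket lookups, and the rule that a single denial closes the request are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for a device inventory and a ticket system (assumptions).
REGISTERED_DEVICES = {"bob": True, "carol": False}
OPEN_TICKETS = {"ticket #123"}


@dataclass
class Request:
    user: str
    roles: list
    reason: str
    team: str = "staff"
    reviewers: set = field(default_factory=set)  # suggested reviewers


def policy_denial(req):
    """Return a denial reason from the automatic rules, or None."""
    if "admin" in req.roles and not REGISTERED_DEVICES.get(req.user, False):
        return "use registered computer for privileged access"
    if req.team == "contractor" and req.reason not in OPEN_TICKETS:
        return "provide an active ticket"
    return None


def decide(req, reviews, approvals_needed=2):
    """reviews: ordered (reviewer, approve) pairs. Returns (state, detail)."""
    denial = policy_denial(req)
    if denial:
        return "DENIED", denial
    approvers = set()
    for reviewer, approve in reviews:
        # Ignore self-reviews and reviewers who were not asked.
        if reviewer == req.user or reviewer not in req.reviewers:
            continue
        if not approve:
            return "DENIED", f"denied by {reviewer}"
        approvers.add(reviewer)  # a set counts each reviewer once
        if len(approvers) >= approvals_needed:
            return "APPROVED", f"approved by {sorted(approvers)}"
    return "PENDING", f"{len(approvers)}/{approvals_needed} approvals"
```

Counting distinct reviewers in a set is what keeps one person from satisfying a two-approver requirement by reviewing twice.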

Access Requests Flow
To learn more about access requests, take a look at Teleport Documentation.
STEP 1

Bob can select the resources he needs to access or request the dbadmin role in the Web UI or CLI.

STEP 2

Chatbot will notify both Alice and Ivan.

STEP 3

Alice and Ivan can review and approve the request using the Web UI or CLI.

  • Teleport allows us to comply with the regulatory hurdles that come with running an international stock exchange. The use of bastion hosts, integration with our identity service and auditing capabilities give us a compliant way to access our internal infrastructure.

    Brendan Germain

    Systems Reliability Engineer, Nasdaq

  • Teleport has made obtaining a FedRAMP-Moderate ATO that much more achievable via their FIPS 140-2 endpoints, ease in integration with our SSO and MFA, and the view into audit logs of remote connection sessions provide the appropriate insight for Continuous Monitoring.

    Jeff Gill

    Senior Director of Engineering, SumoLogic

Access Requests Demo Video

Watch our demo highlighting how team members can request access to new and elevated roles. This feature is available from the CLI or the browser. Users can add reasons to requests and get these requests sent to Slack. This video features using access requests for Kubernetes and all requests are captured using the Teleport Audit log.
