Teleport
Teleport Policy Connections
Version preview- Older Versions
Teleport Access Graph shows the relationships between users, roles, and resources. It does this by showing paths between nodes. Paths are the relationships between nodes. Paths always connect nodes in the following order:
Connecting to resources
- Users
- User Groups
- Actions
- Resource Groups
- Resources
Graph paths can be divided into two categories:
- Allow paths
Allow paths connect identities to resources. They show what an identity can access and what actions they can perform.
- Deny paths
Deny paths connect identities to resources. They show what an identity cannot access and what actions they cannot perform. Deny paths take precedence over allow paths.
How resources and identities are represented
Access Graph imports all resources and identities from Teleport and keeps them up to date, so every time you make a change to your Teleport resources, the Access Graph will reflect those changes.
Identities
Users are created from Teleport Users. Local users are imported as soon as they are created. External users (created from authentication connectors for GitHub, SAML, etc.) are imported when they log in for the first time.
User Groups
User Groups are created from Teleport roles and Access Requests. Roles create User Groups where the members are the users that have that role. Access requests create a temporary User Group where the members are the users that got the access through the accepted access request.
Actions
Actions are created from Teleport roles. Actions can be divided into three categories:
- Allow Actions
Allow Actions are created from Teleport roles. Allow Actions are the things that users can do. For example, a user can SSH into a node.
- Deny Actions
Deny Actions are created from Teleport roles. Deny Actions are the things that users cannot do. For example, a user cannot SSH into a node. Deny Actions take precedence over Allow Actions.
- Temporary Actions
Temporary Actions are created when a user is granted temporary access to a resource.
They are automatically deleted when the user's access expires. The temporary actions
can be identified by having Temporary: true
property.
Resource Groups
Resource Groups are created from Teleport roles.
Resources
Resources are created from Teleport resources like nodes, databases, and Kubernetes clusters.
Next steps
- Uncover privileges, permissions, and construct SQL queries in Access Graph.