diff --git a/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx b/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx index cfb4d101bef3c..e88a9f8b2a5f2 100644 --- a/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx +++ b/docs/pages/admin-guides/teleport-policy/crown-jewels.mdx @@ -1,9 +1,9 @@ --- -title: See permission changes with Access Graph Crown Jewels -description: Describes how to use Access Graph Crown Jewels to see permission changes in Teleport. +title: See permission changes with Graph Explorer Crown Jewels +description: Describes how to use Graph Explorer Crown Jewels to see permission changes in Teleport. --- -Access Graph's Crown Jewel feature allows you to track changes to access for +Graph Explorer's Crown Jewel feature allows you to track changes to access for your most sensitive users or resources. When you mark a resource as a Crown Jewel, Teleport emits audit events any time access to that resource changes. @@ -23,14 +23,13 @@ log in via Teleport Auth Connectors. - A running Teleport Enterprise cluster v16.2.0 or later. - For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled. -- For self-hosted clusters, a running Access Graph node v1.24.0 or later. -Check [Access Graph page](teleport-policy.mdx) for details on -how to set up Access Graph. +- For self-hosted clusters, a running Graph Explorer node v1.24.0 or later. +Check [Graph Explorer page](teleport-policy.mdx) for details on how to set it up. -Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product +Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product available to Teleport Enterprise edition customers. -After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found +After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found under the Permission Management section. ## Required RBAC permissions @@ -55,7 +54,7 @@ version: v7 To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources and users will be logged by Teleport Policy. -To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab. +To mark a resource or user as Crown Jewel, open the Graph Explorer and navigate to the "Crown Jewels" tab. ![Create Page](../../../img/access-graph/crown-jewels/create-page.webp) @@ -67,13 +66,13 @@ Pick a name for the Crown Jewel and click "Create". ![Create Matcher Name](../../../img/access-graph/crown-jewels/create-matcher-name.webp) -The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create +The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Graph Explorer will now create audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever access path to a resource or a user changes. ## Viewing permission changes -To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab. +To view permission changes, open the Explorer and navigate to the "Crown Jewels" tab. Here you can see a list of all Crown Jewels and the changes that have been made to them. ![Changes](../../../img/access-graph/crown-jewels/changes.webp) diff --git a/docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx b/docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx index 5341c70af34b3..40e0c1fe114ed 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx @@ -1,12 +1,12 @@ --- title: Discover AWS Access Patterns with Teleport Policy -description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Access Graph. +description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Graph Explorer. --- Teleport Policy streamlines and centralizes access management across your entire infrastructure. You can view access relationships in seconds, viewing unified, up-to-date relationships and policies between all users, groups, and computing resources. -Teleport Policy with Access Graph offers insights into access patterns within your AWS account. By scanning IAM +Teleport Policy with Graph Explorer offers insights into access patterns within your AWS account. By scanning IAM permissions, users, groups, resources, and identities, it provides a visual representation and aids in enhancing the permission model within your AWS environment. This functionality enables you to address queries such as: @@ -14,18 +14,17 @@ enhancing the permission model within your AWS environment. This functionality e - Which resources can be reached via identities associated with EC2 instances? - What AWS resources can Teleport users access when connecting to EC2 nodes? -Utilizing the Access Graph to analyze IAM permissions within an AWS account necessitates the setup of the Access Graph (AG) +Utilizing the Graph Explorer to analyze IAM permissions within an AWS account necessitates the setup of the Graph Explorer (AG) service, a Discovery Service, and integration with your AWS account. -Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is +Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is available to Teleport Enterprise customers. -After logging in to the Teleport UI, go to the Management tab. If enabled, -Access Graph options can be found under the Permission Management section. +After logging in to the Teleport UI, go to the Management tab. If enabled, Explorer options can be found under the Permission Management section. ## How it works -Access Graph discovers AWS access patterns, synchronizes various AWS resources, +Graph Explorer discovers AWS access patterns, synchronizes various AWS resources, including IAM Policies, Groups, Users, User Groups, EC2 instances, EKS clusters, and RDS databases. These resources are then visualized using the graph representation detailed in the [Teleport Policy usage page](../policy-how-to-use.mdx). @@ -48,11 +47,11 @@ At intervals of 15 minutes, it retrieves the following resources from your AWS a - S3 Buckets Once all the necessary resources are fetched, the Teleport Discovery Service pushes them to the -Access Graph, ensuring that it remains updated with the latest information from your AWS environment. +Graph Explorer, ensuring that it remains updated with the latest information from your AWS environment. ### Importing resources -Teleport Policy’s Access Graph feature delves into the IAM policies, identities, +Teleport Policy’s Graph Explorer feature delves into the IAM policies, identities, and resources retrieved from your AWS account, crafting a graphical representation thereof. @@ -63,10 +62,10 @@ graphical representation thereof. - Teleport Policy enabled for your account. - For self-hosted clusters: - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. - - A running Access Graph node v1.17.0 or later. + - A running Graph Explorer node v1.17.0 or later. Check the [Teleport Policy page](../teleport-policy.mdx) for details on -how to set up Access Graph. - - The node running the Access Graph service must be reachable from the Teleport Auth Service. +how to set up Graph Explorer. + - The node running the Graph Explorer service must be reachable from the Teleport Auth Service. ## Step 1/2. Configure Discovery Service (Self-hosted only) @@ -95,16 +94,16 @@ it's possible to reuse it as long as the following requirements are met: - On step 2, you match the `discovery_group` with the existing Discovery Service's `discovery_group`. -- Access Graph service is reachable from the machine where Discovery Service runs. +- Graph Explorer service is reachable from the machine where Discovery Service runs. -## Step 2/2. Set up Access Graph AWS Sync +## Step 2/2. Set up Graph Explorer AWS Sync To initiate the setup wizard for configuring AWS Sync, access the Teleport UI, -navigate to the Management tab, and choose the Access Graph option within the +navigate to the Management tab, and choose the Graph Explorer option within the Permission Management section. -If both Teleport and Access Graph support AWS sync, you'll notice a new button -adjacent to the Access Graph navigation bar labeled `Analyze AWS IAM policies with Access Graph`. +If both Teleport and Graph Explorer support AWS sync, you'll notice a new button +adjacent to the Graph Explorer navigation bar labeled `Analyze AWS IAM policies with Graph Explorer`. You'll be prompted to create a new Teleport AWS integration if you haven't configured one already. Alternatively, you can opt for a previously established integration. diff --git a/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx b/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx index dd6d30a6c1243..51d98d938edd4 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx @@ -1,6 +1,6 @@ --- title: Analyze Entra ID policies with Teleport Policy -description: Describes how to import and visualize Entra ID policies using Teleport Policy and Access Graph. +description: Describes how to import and visualize Entra ID policies using Teleport Policy and Graph Explorer. --- The Microsoft Entra ID integration in Teleport Identity synchronizes your Entra ID directory into your Teleport cluster, @@ -27,7 +27,7 @@ At intervals of 5 minutes, it retrieves the following resources from your Entra Entra ID users and groups are imported into Teleport as users and Access Lists respectively. Once all the necessary resources are fetched, Teleport pushes them to the -Access Graph, ensuring that it remains updated with the latest information. +Graph Explorer, ensuring that it remains updated with the latest information. These resources are then visualized using the graph representation detailed in the [Teleport Policy usage page](../policy-how-to-use.mdx). @@ -37,16 +37,16 @@ These resources are then visualized using the graph representation detailed in t - Teleport Identity and Teleport Policy enabled for your account. - For self-hosted clusters: - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. - - A running Access Graph node v1.21.3 or later. + - A running Graph Explorer node v1.21.3 or later. Check the [Teleport Policy page](../teleport-policy.mdx) for details on -how to set up Access Graph. - - The node running the Access Graph service must be reachable from the Teleport Auth Service. +how to set up Graph Explorer. + - The node running the Graph Explorer service must be reachable from the Teleport Auth Service. - Your user must have privileged administrator permissions in the Azure account - For OIDC setup, the Teleport cluster must be publicly accessible from the internet. - For air gapped clusters, `tctl` must be v16.4.7 or later. -To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab. -If enabled, the Access Graph menu item will appear in the Permission Management section. +To verify that Graph Explorer is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab. +If enabled, the Graph Explorer menu item will appear in the Permission Management section. ## Step 1/3. Choose a setup method @@ -232,7 +232,7 @@ For clusters running in multiplex mode, this address will be the same as your pr If your Teleport license does not include [Teleport Policy](../teleport-policy.mdx), include the `--no-access-graph` flag. ```code -# Disable Access Graph integration if your license supports Teleport Policy with --no-access-graph flag. +# Disable Graph Explorer integration if your license supports Teleport Policy with --no-access-graph flag. $ tctl plugins install entraid \ --default-owner= \ --default-owner=someOtherOwner@teleport.sh \ @@ -518,7 +518,7 @@ Currently, when using manual mode, it is not possible to operate without the `-- ```code -# enable Access Graph integration if your license supports Teleport Policy. +# enable Graph Explorer integration if your license supports Teleport Policy. $ tctl plugins install entraid \ --default-owner= \ --default-owner=someOtherOwner@teleport.sh \ @@ -534,14 +534,13 @@ Follow the detailed instructions provided by the `tctl plugins install entraid` -## Step 3/3. Analyze Entra ID directory in Teleport Access Graph +## Step 3/3. Analyze Entra ID directory in Graph Explorer Shortly after the integration onboarding is finished, -your Entra ID directory will be imported into your Teleport cluster and Access Graph. +your Entra ID directory will be imported into your Teleport cluster and Graph Explorer. -You can find Entra ID users and groups in the Access Graph UI. If you have Entra ID SSO set up for your AWS accounts, -and the AWS accounts have been connected to Teleport, -Access Graph will also show access to AWS resources granted to Entra ID identities. +You can find Entra ID users and groups in the Explorer UI. If you have Entra ID SSO set up for your AWS accounts, +and the AWS accounts have been connected to Teleport, Graph Explorer will also show access to AWS resources granted to Entra ID identities. In the following example, Bob is assigned to group `AWS-Engineers` in Entra ID. This allows him to use SSO to assume the AWS IAM role `Engineers`, diff --git a/docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx b/docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx index 3a25ef7ad225f..3531e1db8c541 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx @@ -1,26 +1,26 @@ --- title: Discover GitLab Access Patterns with Teleport Policy -description: Describes how to synchronize GitLab access patterns using Teleport Policy and Access Graph. +description: Describes how to synchronize GitLab access patterns using Teleport Policy and Graph Explorer. --- -With Teleport Policy's Access Graph, you gain insights into access patterns within your GitLab account. By scanning all +With Teleport Policy's Graph Explorer, you gain insights into access patterns within your GitLab account. By scanning all permissions, users, groups, and projects, it provides a visual representation to help enhance the permission model within your GitLab environment. This functionality enables you to answer queries such as: - What projects are accessible to users? - Which users have write permissions to projects? -Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product +Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product available to Teleport Enterprise edition customers. -After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found +After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found under the Permission Management section. ## How it works -Access Graph synchronizes various GitLab resources, including users, projects and groups. +Graph Explorer synchronizes various GitLab resources, including users, projects and groups. These resources are then visualized using the graph representation detailed in the -[Access Graph page](../teleport-policy.mdx). +[Graph Explorer page](../teleport-policy.mdx). The importing process involves two primary steps: @@ -35,11 +35,11 @@ The Teleport cluster continuously scans the configured GitLab accounts and retri - Project memberships Once all the necessary resources are fetched, Teleport pushes them to the -Access Graph, ensuring that it remains updated with the latest information from your GitLab instance. +Graph Explorer, ensuring that it remains updated with the latest information from your GitLab instance. ### Importing resources -Teleport Policy’s Access Graph feature delves into the resources imported and their relationships, crafting a +Teleport Policy’s Graph Explorer feature delves into the resources imported and their relationships, crafting a graphical representation thereof. @@ -50,10 +50,10 @@ graphical representation thereof. - A GitLab instance running GitLab v9.0 or later. - For self-hosted clusters: - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. - - A running Access Graph node v1.21.4 or later. + - A running Graph Explorer node v1.21.4 or later. Check the [Teleport Policy page](../teleport-policy.mdx) for details on -how to set up Access Graph. - - The node running the Access Graph service must be reachable from the Teleport Auth Service. +how to set up Graph Explorer. + - The node running the Graph Explorer service must be reachable from the Teleport Auth Service. ## Step 1/3. Create GitLab token @@ -82,21 +82,21 @@ The importer will use this token to fetch the necessary resources from your GitL The token will be used in the next step to configure the GitLab Sync integration. -## Step 2/3. Set up Access Graph GitLab Sync +## Step 2/3. Set up Graph Explorer GitLab Sync To initiate the setup wizard for configuring GitLab Sync, access the Teleport UI, -navigate to the Management tab, and choose the Access Graph option within the +navigate to the Management tab, and choose the Graph Explorer option within the Permission Management section. -In the Access Graph page, you'll notice a button labeled `Integrations`. Click on it to +In the Graph Explorer page, you'll notice a button labeled `Integrations`. Click on it to to access the Integrations page. On the Integrations page, click on the `Setup` button next to the GitLab integration. You'll be prompted to provide the GitLab token created in Step 1 and the GitLab instance domain. -Once the token is successfully validated, you'll be able to see the resources imported in Access Graph. +Once the token is successfully validated, you'll be able to see the resources imported in Graph Explorer. -## Step 3/3. View GitLab resources in Access Graph +## Step 3/3. View GitLab resources in Graph Explorer -After the GitLab resources are imported, you can view them in the Access Graph page. +After the GitLab resources are imported, you can view them in the Graph Explorer page. The graph representation will show the relationships between users, groups, and projects within your GitLab instance. Users can have permissions to access a Group or Project. When a user has access to a Group, they inherit permissions @@ -107,7 +107,7 @@ You can view the permissions granted to users, groups, and projects by clicking For example, to view the permissions granted to a user, click on the user node and select `View Access` from the context menu. This will display the permissions granted to the user and the resources they have access to. -You can also run queries to fetch specific information from the Access Graph, such as: +You can also run queries to fetch specific information from the Graph Explorer, such as: ### Fetch All Projects Accessible to a User @@ -136,7 +136,7 @@ SELECT * FROM access_path WHERE "resource" = '' AND source ## Troubleshooting -After setting up the GitLab integration, you can monitor the import process status on the Access Graph's Integrations page. +After setting up the GitLab integration, you can monitor the import process status on the Graph Explorer's Integrations page. If the import fails, an error message will help identify the issue. You can also check whether the import process is currently running or has completed successfully by viewing the status. @@ -147,5 +147,5 @@ and that the token is valid. If the token has expired, you'll need to create a n If you encounter any other issues, please ensure that the Teleport cluster can reach the GitLab instance and that the GitLab APIs are accessible. -If you're still facing issues, please inspect the error log on the Access Graph's Integrations page for more details. +If you're still facing issues, please inspect the error log on the Graph Explorer's Integrations page for more details. diff --git a/docs/pages/admin-guides/teleport-policy/integrations/integrations.mdx b/docs/pages/admin-guides/teleport-policy/integrations/integrations.mdx index ff313c03ce916..a8bcbe4464dfc 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/integrations.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/integrations.mdx @@ -1,14 +1,14 @@ --- title: Teleport Policy Integrations -description: Integrations in Access Graph with Teleport Policy. +description: Integrations in Graph Explorer with Teleport Policy. --- Teleport can integrate with identity providers (IdPs) like Okta and AWS OIDC -which can then be used with Access Graph, providing a comprehensive, +which can then be used with Graph Explorer, providing a comprehensive, interactive view of how users, roles, and resources are interconnected, enabling administrators to better understand and control access policies. -Read the following guides for information on using Teleport Access Graph to +Read the following guides for information on using Teleport's Graph Explorer to visualize role-based access controls from third-party services: (!toc!) @@ -16,7 +16,7 @@ visualize role-based access controls from third-party services: ## Viewing available integrations The Integrations page shows integrations that can be enabled or are already -enabled in Access Graph. +enabled in Graph Explorer. ![Integrations](../../../../img/access-graph/integrations.png) @@ -51,7 +51,7 @@ Select the "Set up new integration" button. Teleport can also import and grant access to resources from Okta organizations, such as user profiles, groups and applications. You can view connection data in -Access Graph. Follow the steps here to add an [Okta +Graph Explorer. Follow the steps here to add an [Okta integration](../../../enroll-resources/application-access/okta/hosted-guide.mdx) in your cluster. diff --git a/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx b/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx index 929cc2a329fd0..5ff1fbd6a1a6f 100644 --- a/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx +++ b/docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx @@ -1,9 +1,9 @@ --- title: Discover Insecure SSH Access with Teleport Policy -description: Describes how to enable SSH Key Scanning using Teleport Policy and Access Graph. +description: Describes how to enable SSH Key Scanning using Teleport Policy and Graph Explorer. --- -With Teleport Policy's Access Graph, you can gain insights on how SSH keys are used within your environment. By scanning +With Teleport Policy's Graph Explorer, you can gain insights on how SSH keys are used within your environment. By scanning all SSH authorized keys present on your servers and SSH private keys present on company managed laptops, Teleport Policy can provide a visual representation of the access patterns and help you enhance the security of your environment. @@ -13,23 +13,23 @@ This functionality gives you insights into the following areas: - Which users have SSH private keys that grant access to SSH servers? - Which laptops have unprotected SSH private keys? -Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product +Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product available to Teleport Enterprise edition customers. -After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found +After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found under the Permission Management section. ## How it works -Teleport and Teleport Policy's Access Graph synchronize various resources, including SSH authorized keys and private keys. +Teleport and Teleport Policy's Graph Explorer synchronize various resources, including SSH authorized keys and private keys. These resources are then visualized using the graph representation detailed in the -[Access Graph page](../teleport-policy.mdx). +[Graph Explorer page](../teleport-policy.mdx). ### Importing SSH authorized keys Teleport-protected servers running the Teleport SSH Service continuously scan for SSH authorized keys present on the server. -The public fingerprint of these keys is sent to the Teleport Auth Service, which then pushes them to the Access Graph. +The public fingerprint of these keys is sent to the Teleport Auth Service, which then pushes them to the Graph Explorer. Together with the key fingerprint, the Teleport-protected server also sends the following metadata: - `public_fingerprint`: The SHA256 fingerprint of the public key. @@ -76,16 +76,16 @@ It also never sends the private key path or any other sensitive information. - For Jamf Pro integration, devices must be enrolled in Jamf Pro and have the signed `tsh` binary installed. - For self-hosted clusters: - Ensure that an up-to-date `license.pem` is used in the Auth Service configuration. - - A running Access Graph node v1.22.0 or later. + - A running Graph Explorer node v1.22.0 or later. Check the [Teleport Policy page](../teleport-policy.mdx) for details on -how to set up Access Graph. - - The node running the Access Graph service must be reachable from the Teleport Auth Service. +how to set up Graph Explorer. + - The node running the Graph Explorer service must be reachable from the Teleport Auth Service. ## Step 1/3. Enable SSH Key Scanning To enable SSH Key Scanning, you need to configure the Teleport cluster to scan for SSH authorized keys. -To enable the SSH Key Scanning feature, edit the Teleport Access Graph configuration file: +To enable the SSH Key Scanning feature, edit the Graph Explorer configuration file: ```code $ tctl edit access_graph_settings @@ -105,7 +105,7 @@ version: v1 Save the changes and exit the editor. The Teleport cluster will now start informing the Teleport-protected servers to scan for SSH authorized keys. This process may take a few minutes to complete. -After a few minutes, you can navigate to the Access Graph page in the Teleport UI to view the imported SSH authorized keys +After a few minutes, you can navigate to the Graph Explorer page in the Teleport UI to view the imported SSH authorized keys and local users. ## Step 2/3. Scan for SSH private keys @@ -120,7 +120,7 @@ $ tsh scan keys --proxy= --dirs= Note: For managed Enterprise customers, Teleport Policy is enabled by default. -If you are a self-hosted Teleport customer, you will need to [deploy the Access Graph Service](../deploy-a-cluster/access-graph/access-graph.mdx) and ensure you have an updated +If you are a self-hosted Teleport customer, you will need to [deploy the Graph Explorer Service](../deploy-a-cluster/access-graph/access-graph.mdx) and ensure you have an updated `license.pem` with Teleport Policy enabled to use it.