docs: update Policy and Graph Explorer verbiage in teleport-policy guide #50412

Draft. Wants to merge 1 commit into base: master.
21 changes: 10 additions & 11 deletions docs/pages/admin-guides/teleport-policy/crown-jewels.mdx
@@ -1,9 +1,9 @@
---
title: See permission changes with Access Graph Crown Jewels
description: Describes how to use Access Graph Crown Jewels to see permission changes in Teleport.
title: See permission changes with Graph Explorer Crown Jewels
description: Describes how to use Graph Explorer Crown Jewels to see permission changes in Teleport.
---

Access Graph's Crown Jewel feature allows you to track changes to access for
Graph Explorer's Crown Jewel feature allows you to track changes to access for
Contributor

I've been splitting this out into another feature, and calling it Teleport Policy Crown Jewels

Contributor Author

Thank you, @benarent! I'll update this and the other references when I get back from vacation, 12/30.

your most sensitive users or resources. When you mark a resource as a Crown
Jewel, Teleport emits audit events any time access to that resource changes.
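Review bot: the new front matter (`title: See permission changes with Graph Explorer Crown Jewels` and the matching `description:`) adopts the Graph Explorer name, but the reviewer comment in this thread says the feature is being split out as Teleport Policy Crown Jewels, and the author agreed to follow up. Suggest `title: See permission changes with Teleport Policy Crown Jewels` (and the same wording in `description:` and the first paragraph) so the page is not renamed twice; the image paths under `img/access-graph/` can stay as they are.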

Expand All @@ -23,14 +23,13 @@ log in via Teleport Auth Connectors.

- A running Teleport Enterprise cluster v16.2.0 or later.
- For self-hosted clusters, an updated `license.pem` with Teleport Policy enabled.
- For self-hosted clusters, a running Access Graph node v1.24.0 or later.
Check [Access Graph page](teleport-policy.mdx) for details on
how to set up Access Graph.
- For self-hosted clusters, a running Graph Explorer node v1.24.0 or later.
Contributor

Technically we run the access graph service for Teleport Policy: https://gallery.ecr.aws/gravitational/access-graph

Check [Graph Explorer page](teleport-policy.mdx) for details on how to set it up.

Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product
Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product
available to Teleport Enterprise edition customers.

After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found
under the Permission Management section.
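Review bot: the prerequisite `- For self-hosted clusters, a running Graph Explorer node v1.24.0 or later.` renames the deployed component, but as the comment on this hunk points out the self-hosted component is still the Access Graph service (image `gallery.ecr.aws/gravitational/access-graph`); Graph Explorer is the UI feature name. Suggest keeping the service name in prerequisites, e.g. `a running Access Graph service v1.24.0 or later, which backs Graph Explorer`, and keep the link text as `[Teleport Policy page](teleport-policy.mdx)`, which is what the other files in this PR call that target.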

## Required RBAC permissions
Expand All @@ -55,7 +54,7 @@ version: v7

To create a Crown Jewel, you need to mark a resource or user as critical. Only changes to marked resources
and users will be logged by Teleport Policy.
To mark a resource or user as Crown Jewel, open the Access Graph and navigate to the "Crown Jewels" tab.
To mark a resource or user as Crown Jewel, open the Graph Explorer and navigate to the "Crown Jewels" tab.

![Create Page](../../../img/access-graph/crown-jewels/create-page.webp)
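Review bot: style, `To mark a resource or user as Crown Jewel` reads better as `as a Crown Jewel`, which is how the page phrases it elsewhere; pre-existing, but the line is being touched anyway.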

Expand All @@ -67,13 +66,13 @@ Pick a name for the Crown Jewel and click "Create".

![Create Matcher Name](../../../img/access-graph/crown-jewels/create-matcher-name.webp)

The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Access Graph will now create
The Crown Jewel will now be created, and you will see it in the list of Crown Jewels. Graph Explorer will now create
audit events in Teleport's audit log and new entries in the "Access Changes" tab in the "Crown Jewels" menu whenever
access path to a resource or a user changes.

## Viewing permission changes

To view permission changes, open the Access Graph and navigate to the "Crown Jewels" tab.
To view permission changes, open the Explorer and navigate to the "Crown Jewels" tab.
Here you can see a list of all Crown Jewels and the changes that have been made to them.

![Changes](../../../img/access-graph/crown-jewels/changes.webp)
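Review bot: `To view permission changes, open the Explorer and navigate to the "Crown Jewels" tab.` is inconsistent with the rest of this PR, which uses `Graph Explorer`; suggest `open the Graph Explorer and navigate to the "Crown Jewels" tab.`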
33 changes: 16 additions & 17 deletions docs/pages/admin-guides/teleport-policy/integrations/aws-sync.mdx
@@ -1,31 +1,30 @@
---
title: Discover AWS Access Patterns with Teleport Policy
description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Access Graph.
description: Describes how to import and visualize AWS accounts access patterns using Teleport Policy and Graph Explorer.
---

Teleport Policy streamlines and centralizes access management across your entire infrastructure. You can view access relationships in seconds,
viewing unified, up-to-date relationships and policies between all users, groups, and computing resources.

Teleport Policy with Access Graph offers insights into access patterns within your AWS account. By scanning IAM
Teleport Policy with Graph Explorer offers insights into access patterns within your AWS account. By scanning IAM
permissions, users, groups, resources, and identities, it provides a visual representation and aids in
enhancing the permission model within your AWS environment. This functionality enables you to address queries such as:

- What resources are accessible to AWS users and roles?
- Which resources can be reached via identities associated with EC2 instances?
- What AWS resources can Teleport users access when connecting to EC2 nodes?

Utilizing the Access Graph to analyze IAM permissions within an AWS account necessitates the setup of the Access Graph (AG)
Utilizing the Graph Explorer to analyze IAM permissions within an AWS account necessitates the setup of the Graph Explorer (AG)
service, a Discovery Service, and integration with your AWS account.

Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is
Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product that is
available to Teleport Enterprise customers.

After logging in to the Teleport UI, go to the Management tab. If enabled,
Access Graph options can be found under the Permission Management section.
After logging in to the Teleport UI, go to the Management tab. If enabled, Explorer options can be found under the Permission Management section.

## How it works

Access Graph discovers AWS access patterns, synchronizes various AWS resources,
Graph Explorer discovers AWS access patterns, synchronizes various AWS resources,
including IAM Policies, Groups, Users, User Groups, EC2 instances, EKS clusters, and RDS databases.
These resources are then visualized using the graph representation detailed in the
[Teleport Policy usage page](../policy-how-to-use.mdx).
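Review bot: `necessitates the setup of the Graph Explorer (AG) service` leaves the `(AG)` abbreviation dangling now that Access Graph is no longer spelled out, and the service being set up is still the Access Graph service. Suggest `the setup of the Access Graph (AG) service, which backs Graph Explorer,` or drop `(AG)` entirely. In the same hunk, `If enabled, Explorer options can be found` should read `Graph Explorer options` for consistency with the rest of the PR.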
Expand All @@ -48,11 +47,11 @@ At intervals of 15 minutes, it retrieves the following resources from your AWS a
- S3 Buckets

Once all the necessary resources are fetched, the Teleport Discovery Service pushes them to the
Access Graph, ensuring that it remains updated with the latest information from your AWS environment.
Graph Explorer, ensuring that it remains updated with the latest information from your AWS environment.

### Importing resources

Teleport Policy’s Access Graph feature delves into the IAM policies, identities,
Teleport Policy’s Graph Explorer feature delves into the IAM policies, identities,
and resources retrieved from your AWS account, crafting a
graphical representation thereof.
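Review bot: `the Teleport Discovery Service pushes them to the Graph Explorer` describes a data path, and the Discovery Service pushes to the Access Graph service rather than to the UI; suggest keeping `pushes them to the Access Graph` here, or `to the Access Graph service that backs Graph Explorer`.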

Expand All @@ -63,10 +62,10 @@ graphical representation thereof.
- Teleport Policy enabled for your account.
- For self-hosted clusters:
- Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
- A running Access Graph node v1.17.0 or later.
- A running Graph Explorer node v1.17.0 or later.
Check the [Teleport Policy page](../teleport-policy.mdx) for details on
how to set up Access Graph.
- The node running the Access Graph service must be reachable from the Teleport Auth Service.
how to set up Graph Explorer.
- The node running the Graph Explorer service must be reachable from the Teleport Auth Service.

## Step 1/2. Configure Discovery Service (Self-hosted only)
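Review bot: `A running Graph Explorer node v1.17.0 or later.` and `The node running the Graph Explorer service must be reachable from the Teleport Auth Service.` rename the deployed component; per the reviewer's note in this PR the self-hosted component is still the Access Graph service, so the prerequisite should name it (`a running Access Graph service v1.17.0 or later, which backs Graph Explorer`), and the version number applies to that service, not to the UI feature.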

Expand Down Expand Up @@ -95,16 +94,16 @@ it's possible to reuse it as long as the following requirements are met:

- On step 2, you match the `discovery_group` with the existing Discovery Service's
`discovery_group`.
- Access Graph service is reachable from the machine where Discovery Service runs.
- Graph Explorer service is reachable from the machine where Discovery Service runs.
Contributor

Most of this is good, but I would note again that we run the access graph service for this.


## Step 2/2. Set up Access Graph AWS Sync
## Step 2/2. Set up Graph Explorer AWS Sync

To initiate the setup wizard for configuring AWS Sync, access the Teleport UI,
navigate to the Management tab, and choose the Access Graph option within the
navigate to the Management tab, and choose the Graph Explorer option within the
Permission Management section.

If both Teleport and Access Graph support AWS sync, you'll notice a new button
adjacent to the Access Graph navigation bar labeled `Analyze AWS IAM policies with Access Graph`.
If both Teleport and Graph Explorer support AWS sync, you'll notice a new button
adjacent to the Graph Explorer navigation bar labeled `Analyze AWS IAM policies with Graph Explorer`.

You'll be prompted to create a new Teleport AWS integration if you haven't configured
one already. Alternatively, you can opt for a previously established integration.
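Review bot: the button label `Analyze AWS IAM policies with Graph Explorer` is a literal UI string; renaming it in the docs only holds if the Web UI string changed in the same release, otherwise readers will look for a button that does not exist. Please confirm the label against the UI and quote whatever it currently says. The comment on this hunk also applies to `Graph Explorer service is reachable from the machine where Discovery Service runs.`: the thing that must be reachable is the Access Graph service.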
27 changes: 13 additions & 14 deletions docs/pages/admin-guides/teleport-policy/integrations/entra-id.mdx
@@ -1,6 +1,6 @@
---
title: Analyze Entra ID policies with Teleport Policy
description: Describes how to import and visualize Entra ID policies using Teleport Policy and Access Graph.
description: Describes how to import and visualize Entra ID policies using Teleport Policy and Graph Explorer.
---

The Microsoft Entra ID integration in Teleport Identity synchronizes your Entra ID directory into your Teleport cluster,
Expand All @@ -27,7 +27,7 @@ At intervals of 5 minutes, it retrieves the following resources from your Entra

Entra ID users and groups are imported into Teleport as users and Access Lists respectively.
Once all the necessary resources are fetched, Teleport pushes them to the
Access Graph, ensuring that it remains updated with the latest information.
Graph Explorer, ensuring that it remains updated with the latest information.
These resources are then visualized using the graph representation detailed in the
[Teleport Policy usage page](../policy-how-to-use.mdx).
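Review bot: `Once all the necessary resources are fetched, Teleport pushes them to the Graph Explorer` has the same data-path problem as the AWS page: Teleport pushes to the Access Graph service, and Graph Explorer is the view over it. Suggest `pushes them to the Access Graph`.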

Expand All @@ -37,16 +37,16 @@ These resources are then visualized using the graph representation detailed in t
- Teleport Identity and Teleport Policy enabled for your account.
- For self-hosted clusters:
- Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
- A running Access Graph node v1.21.3 or later.
- A running Graph Explorer node v1.21.3 or later.
Check the [Teleport Policy page](../teleport-policy.mdx) for details on
how to set up Access Graph.
- The node running the Access Graph service must be reachable from the Teleport Auth Service.
how to set up Graph Explorer.
- The node running the Graph Explorer service must be reachable from the Teleport Auth Service.
- Your user must have privileged administrator permissions in the Azure account
- For OIDC setup, the Teleport cluster must be publicly accessible from the internet.
- For air gapped clusters, `tctl` must be v16.4.7 or later.

To verify that Access Graph is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab.
If enabled, the Access Graph menu item will appear in the Permission Management section.
To verify that Graph Explorer is set up correctly for your cluster, sign in to the Teleport Web UI and navigate to the Management tab.
If enabled, the Graph Explorer menu item will appear in the Permission Management section.

## Step 1/3. Choose a setup method
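Review bot: `A running Graph Explorer node v1.21.3 or later.` and `The node running the Graph Explorer service must be reachable from the Teleport Auth Service.` should keep naming the Access Graph service, as in the other prerequisite lists in this PR. Separately, `the Graph Explorer menu item will appear in the Permission Management section` is a UI label; please confirm the Web UI menu item is actually named that before documenting it.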

Expand Down Expand Up @@ -232,7 +232,7 @@ For clusters running in multiplex mode, this address will be the same as your pr
If your Teleport license does not include [Teleport Policy](../teleport-policy.mdx), include the `--no-access-graph` flag.

```code
# Disable Access Graph integration if your license supports Teleport Policy with --no-access-graph flag.
# Disable Graph Explorer integration if your license supports Teleport Policy with --no-access-graph flag.
$ tctl plugins install entraid \
--default-owner=<Var name="Access List Owner"/> \
[email protected] \
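Review bot: the code comment `# Disable Graph Explorer integration if your license supports Teleport Policy with --no-access-graph flag.` contradicts the sentence above the block (`If your Teleport license does not include Teleport Policy, include the --no-access-graph flag.`). Since the line is being edited anyway, suggest `# Disable the Access Graph integration with --no-access-graph if your license does not include Teleport Policy.`; the flag itself is still `--no-access-graph`, so keeping the Access Graph name in the comment avoids a mismatch between prose and flag.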
Expand Down Expand Up @@ -518,7 +518,7 @@ Currently, when using manual mode, it is not possible to operate without the `--
</Notice>

```code
# enable Access Graph integration if your license supports Teleport Policy.
# enable Graph Explorer integration if your license supports Teleport Policy.
$ tctl plugins install entraid \
--default-owner=<Var name="Access List Owner"/> \
[email protected] \
Expand All @@ -534,14 +534,13 @@ Follow the detailed instructions provided by the `tctl plugins install entraid`
</TabItem>
</Tabs>

## Step 3/3. Analyze Entra ID directory in Teleport Access Graph
## Step 3/3. Analyze Entra ID directory in Graph Explorer

Shortly after the integration onboarding is finished,
your Entra ID directory will be imported into your Teleport cluster and Access Graph.
your Entra ID directory will be imported into your Teleport cluster and Graph Explorer.

You can find Entra ID users and groups in the Access Graph UI. If you have Entra ID SSO set up for your AWS accounts,
and the AWS accounts have been connected to Teleport,
Access Graph will also show access to AWS resources granted to Entra ID identities.
You can find Entra ID users and groups in the Explorer UI. If you have Entra ID SSO set up for your AWS accounts,
and the AWS accounts have been connected to Teleport, Graph Explorer will also show access to AWS resources granted to Entra ID identities.

In the following example, Bob is assigned to group `AWS-Engineers` in Entra ID.
This allows him to use SSO to assume the AWS IAM role `Engineers`,
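Review bot: `You can find Entra ID users and groups in the Explorer UI.` should read `Graph Explorer UI`, matching the heading `## Step 3/3. Analyze Entra ID directory in Graph Explorer` in the same hunk.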
40 changes: 20 additions & 20 deletions docs/pages/admin-guides/teleport-policy/integrations/gitlab.mdx
@@ -1,26 +1,26 @@
---
title: Discover GitLab Access Patterns with Teleport Policy
description: Describes how to synchronize GitLab access patterns using Teleport Policy and Access Graph.
description: Describes how to synchronize GitLab access patterns using Teleport Policy and Graph Explorer.
---

With Teleport Policy's Access Graph, you gain insights into access patterns within your GitLab account. By scanning all
With Teleport Policy's Graph Explorer, you gain insights into access patterns within your GitLab account. By scanning all
permissions, users, groups, and projects, it provides a visual representation to help enhance the permission model within
your GitLab environment. This functionality enables you to answer queries such as:

- What projects are accessible to users?
- Which users have write permissions to projects?

Access Graph is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product
Graph Explorer is a feature of the [Teleport Policy](https://goteleport.com/platform/policy/) product
available to Teleport Enterprise edition customers.

After logging in to the Teleport UI, navigate to the Management tab. If enabled, Access Graph options can be found
After logging in to the Teleport UI, navigate to the Management tab. If enabled, Graph Explorer options can be found
under the Permission Management section.

## How it works

Access Graph synchronizes various GitLab resources, including users, projects and groups.
Graph Explorer synchronizes various GitLab resources, including users, projects and groups.
These resources are then visualized using the graph representation detailed in the
[Access Graph page](../teleport-policy.mdx).
[Graph Explorer page](../teleport-policy.mdx).

The importing process involves two primary steps:
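Review bot: the link text `[Graph Explorer page](../teleport-policy.mdx)` points at the Teleport Policy page, which the AWS and Entra ID files in this PR call `[Teleport Policy page](../teleport-policy.mdx)`; suggest the same text here so one target does not carry two names.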

Expand All @@ -35,11 +35,11 @@ The Teleport cluster continuously scans the configured GitLab accounts and retri
- Project memberships

Once all the necessary resources are fetched, Teleport pushes them to the
Access Graph, ensuring that it remains updated with the latest information from your GitLab instance.
Graph Explorer, ensuring that it remains updated with the latest information from your GitLab instance.

### Importing resources

Teleport Policy’s Access Graph feature delves into the resources imported and their relationships, crafting a
Teleport Policy’s Graph Explorer feature delves into the resources imported and their relationships, crafting a
graphical representation thereof.
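Review bot: `Teleport pushes them to the Graph Explorer` again names the UI as the destination of the sync; the destination is the Access Graph service. Suggest `pushes them to the Access Graph`.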


Expand All @@ -50,10 +50,10 @@ graphical representation thereof.
- A GitLab instance running GitLab v9.0 or later.
- For self-hosted clusters:
- Ensure that an up-to-date `license.pem` is used in the Auth Service configuration.
- A running Access Graph node v1.21.4 or later.
- A running Graph Explorer node v1.21.4 or later.
Check the [Teleport Policy page](../teleport-policy.mdx) for details on
how to set up Access Graph.
- The node running the Access Graph service must be reachable from the Teleport Auth Service.
how to set up Graph Explorer.
- The node running the Graph Explorer service must be reachable from the Teleport Auth Service.

## Step 1/3. Create GitLab token
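Review bot: `A running Graph Explorer node v1.21.4 or later.` and `The node running the Graph Explorer service must be reachable from the Teleport Auth Service.` should keep the Access Graph service name, consistent with the reviewer's note on this PR and with the container image the self-hosted deployment actually runs.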

Expand Down Expand Up @@ -82,21 +82,21 @@ The importer will use this token to fetch the necessary resources from your GitL

The token will be used in the next step to configure the GitLab Sync integration.

## Step 2/3. Set up Access Graph GitLab Sync
## Step 2/3. Set up Graph Explorer GitLab Sync

To initiate the setup wizard for configuring GitLab Sync, access the Teleport UI,
navigate to the Management tab, and choose the Access Graph option within the
navigate to the Management tab, and choose the Graph Explorer option within the
Permission Management section.

In the Access Graph page, you'll notice a button labeled `Integrations`. Click on it to
In the Graph Explorer page, you'll notice a button labeled `Integrations`. Click on it to
to access the Integrations page. On the Integrations page, click on the `Setup` button next to the GitLab integration.

You'll be prompted to provide the GitLab token created in Step 1 and the GitLab instance domain.
Once the token is successfully validated, you'll be able to see the resources imported in Access Graph.
Once the token is successfully validated, you'll be able to see the resources imported in Graph Explorer.

## Step 3/3. View GitLab resources in Access Graph
## Step 3/3. View GitLab resources in Graph Explorer

After the GitLab resources are imported, you can view them in the Access Graph page.
After the GitLab resources are imported, you can view them in the Graph Explorer page.
The graph representation will show the relationships between users, groups, and projects within your GitLab instance.

Users can have permissions to access a Group or Project. When a user has access to a Group, they inherit permissions
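Review bot: `In the Graph Explorer page, you'll notice a button labeled `Integrations`. Click on it to` followed by `to access the Integrations page` has a duplicated `to` across the line break; pre-existing, but since the first line is touched, drop one. The `Integrations` and `Setup` labels are UI strings and are fine as they stand.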
Expand All @@ -107,7 +107,7 @@ You can view the permissions granted to users, groups, and projects by clicking
For example, to view the permissions granted to a user, click on the user node and select `View Access` from the context menu.
This will display the permissions granted to the user and the resources they have access to.

You can also run queries to fetch specific information from the Access Graph, such as:
You can also run queries to fetch specific information from the Graph Explorer, such as:

### Fetch All Projects Accessible to a User

Expand Down Expand Up @@ -136,7 +136,7 @@ SELECT * FROM access_path WHERE "resource" = '<Var name="project" />' AND source

## Troubleshooting

After setting up the GitLab integration, you can monitor the import process status on the Access Graph's Integrations page.
After setting up the GitLab integration, you can monitor the import process status on the Graph Explorer's Integrations page.
If the import fails, an error message will help identify the issue.

You can also check whether the import process is currently running or has completed successfully by viewing the status.
Expand All @@ -147,5 +147,5 @@ and that the token is valid. If the token has expired, you'll need to create a n
If you encounter any other issues, please ensure that the Teleport cluster can reach the GitLab instance and that the
GitLab APIs are accessible.

If you're still facing issues, please inspect the error log on the Access Graph's Integrations page for more details.
If you're still facing issues, please inspect the error log on the Graph Explorer's Integrations page for more details.
