Improve access graph documentation #49314
Conversation
This PR introduces a recommendation for users to enable Okta/Entra synchronization to improve the user experience when working with Crown Jewels. Ephemeral, highly privileged users created by the SSO connector can generate excessive activity, rendering Crown Jewels difficult to use. Additionally, the PR includes examples of the new `ssh_keys` view when utilizing the Policy SSH Keys scan functionality. Signed-off-by: Tiago Silva <[email protected]>
github-actions
bot
requested review from
mmcallister,
ptgott,
r0mant,
xinding33 and
zmb3
tigrato
added
the
no-changelog
|
🤖 Vercel preview here: https://docs-2xfrsnuzd-goteleport.vercel.app/docs |
tigrato
force-pushed
the
tigrato/improve-access-graph-docs
branch
from
2f6f622
to
a07bd29
Compare
|
🤖 Vercel preview here: https://docs-210e8pqxs-goteleport.vercel.app/docs |
|
|
||
| For an improved experience, we recommend using Crown Jewels in conjunction with Teleport local users or integrating with | ||
| [Okta](../../enroll-resources/application-access/okta/okta.mdx) or [Microsoft Entra ID](./integrations/entra-id.mdx). | ||
| This setup helps mitigate the spam generated by highly privileged ephemeral users created by Teleport Auth Connectors. |
There was a problem hiding this comment.
What does "spam" mean in this case? To me, this sounds a little judgmental towards a Teleport feature, which seems out of place in documentation.
There was a problem hiding this comment.
Spam refers to an excessive number of entries. When a user with access to all resources logs in using a standard connector, it generates N access path changes, where N is the number of resources they have access to.
| @@ -152,6 +152,30 @@ Insecure paths are also visible in a user's access paths. To view them, click on | |||
| from the context menu. This will show the Teleport permissions granted to the user, the resources they can access, | |||
| and any detected insecure paths. | |||
|
|
|||
| **Access Graph: Dedicated `ssh_keys` SQL View** | |||
There was a problem hiding this comment.
If this is a section heading, I would use header syntax (#+) instead of bold text.
docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx
Outdated
Show resolved
Hide resolved
| @@ -16,7 +16,8 @@ Crown Jewels, and how to see permission changes for these resources. | |||
|
|
|||
| For an improved experience, we recommend using Crown Jewels in conjunction with Teleport local users or integrating with | |||
| [Okta](../../enroll-resources/application-access/okta/okta.mdx) or [Microsoft Entra ID](./integrations/entra-id.mdx). | |||
| This setup helps mitigate the spam generated by highly privileged ephemeral users created by Teleport Auth Connectors. | |||
| This setup helps minimize the number of access path change entries generated when highly privileged ephemeral users | |||
| log in via Teleport Auth Connectors.. | |||
There was a problem hiding this comment.
| log in via Teleport Auth Connectors.. | |
| log in via Teleport authentication connectors. |
To use the convention we use elsewhere in the docs
There was a problem hiding this comment.
Are we being overly pedantic here?
The product literally calls them Auth Connectors:
docs/pages/admin-guides/teleport-policy/integrations/ssh-keys-scan.mdx
Outdated
Show resolved
Hide resolved
|
🤖 Vercel preview here: https://docs-5pq78tfjb-goteleport.vercel.app/docs |
|
🤖 Vercel preview here: https://docs-d7ml5j91w-goteleport.vercel.app/docs |
|
🤖 Vercel preview here: https://docs-bzany97mu-goteleport.vercel.app/docs |
| This setup helps minimize the number of access path change entries generated when highly privileged ephemeral users | ||
| log in via Teleport Auth Connectors. |
There was a problem hiding this comment.
| This setup helps minimize the number of access path change entries generated when highly privileged ephemeral users | |
| log in via Teleport Auth Connectors. | |
| This setup helps minimize the number of access path change entries generated when ephemeral SSO users | |
| marked as Crown Jewels log in via Teleport Auth Connectors. |
There was a problem hiding this comment.
They don't need to be Crown Jewels. Actually the issue is much worse if the resources are Crown Jewels because it generates one event per resource they have access to
public-teleport-github-review-bot
bot
removed the request for review
from mmcallister
public-teleport-github-review-bot
bot
removed the request for review
from xinding33
tigrato
force-pushed
the
tigrato/improve-access-graph-docs
branch
from
0b96bdf
to
9a6a869
Compare
tigrato
force-pushed
the
tigrato/improve-access-graph-docs
branch
from
9a6a869
to
5535e59
Compare
|
🤖 Vercel preview here: https://docs-3icfcfail-goteleport.vercel.app/docs |
|
🤖 Vercel preview here: https://docs-4hqg9ez3l-goteleport.vercel.app/docs |
This PR introduces a recommendation for users to enable Okta/Entra synchronization to improve the user experience when working with Crown Jewels. Ephemeral, highly privileged users created by the SSO connector can generate excessive activity, making Crown Jewels difficult to use.
Additionally, the PR includes examples of the new
ssh_keysview when utilizing the Policy SSH Keys scan functionality.