# Reviewing Access Requests

In this guide we will walk through two Access List-related Access Request use-cases.

- [Access Requests for resources granted by an Access List](#access-requests-for-resources-granted-by-an-access-list)
- [Access Requests for resources requested by an Access List member](#access-requests-for-resources-requested-by-an-access-list-member)

## Prerequisites

- Teleport cluster with a connected resource e.g. an SSH node.
- Teleport user (`admin` in this guide) with an `editor` role to perform configuration.
- Teleport user (`alice` in this guide) acting as an Access Request reviewer.
- Teleport user (`bob` in this guide) acting as a low-privileged requester user.

## Access Requests for resources granted by an Access List

Access List owners can be automatically assigned as suggested reviewers to resource-based Access Requests that include resources granted by their Access List.

### How it works

We will create an Access List that grants users direct access to certain resources and allows its owners to review Access Requests to those resources.

Then, we will issue an Access Request to those resources to verify that the list owners are prepopulated as suggested reviewers and that the request can be promoted to long-term access via the Access List.

### Step 1/5. Create roles

As an `admin` user, let's create 3 roles:

- Role that grants access to SSH nodes with a label `env:prod`
- Role that allows users to request access to SSH nodes with that label
- Role that allows users to review Access Requests for SSH nodes with that label

The `ssh-access` role allows access to SSH nodes with the label `env: prod`:

```
kind: role
version: v8
metadata:
  name: ssh-access
spec:
  allow:
    logins:
    - ubuntu
    node_labels:
      'env': 'prod'

```

The `ssh-access-requester` role allows users to request access to such SSH nodes:

```
kind: role
version: v8
metadata:
  name: ssh-access-requester
spec:
  allow:
    request:
      search_as_roles:
      - ssh-access

```

The `ssh-access-reviewer` role allows users to review such Access Requests:

```
kind: role
version: v8
metadata:
  name: ssh-access-reviewer
spec:
  allow:
    review_requests:
      roles:
      - ssh-access
      preview_as_roles:
      - ssh-access

```

### Step 2/5. Assign requester role

As an `admin` user, assign the `ssh-access-requester` role to `bob`.

![bob user roles](/docs/assets/images/bob-user-roles-7f27de3dc187fec237f5e07b100a9235.png)

This role will allow `bob` to issue Access Requests to SSH nodes with `env: prod` labels.

### Step 3/5. Create an Access List

Now, as an `admin` user, let's create an Access List that grants access to the SSH nodes (via `ssh-access` member role grant) and allows its owners to review requests to these SSH nodes (via `ssh-access-reviewer` owner role grant).

On the Identity Governance / Access Lists web UI page select "Create New Access List" and create a new one with the following parameters:

- List name: `SSH Access`
- Permissions granted to list owners: `ssh-access-reviewer`
- Permissions granted to list members: `ssh-access`
- List owner: `alice`

![access list owners](/docs/assets/images/ssh-access-list-owners-4bea2bb261bc54422e17cf49ddbeaa08.png)

You can fill out the rest of the parameters as desired.

### Step 4/5. Submit an Access Request

Once you log into Teleport as `bob`, you should be able to see your SSH node(s) as requestable resources.

On the Access Request checkout dialog, you should see that `alice` has been prepopulated as a suggested reviewer because she is an owner of the access list that grants access to the requested SSH node.

![alice is suggested reviewer](/docs/assets/images/bob-submit-request-7758067e6277b3cf5ab6b3397ed664f9.png)

Submit the request.

### Step 5/5. Review the Access Request

Once the request is submitted, log in as `alice` and go to the Identity Governance / Access Requests page to see `bob`'s pending request and review it:

![alice is suggested reviewer](/docs/assets/images/alice-review-request-bc05229469e283465c608f8e582968c6.png)

Because access to the requested SSH node can be granted by the "SSH Access" list, `alice` has the option to promote the request to long-term access via the Access List to grant direct access to the SSH node.

That's it! `alice` as an owner of the "SSH Access" list has successfully reviewed `bob`'s request to an SSH node that's granted by her Access List.

## Access Requests for resources requested by an Access List member

Access List owners can also be automatically assigned as suggested reviewers to resource-based Access Requests where the requester is granted permission to request the resource via Access List membership and the owner has permission to review requests for the resource.

### How it works

We will create an Access List that grants users the ability to request access to certain resources and allows its owners to review those requests.

We will make the requester a member of the Access List.

Then, we will issue an Access Request to those resources to verify that the list owner is prepopulated as a suggested reviewer and that the request can be reviewed by the owner.

### Step 1/5. Create roles

As an `admin` user, let's create 3 roles:

- Role that grants access to SSH nodes with a label `env:prod`
- Role that allows users to request access to those SSH nodes
- Role that allows users to review those Access Requests

The `ssh-member-access` role allows access to SSH nodes with the label `env: prod`:

```
kind: role
version: v8
metadata:
  name: ssh-member-access
spec:
  allow:
    logins:
    - ubuntu
    node_labels:
      'env': 'prod'

```

The `ssh-member-requester` role allows users to request access to SSH nodes using the `ssh-member-access` role:

```
kind: role
version: v8
metadata:
  name: ssh-member-requester
spec:
  allow:
    request:
      search_as_roles:
      - ssh-member-access
      roles:
      - ssh-member-access

```

The `ssh-member-reviewer` role allows users to review Access Requests for the `ssh-member-access` role:

```
kind: role
version: v8
metadata:
  name: ssh-member-reviewer
spec:
  allow:
    review_requests:
      roles:
      - ssh-member-access
      preview_as_roles:
      - ssh-member-access

```

### Step 2/5. Create an Access List

As an `admin` user, create an Access List.

The `ssh-member-access-list` grants its members the ability to request access to SSH nodes (via `ssh-member-requester` member role grant) and its owners the ability to review those requests (via `ssh-member-reviewer` owner role grant):

```
kind: access_list
version: v1
metadata:
  name: ssh-member-access-list
spec:
  title: "SSH Member Access"
  description: "Access List for membership-based Access Request reviews"
  owners:
    - name: alice
      description: "Access list owner"
  grants:
    roles:
      - ssh-member-requester
  owner_grants:
    roles:
      - ssh-member-reviewer

```

### Step 3/5. Add the requester as a member of the Access List

Next, add `bob` as a member of `ssh-member-access-list`:

```
tctl acl users add ssh-member-access-list bob

```

Once `bob` is a member of the `ssh-member-access-list`, the `ssh-member-requester` role will be granted, allowing `bob` to request access to SSH nodes with the `env: prod` label.

### Step 4/5. Submit an Access Request

Once you log into Teleport as `bob`, you should be able to see the SSH nodes with the `env: prod` label as requestable resources.

On the Access Request checkout dialog, you should see that `alice` has been prepopulated as a suggested reviewer because she is an owner of the Access List, has review permission for requests to those resources, and `bob`'s membership grants the ability to request them.

![bob submit resource request](/docs/assets/images/bob-submit-resource-request-ba84193958a01bdc8a6ba49037f1b6e1.png)

Submit the request.

### Step 5/5. Review the Access Request

Once the request is submitted, log in as `alice` and go to the Identity Governance / Access Requests page to see `bob`'s pending request and review it:

![alice review resource request](/docs/assets/images/alice-review-resource-request-0f9bc389a3aeb264aae1e561368fee09.png)

Because `alice` is an owner of `ssh-member-access-list`, she has been granted the `ssh-member-reviewer` role, which allows her to review requests for the `ssh-member-access` role.

That's it! `alice`, as an owner of `ssh-member-access-list`, has successfully reviewed `bob`'s resource Access Request for an SSH node.
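The two suggested-reviewer rules walked through in this guide (resources granted by an Access List, and resources requested by an Access List member) can be modelled in a few lines of Python to reason about who will be suggested for a given request. This is an added example, not Teleport's implementation: the flattened role dictionaries, the `review_roles` key, the function names and the user `carol` are assumptions, label matching is exact-match only, and the owner's review permission is taken only from the list's owner grants.

```python
# Constructed data mirroring this guide's roles, flattened to the fields the rules use.
ROLES = {
    "ssh-access": {"node_labels": {"env": "prod"}},
    "ssh-access-reviewer": {"review_roles": ["ssh-access"]},
    "ssh-member-access": {"node_labels": {"env": "prod"}},
    "ssh-member-requester": {"search_as_roles": ["ssh-member-access"]},
    "ssh-member-reviewer": {"review_roles": ["ssh-member-access"]},
}
SSH_ACCESS = {"owners": ["alice"], "members": [],
              "grants": ["ssh-access"], "owner_grants": ["ssh-access-reviewer"]}
SSH_MEMBER = {"owners": ["alice"], "members": ["bob"],
              "grants": ["ssh-member-requester"], "owner_grants": ["ssh-member-reviewer"]}


def role_matches_node(role, node_labels):
    """True if the role has label selectors and each one equals the node's label."""
    wanted = role.get("node_labels", {})
    return bool(wanted) and all(node_labels.get(k) == v for k, v in wanted.items())


def suggested_reviewers(requester, node_labels, access_lists, roles=ROLES):
    """Owners of every list that satisfies either rule for this request."""
    reviewers = set()
    for acl in access_lists:
        # Rule 1: a member grant of the list gives direct access to the node.
        granted_by_list = any(
            role_matches_node(roles[r], node_labels) for r in acl["grants"])
        # Rule 2: membership lets the requester request a role covering the node,
        # and the list's owner grants allow reviewing that same role.
        requestable = {
            target
            for r in acl["grants"]
            for target in roles[r].get("search_as_roles", [])
            if role_matches_node(roles[target], node_labels)
        }
        reviewable = {
            target
            for r in acl["owner_grants"]
            for target in roles[r].get("review_roles", [])
        }
        by_member = requester in acl["members"] and bool(requestable & reviewable)
        if granted_by_list or by_member:
            reviewers.update(acl["owners"])
    return sorted(reviewers)


if __name__ == "__main__":
    prod_node = {"env": "prod"}
    print(suggested_reviewers("bob", prod_node, [SSH_ACCESS]))    # list grants access
    print(suggested_reviewers("bob", prod_node, [SSH_MEMBER]))    # bob is a member
    print(suggested_reviewers("carol", prod_node, [SSH_MEMBER]))  # carol is not
```

Running the model against exported role and Access List definitions before rollout shows which owners a request would be routed to, and which requests would have no suggested reviewer at all.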

## Next steps

- Learn more about [Resource Access Requests](https://goteleport.com/docs/identity-governance/access-requests/resource-requests.md).
