# Configure Automatic Reviews

Teleport supports automatic reviews of Access Requests. This feature enables teams to enforce a zero standing privilege policy, while still allowing users to receive temporary access without manual approval.

In this guide, we'll walk through how to configure Teleport RBAC and demonstrate example use cases for automatic reviews:

- Automatically approve role requests from users on a specific team.
- Automatically approve resource requests from users on a specific team.

## How it works

Automatic reviews are triggered by Access Automation Rules. These rules instruct Teleport to monitor Access Requests and automatically submit a review when certain conditions (such as requested roles, user traits, or resource labels) are met.

For example, an Access Automation Rule can perform an automatic Access Request approval when a user with the Teleport traits or IdP attribute `team: demo` requests access to the `access` role.

## Prerequisites

- A running Teleport Enterprise (v18.2.8 or higher) cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md).

- The `tctl` and `tsh` clients.

  Installing `tctl` and `tsh` clients

  1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service:

     ```
     $ TELEPORT_DOMAIN=teleport.example.com:443
     $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
     ```

  2. Follow the instructions for your platform to install `tctl` and `tsh` clients:

     **Mac**

     Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients:

     ```
     $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg
     ```

     In Finder double-click the `pkg` file to begin installation.

     ---

     DANGER

     Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

     ---

     **Windows - Powershell**

     ```
     $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip
     Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
     NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
     Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
     ```

     **Linux**

     All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md).

     ```
     $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz
     $ cd teleport
     $ sudo ./install
     Teleport binaries have been copied to /usr/local/bin
     ```

* Permissions to list, create, read, update, and delete `access_monitoring_rule` resources. These permissions are in the preset `editor` role.
* For this guide, at least one Teleport-protected SSH server with a label. [Get started](https://goteleport.com/docs/enroll-resources/server-access/getting-started.md) enrolling SSH servers.

If you're following along with the Terraform steps, first set up the [Teleport Terraform Provider](https://goteleport.com/docs/reference/infrastructure-as-code/terraform-provider.md).

## Step 1/3. Create a requester role and user

In this example, we'll first create:

- A role named `demo-access-request`, which allows users to request access to the `access` role and any resources that the `access` role can access.
- A user named `demo-access-requester`, assigned the above role.

### Create the role

Create a `role` configuration file named `demo-role.yaml`:

```
# demo-role.yaml
kind: role
version: v7
metadata:
  name: demo-access-request
spec:
  allow:
    request:
      roles:
        - access
      search_as_roles:
        - access

```

Create the role with:

```
$ tctl create demo-role.yaml
```

### Create the user

Use the following command to create the user and assign the role:

```
$ tctl users add --roles=demo-access-request demo-access-requester
```

Alternatively, you can assign the role after creating the user:

Assign the `demo-access-request` role to `demo-access-requester` by running the appropriate commands for your authentication provider:

**Local User**

1. Retrieve your local user's roles as a comma-separated list:

   ```
   $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
   ```

2. Edit your local user to add the new role:

   ```
   $ tctl users update $(tsh status -f json | jq -r '.active.username') \
     --set-roles "${ROLES?},demo-access-request"
   ```

3. Sign out of the Teleport cluster and sign in again to assume the new role.

**GitHub**

1. Open your `github` authentication connector in a text editor:

   ```
   $ tctl edit github/github
   ```

2. Edit the `github` connector, adding `demo-access-request` to the `teams_to_roles` section.

   The team you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the team must include your user account and should be the smallest team possible within your organization.

   Here is an example:

   ```
     teams_to_roles:
       - organization: octocats
         team: admins
         roles:
           - access
   +       - demo-access-request

   ```

3. Apply your changes by saving and closing the file in your editor.

4. Sign out of the Teleport cluster and sign in again to assume the new role.

**SAML**

1. Retrieve your `saml` configuration resource:

   ```
   $ tctl get --with-secrets saml/mysaml > saml.yaml
   ```

   Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `saml.yaml` file. Because this key contains a sensitive value, you should remove the saml.yaml file immediately after updating the resource.

2. Edit `saml.yaml`, adding `demo-access-request` to the `attributes_to_roles` section.

   The attribute you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

   ```
     attributes_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - demo-access-request

   ```

3. Apply your changes:

   ```
   $ tctl create -f saml.yaml
   ```

4. Sign out of the Teleport cluster and sign in again to assume the new role.

**OIDC**

1. Retrieve your `oidc` configuration resource:

   ```
   $ tctl get oidc/myoidc --with-secrets > oidc.yaml
   ```

   Note that the `--with-secrets` flag adds the value of `spec.signing_key_pair.private_key` to the `oidc.yaml` file. Because this key contains a sensitive value, you should remove the oidc.yaml file immediately after updating the resource.

2. Edit `oidc.yaml`, adding `demo-access-request` to the `claims_to_roles` section.

   The claim you should map to this role depends on how you have designed your organization's role-based access controls (RBAC). However, the group must include your user account and should be the smallest group possible within your organization.

   Here is an example:

   ```
     claims_to_roles:
       - name: "groups"
         value: "my-group"
         roles:
           - access
   +       - demo-access-request

   ```

3. Apply your changes:

   ```
   $ tctl create -f oidc.yaml
   ```

4. Sign out of the Teleport cluster and sign in again to assume the new role.

## Step 2/3. Assign user traits

To allow automatic review rules to evaluate the requesting user, assign them traits via the Teleport Web UI:

1. Go to **Zero Trust Access** -> **Users**

2. Next to `demo-access-requester`, click **Options** -> **Edit...**

3. Click **Add user trait**, and set:

   - Key: `team`
   - Value: `demo`

4. Click **Save**

5. Verify that the user has been updated with the desired trait

![Edit User Traits](/docs/assets/images/users-edit-e4c0607274c600eb501b410ceca033ff.png)

When adding user traits, you can enter any keys and values. The user trait form does not support wildcard or regular expressions.

---

SSO USERS

Automatic reviews are compatible with SSO users and the attributes provided by the IdP.

---

## Step 3/3. Configure automatic reviews

Now that you've created a user and assigned them traits, you're ready to configure automatic review rules.

Access Automation Rules leverage the user traits, resource labels, and schedules to determine whether requests can be automatically approved. In this step, you'll configure one or more kinds of automatic review rules to demonstrate how Teleport can automatically approve access.

### Role-based automatic reviews

To demonstrate how role requests from a specific team can be automatically approved, create the following Access Automation Rule:

**Via Web UI**

1. Go to **Identity Governance** -> **Access Requests** -> **Set Up Access Automation Rules**

2. Click **Create New Access Automation Rule** -> **Automatic Review Rule**

3. Configure the rule and set:

   - **Name of requested roles to match**: `access`
   - **User Traits to match**: `team: demo`
   - **Review decision**: `APPROVED`

4. Click **Create Rule**

**Via tctl**

Create an `access_monitoring_rule` configuration file named `demo-rule.yaml`:

```
# demo-rule.yaml
kind: access_monitoring_rule
version: v1
metadata:
  name: demo-rule
spec:
  automatic_review:
    decision: APPROVED
    integration: builtin
  condition: |-
    contains_all(set("access"), access_request.spec.roles) &&
    contains_any(user.traits["team"], set("demo"))
  desired_state: reviewed
  subjects:
    - access_request

```

Create the access\_monitoring\_rule with:

```
$ tctl create -f demo-rule.yaml
```

**Via Terraform**

Create an `access_monitoring_rule` configuration file named `demo-rule.tf`:

```
# demo-rule.tf
resource "teleport_access_monitoring_rule" "demo-rule" {
  version = "v1"
  metadata = {
    name = "demo-rule"
  }
  spec = {
    automatic_review = {
      decision    = "APPROVED"
      integration = "builtin"
    }
    condition     = <<-EOT
      contains_all(set("access"), access_request.spec.roles) &&
      contains_any(user.traits["team"], set("demo"))
    EOT
    desired_state = "reviewed"
    subjects      = ["access_request"]
  }
}

```

Apply the configuration:

```
$ terraform apply
```

This rule automatically approves Access Requests for the `access` role if the user has the trait `team: demo`.

To verify the new automatic review rule, create an Access Request via the Teleport Web UI:

1. Log in as `demo-access-requester`
2. Go to **Identity Governance** -> **Access Requests** and click **New Access Request**
3. Change the request type from **Resources** to **Roles**
4. Add the `access` role to the Access Request
5. Click **Proceed to Request**, then **Submit Request**

At this point, the new Access Request should have been created, automatically reviewed, and transitioned into an `APPROVED` state. Navigate **Back to Listings** and verify the Access Request status. It might take a second for the review to process, so you may have to refresh the page.

### Resource-based automatic reviews

Before creating an Access Automation Rule, ensure that you have at least one labeled SSH server connected to your Teleport cluster:

```
List your SSH servers to identify available labels:
$ tsh ls
Node Name   Address    Labels
----------- ---------- -------------------------------
teleport-00 ⟵ Tunnel  env=demo
```

To demonstrate how resource requests from a specific team can be automatically approved, create the following Access Automation Rule:

**Via Web UI**

1. Go to **Identity Governance** -> **Access Requests** -> **Set Up Access Automation Rules**

2. Click **Create New Access Automation Rule** -> **Automatic Review Rule**

3. Configure the rule and set:

   - **Name of requested roles to match**: `access`
   - **Resource labels to match**: `env: demo`
   - **User Traits to match**: `team: demo`
   - **Review decision**: `APPROVED`

4. Click **Create Rule**

**Via tctl**

Create an `access_monitoring_rule` configuration file named `demo-rule.yaml`:

```
# demo-rule.yaml
kind: access_monitoring_rule
version: v1
metadata:
  name: demo-rule
spec:
  automatic_review:
    decision: APPROVED
    integration: builtin
  condition: |-
    contains_all(set("access"), access_request.spec.roles) &&
    contains_any(user.traits["team"], set("demo")) &&
    access_request.spec.resource_labels_intersection["env"].contains("demo")
  desired_state: reviewed
  subjects:
    - access_request

```

Create the access\_monitoring\_rule with:

```
$ tctl create -f demo-rule.yaml
```

**Via Terraform**

Create an `access_monitoring_rule` configuration file named `demo-rule.tf`:

```
# demo-rule.tf
resource "teleport_access_monitoring_rule" "demo-rule" {
  version = "v1"
  metadata = {
    name = "demo-rule"
  }
  spec = {
    automatic_review = {
      decision    = "APPROVED"
      integration = "builtin"
    }
    condition     = <<-EOT
      contains_all(set("access"), access_request.spec.roles) &&
      contains_any(user.traits["team"], set("demo")) &&
      access_request.spec.resource_labels_intersection["env"].contains("demo")
    EOT
    desired_state = "reviewed"
    subjects      = ["access_request"]
  }
}

```

Apply the configuration:

```
$ terraform apply
```

This rule automatically approves Access Requests for the `access` role and resources labeled `env: demo` if the user has the trait `team: demo`.

To verify the new automatic review rule, create an Access Request via the Teleport Web UI:

1. Log in as `demo-access-requester`
2. Go to **Identity Governance** -> **Access Requests** and click **New Access Request**
3. Add the SSH server you'd like to request access to
4. Click **Proceed to Request**, then **Submit Request**

At this point, the new Access Request should have been created, automatically reviewed, and transitioned into an `APPROVED` state. Navigate **Back to Listings** and verify the Access Request status. It might take a second for the review to process, so you may have to refresh the page.

### Schedule-based automatic reviews

To demonstrate how role requests can be automatically approved during a specified schedule, create the following Access Automation Rule:

**Via Web UI**

1. Go to **Identity Governance** -> **Access Requests** -> **Set Up Access Automation Rules**

2. Click **Create New Access Automation Rule** -> **Automatic Review Rule**

3. Configure the rule and set:

   - **Name of requested roles to match**: `access`
   - **User Traits to match**: `team: demo`
   - **Review decision**: `APPROVED`

4. Configure the schedule:

   - Enable **For specified times only**
   - Select the desired **Time Zone**
   - Choose the desired weekdays
   - Set the schedule for each selected weekday

5. Click **Create Rule**

For example, to enable automatic reviews at any time on Mondays, the schedule editor would appear as follows:

![Schedule Editor](/docs/assets/images/schedule-editor-ba9c18999ae30ad8282e8728a60251f0.png)

**Via tctl**

Create an `access_monitoring_rule` configuration file named `demo-rule.yaml`:

```
# demo-rule.yaml
kind: access_monitoring_rule
version: v1
metadata:
  name: demo-rule
spec:
  automatic_review:
    decision: APPROVED
    integration: builtin
  condition: |-
    contains_all(set("access"), access_request.spec.roles) &&
    contains_any(user.traits["team"], set("demo"))
  desired_state: reviewed
  subjects:
    - access_request
  schedules:
    default:
      time:
        timezone: America/Los_Angeles
        shifts:
          - weekday: Monday
            start: "00:00"
            end: "23:59"

```

Create the access\_monitoring\_rule with:

```
$ tctl create -f demo-rule.yaml
```

**Via Terraform**

Create an `access_monitoring_rule` configuration file named `demo-rule.tf`:

```
# demo-rule.tf
resource "teleport_access_monitoring_rule" "demo-rule" {
  version = "v1"
  metadata = {
    name = "demo-rule"
  }
  spec = {
    automatic_review = {
      decision    = "APPROVED"
      integration = "builtin"
    }
    condition     = <<-EOT
      contains_all(set("access"), access_request.spec.roles) &&
      contains_any(user.traits["team"], set("demo"))
    EOT
    desired_state = "reviewed"
    subjects      = ["access_request"]
    schedules = {
      default = {
        time = {
          timezone = "America/Los_Angeles"
          shifts = [
            {
              weekday : "Monday"
              start : "00:00"
              end : "23:59"
            }
          ]
        }
      }
    }
  }
}

```

Apply the configuration:

```
$ terraform apply
```

## Troubleshooting

### Conflicting automatic review rules

Automatic review rules can automatically approve or deny Access Requests based on the selected review decision. If an Access Request meets the conditions for both an approval rule and a denial rule, the denial rule takes precedence.

## Next Steps

- Access Automation Rules are configured using an underlying `access_monitoring_rule` resource. For more details about the `access_monitoring_rule` resource, refer to the [Access Monitoring Rules Reference](https://goteleport.com/docs/reference/access-controls/access-monitoring-rules.md).
- For configuration with Teleport Terraform Provider, refer to the [Terraform Resources Index](https://goteleport.com/docs/reference/infrastructure-as-code/terraform-provider/resources/access_monitoring_rule.md)
- For configuration options with SSO, refer to the [Single Sign-On Guides](https://goteleport.com/docs/zero-trust-access/sso.md).
- For more details about managing resource labels, refer to the [Add Labels to Resources Guide](https://goteleport.com/docs/zero-trust-access/rbac-get-started/labels.md).