Role-Based Access Control (RBAC) for Infrastructure
Role-Based Access Control (RBAC) is the practice of managing privileged access
to infrastructure through a central directory of users, roles, and teams.
Authorization is granted to groups (or roles) within a company directory. This
allows individuals to access secured infrastructure by simply authenticating
their identity, usually through a Single Sign-on (SSO) solution tied to the
Teleport supports all major SSO providers, including
Auth0 and many others.
Who can Benefit from RBAC?
Using RBAC instead of individually-managed authorization and
authentication methods (such as SSH keys or VPN logins) means
companies can not only control user group permissions within their
organization but also grant controlled and seamless access to
third-party teams. This is useful for:
- Company-wide compliance teams overseeing multiple infrastructure and engineering groups who use both Kubernetes and SSH.
- Managed service providers (MSPs) that manage Kubernetes and generic server clusters for clients.
- Remote support teams from software vendors who wish to manage remote on-site Kubernetes clusters.
- Internet-of-Things (IoT) edge cloud management from a centralized location.
Meet Compliance Requirements
RBAC is used to secure the infrastructure and meet compliance requirements
around privileged (SSH) access. Specifically, it enables security and systems
engineers to enforce security and compliance policies such as:
- Multi-factor authentication (MFA). Integrating with company-wide SSO enables two-factor authentication (2FA) for SSH sessions using the same access control plane, simplifying management and audit.
- Enforce infrastructure and data compliance. Isolate production environments and production data from specific roles and teams, or limit access to certain roles and teams. Enforce policies like "Developers must never see production data" with ease.
- Compliant process for onboarding and transferring employees. Ensure privileged access permissions stay up-to-date as individuals switch roles or leave the company.
- Prohibit root access for all roles. Teleport RBAC allows security administrators to remove the need to use root privileges. RBAC also separates SSH permissions management from server management.
Overall, the result of implementing RBAC is a reduction in
operational overhead. Administrators can control (add, modify,
and revoke) privileged access for teams or individuals from one
place, while users can get access authorization without needing
to manage SSH keys or VPN credentials.