Limiting users to view only their sessions

Ported from GitHub question https://github.com/gravitational/teleport/issues/2599

Excuse me if it is an existing issue.
I want UserA to be able to view only UserA’s sessions on WebUI.
Is it possible with Teleport Community Edition?

1 Like

Right now it’s not possible to limit users to view only their sessions in the web UI, in either the OSS or Enterprise versions of Teleport.

1 Like

What if the users are within completely different Teleport roles?

1 Like

For now we can only completely turn off the user’s ability to view sessions:

For example, auditor role with no ability to SSH, but only view sessions:

```yaml
kind: role
version: v3
metadata:
  name: auditor
spec:
  # SSH options used for user sessions
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow logins (a bogus SSH principal is necessary to log in to the web UI)
  allow:
    logins: ['this-login-does-not-exist']

    rules:
    - resources:
      - session
      verbs:
      - list
      - read

  # the deny section uses the identical format as the 'allow' section.
  # the deny rules always override allow rules.
  deny:
    node_labels:
      '*': '*'
```

Or here is the example role that does not allow session view but allows SSH logins:

```yaml
kind: role
version: v3
metadata:
  name: user
spec:
  # SSH options used for user sessions
  options:
    # max_session_ttl defines the TTL (time to live) of SSH certificates
    # issued to the users with this role.
    max_session_ttl: 1h

  # Allow logins
  allow:
    logins: ['bob']
    node_labels:
      '*': '*'
  # Deny viewing sessions
  deny:
    rules:
    - resources:
      - session
      verbs:
      - list
      - read
```

2 Likes
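
A simplified model of how the two roles above combine when assigned to users, as an added example that is not part of the original post and not Teleport's own code. The role dicts are constructed to mirror the YAML above, the user assignments are hypothetical, and the evaluator assumes plain `rules` with no `where` conditions.

```python
# Added example: role dicts are constructed to mirror the thread's YAML.
WILDCARD = "*"

AUDITOR = {"metadata": {"name": "auditor"}, "spec": {
    "allow": {"logins": ["this-login-does-not-exist"],
              "rules": [{"resources": ["session"], "verbs": ["list", "read"]}]},
    "deny": {"node_labels": {"*": "*"}}}}

USER = {"metadata": {"name": "user"}, "spec": {
    "allow": {"logins": ["bob"], "node_labels": {"*": "*"}},
    "deny": {"rules": [{"resources": ["session"], "verbs": ["list", "read"]}]}}}


def _matches(rules, resource, verb):
    """True if any rule covers (resource, verb); '*' matches anything."""
    for rule in rules or []:
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if (resource in resources or WILDCARD in resources) and \
           (verb in verbs or WILDCARD in verbs):
            return True
    return False


def can(roles, resource, verb):
    """Combine a user's roles: any deny wins, otherwise any allow grants."""
    for role in roles:
        if _matches(role["spec"].get("deny", {}).get("rules"), resource, verb):
            return False
    return any(_matches(r["spec"].get("allow", {}).get("rules"), resource, verb)
               for r in roles)


def session_view_report(users):
    """Map each user to whether they can both list and read sessions."""
    return {name: all(can(roles, "session", v) for v in ("list", "read"))
            for name, roles in users.items()}


if __name__ == "__main__":
    # Hypothetical assignments; carol shows a deny in one role cancelling
    # the allow granted by another.
    users = {"alice": [AUDITOR], "bob": [USER], "carol": [AUDITOR, USER]}
    for name, ok in session_view_report(users).items():
        print(f"{name}: session view {'allowed' if ok else 'denied'}")
```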

Thank you for the information.
Just in case, is the Role function impossible with Teleport Community Edition?
Is my understanding correct?

```
# tctl get roles/admin > admin-role.yaml
# tctl create -f admin-role.yaml
error: creating resources of type "role" is not supported
```

Yes, by default we all get into the admin role definition.
No other role function with Community Edition.
You can still ask for a trial version with the sales team.

1 Like

Thank you for answering!!

I want to know ENTERPRISE’s price.
Please kindly send me ENTERPRISE price list.

Please regard this topic closed.

Sorry @levkkuro,

I’m not working for Gravitational, I’m just a user like you 🙂
All the information is available through the Gravitational website.

1 Like

I’m sorry too!
I contact website.