[v17] Detail DAC and TAG integration from the user perspective (#50427)

* Detail DAC and TAG integration from the user perspective * Change wording to make linter happy. * Fix broken links and spacing * Update docs/pages/admin-guides/teleport-policy/database-access-controls.mdx Co-authored-by: STeve (Xin) Huang <[email protected]> * Update screenshots. Drop redundant instructions and merge the information into an existing suitable page. --------- Co-authored-by: STeve (Xin) Huang <[email protected]>
gravitational · Dec 19, 2024 · 278db35 · 278db35
1 parent 2b7e177
commit 278db35
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 0 deletions.
diff --git a/docs/img/access-graph/dac/db-object-contains-relation.png b/docs/img/access-graph/dac/db-object-contains-relation.png
diff --git a/docs/img/access-graph/dac/db-object-details.png b/docs/img/access-graph/dac/db-object-details.png
diff --git a/docs/img/access-graph/dac/db-object-permissions-label.png b/docs/img/access-graph/dac/db-object-permissions-label.png
diff --git a/docs/img/access-graph/dac/overview.png b/docs/img/access-graph/dac/overview.png
diff --git a/docs/pages/admin-guides/teleport-policy/policy-connections.mdx b/docs/pages/admin-guides/teleport-policy/policy-connections.mdx
@@ -71,6 +71,32 @@ can be identified by having `Temporary: true` property.
 
 Resource Groups are created from Teleport roles.
 
+### Database Access Controls
+
+Teleport supports [object-level permissions](../../enroll-resources/database-access/rbac.mdx#executing-database-object-permission-rules) for select database protocols.
+
+The database objects-level access information is automatically synchronized to Teleport Policy, making it possible to see who has particular levels of access to the different parts of the database.
+
+When you inspect a particular user's access, the Teleport Access Graph will automatically display the database objects that the user can access.
+
+![Overview of access including individual database objects](../../../img/access-graph/dac/overview.png)
+
+To see more details about a specific database object, simply select it.
+
+<Figure width="400">
+![Details of an individual database object](../../../img/access-graph/dac/db-object-details.png)
+</Figure>
+
+In the graph, database objects are connected by multiple edges:
+
+1. There is exactly one edge connecting the object to its parent database resource. This edge has "contains" label.
+
+![Database object and parent database resource](../../../img/access-graph/dac/db-object-contains-relation.png)
+
+2. At least one edge shows the permissions associated with the object, such as `INSERT, SELECT, UPDATE`. If multiple roles grant permissions to the same object, additional edges of this type may be present. The permissions are presented as edge labels.
+
+![Specific object permissions](../../../img/access-graph/dac/db-object-permissions-label.png)
+
 #### Resources
 
 Resources are created from Teleport resources like nodes, databases, and Kubernetes clusters.