docs: Add warning to avoid deny rules in Access Lists

gravitational · Oct 24, 2024 · 75f71c3 · 75f71c3
1 parent 8841cdd
commit 75f71c3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/docs/pages/reference/access-controls/access-lists.mdx b/docs/pages/reference/access-controls/access-lists.mdx
@@ -168,6 +168,14 @@ spec:
       - required_value1
 ```
 
+## Access Lists and Deny Rules
+
+Granting roles with [`deny` rules](../../reference/roles.mdx) in Access Lists is discouraged.
+Prefer directly assigning roles containing `deny` rules to users.
+
+If a user's membership or ownership in an Access List cannot be resolved at login,
+the user will not receive its grants, thereby bypassing any Deny rules that may have been in place.
+
 ## Managing Access Lists from the CLI
 
 In addition to using the web UI, Access Lists can be created and managed from the CLI

diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx
@@ -12,6 +12,7 @@ A Teleport role manages access by having two lists of rules: `allow` rules and
 
 - Nothing is allowed by default.
 - Deny rules get evaluated first and take priority.
+- Deny rules should be avoided on roles granted through Access Lists.
 
 You can use any of the following to manage Teleport roles and other dynamic
 resources:
@@ -570,7 +571,7 @@ attribute or OIDC claim called `trait`.
 
 You can specify an external trait in dot syntax if it begins with a letter and
 contains only letters, numbers, and underscores. Otherwise, you must use bracket
-syntax to specify a trait. 
+syntax to specify a trait.
 
 When using Azure AD or ADFS as your IdP, you must use bracket notation, as these
 IdPs assign attribute keys to URLs such as the following: