From 75f71c3085c9a557bc01c0b7bd08a21fddcea769 Mon Sep 17 00:00:00 2001 From: Maxim Dietz Date: Thu, 24 Oct 2024 16:07:26 -0400 Subject: [PATCH] docs: Add warning to avoid `deny` rules in Access Lists --- docs/pages/reference/access-controls/access-lists.mdx | 8 ++++++++ docs/pages/reference/access-controls/roles.mdx | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/pages/reference/access-controls/access-lists.mdx b/docs/pages/reference/access-controls/access-lists.mdx index d66225075443b..4ec3fdbeebdea 100644 --- a/docs/pages/reference/access-controls/access-lists.mdx +++ b/docs/pages/reference/access-controls/access-lists.mdx @@ -168,6 +168,14 @@ spec: - required_value1 ``` +## Access Lists and Deny Rules + +Granting roles with [`deny` rules](../../reference/roles.mdx) in Access Lists is discouraged. +Prefer directly assigning roles containing `deny` rules to users. + +If a user's membership or ownership in an Access List cannot be resolved at login, +the user will not receive its grants, thereby bypassing any Deny rules that may have been in place. + ## Managing Access Lists from the CLI In addition to using the web UI, Access Lists can be created and managed from the CLI diff --git a/docs/pages/reference/access-controls/roles.mdx b/docs/pages/reference/access-controls/roles.mdx index 10989cd5b2484..405891c3863ba 100644 --- a/docs/pages/reference/access-controls/roles.mdx +++ b/docs/pages/reference/access-controls/roles.mdx @@ -12,6 +12,7 @@ A Teleport role manages access by having two lists of rules: `allow` rules and - Nothing is allowed by default. - Deny rules get evaluated first and take priority. +- Deny rules should be avoided on roles granted through Access Lists. You can use any of the following to manage Teleport roles and other dynamic resources: 
@@ -570,7 +571,7 @@ attribute or OIDC claim called `trait`. You can specify an external trait in dot syntax if it begins with a letter and contains only letters, numbers, and underscores. Otherwise, you must use bracket -syntax to specify a trait. +syntax to specify a trait. When using Azure AD or ADFS as your IdP, you must use bracket notation, as these IdPs assign attribute keys to URLs such as the following:
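Review bot: In the access-lists.mdx hunk (`@@ -168,6 +168,14 @@`), the link target `../../reference/roles.mdx` looks wrong: resolved from `docs/pages/reference/access-controls/access-lists.mdx` it points at `docs/pages/reference/roles.mdx`, but the roles page this same patch edits lives at `docs/pages/reference/access-controls/roles.mdx`, so the link should be `./roles.mdx` (or whatever path the docs site uses for that page). The rationale paragraph would also land better if it named the mechanism: the `deny` rules live in the role the Access List grants, so when membership or ownership cannot be resolved at login the user never receives that role and its `deny` rules are never evaluated, whereas a role assigned directly to the user is always evaluated. Minor wording: "the user will not receive its grants" should read "their grants", and "Deny rules" should be written as `deny` rules to match the rest of the section; since the commit subject calls this a warning, consider the docs' warning callout (if the site has one) instead of a plain subsection so it is not missed.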
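Review bot: The new bullet in the `@@ -12,6 +12,7 @@` hunk of roles.mdx states the rule without the reason or a pointer to it; since the reason is explained in the new "Access Lists and Deny Rules" section of access-lists.mdx, link there from the bullet, e.g. `- Deny rules should be avoided on roles granted through [Access Lists](access-lists.mdx).` (adjust the relative path to match the docs layout). The two pages also use different strength of wording ("should be avoided" here, "is discouraged" in access-lists.mdx); pick one so readers do not wonder whether these are two different recommendations.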
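Review bot: The `-`/`+` pair in the `@@ -570,7 +571,7 @@` hunk of roles.mdx is textually identical ("syntax to specify a trait."), so this appears to be a whitespace-only change (a trailing space) unrelated to the commit's subject. Either drop it from this patch or mention it in the commit message so reviewers do not have to diff the two lines by eye to confirm nothing in the Azure AD / ADFS bracket-notation guidance changed.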