Akeyless RBAC follows the principle of least privilege: users and machines receive only the minimum permissions they need to do their work.
Clients are associated with roles through their authentication methods. A role can have any number of authentication methods associated with it, and an authentication method can be associated with any number of roles, which keeps operations flexible. Within each role, the user defines any number of rules, each granting or denying permissions on a path.
Create an authentication method and a role (the association between them is made in a later step):
akeyless create-auth-method --name client1
akeyless create-role --name role1
Allow every authentication method associated with the role to access all items under /path/to/folder/ with read, create, and update permissions:
akeyless set-role-rule --role-name role1 --path /path/to/folder/* --capability read --capability create --capability update
Deny every authentication method associated with the role access to the single item /path/to/folder/topSecret:
akeyless set-role-rule --role-name role1 --path /path/to/folder/topSecret --capability deny
Associate client1 with role1, so that client1 can access every item under /path/to/folder/ except /path/to/folder/topSecret:
akeyless assoc-role-am --role-name role1 --am-name client1
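The steps above are easier to reason about when the resulting rule set can be queried. The following is an added illustration, not Akeyless code or Akeyless's actual authorization algorithm: it models role1/client1 from the CLI steps on this page and evaluates access requests against them. Its precedence assumptions (default deny; the rule with the most specific path decides; among equally specific rules an explicit deny wins) are assumptions made for the illustration and should be checked against the Akeyless documentation for your version before you rely on them.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

DENY = "deny"


@dataclass(frozen=True)
class Rule:
    path: str                 # item path or glob, e.g. "/path/to/folder/*"
    capabilities: frozenset   # e.g. {"read", "create", "update"} or {"deny"}


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)
    auth_methods: set = field(default_factory=set)

    def set_role_rule(self, path, *capabilities):
        """Model of `akeyless set-role-rule --role-name ... --path ... --capability ...`."""
        self.rules.append(Rule(path, frozenset(capabilities)))

    def assoc_auth_method(self, am_name):
        """Model of `akeyless assoc-role-am --role-name ... --am-name ...`."""
        self.auth_methods.add(am_name)


def _specificity(pattern):
    # Assumption: the rule with the longest literal (non-wildcard) prefix is the
    # most specific, so "/path/to/folder/topSecret" beats "/path/to/folder/*".
    return len(pattern.split("*", 1)[0])


def is_allowed(roles, am_name, item_path, capability):
    """Default deny: only an explicit, most specific allow rule grants access."""
    matches = [
        rule
        for role in roles if am_name in role.auth_methods
        for rule in role.rules
        if item_path == rule.path or fnmatchcase(item_path, rule.path)
    ]
    if not matches:
        return False
    top = max(_specificity(r.path) for r in matches)
    decisive = [r for r in matches if _specificity(r.path) == top]
    # Assumption: among equally specific rules, an explicit deny wins.
    if any(DENY in r.capabilities for r in decisive):
        return False
    return any(capability in r.capabilities for r in decisive)


def build_page_example():
    """Recreate role1 and client1 from the CLI steps on this page."""
    role1 = Role("role1")
    role1.set_role_rule("/path/to/folder/*", "read", "create", "update")
    role1.set_role_rule("/path/to/folder/topSecret", DENY)
    role1.assoc_auth_method("client1")
    return [role1]


if __name__ == "__main__":
    roles = build_page_example()
    # Constructed sample requests; item names are hypothetical.
    for path, cap in [("/path/to/folder/db-password", "read"),
                      ("/path/to/folder/db-password", "delete"),
                      ("/path/to/folder/topSecret", "read"),
                      ("/other/folder/item", "read")]:
        print(f"client1 {cap:6} {path}: {is_allowed(roles, 'client1', path, cap)}")
```

The model shows what the page's rule set does and does not grant: client1 reads items under the folder, cannot delete them (the capability was never granted), cannot touch topSecret despite the wildcard allow, and has no access at all outside the folder, because nothing grants it. An auth method that is not associated with the role gets nothing.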
Example: an access role for a "Jenkins environment", associated with an API-key authentication method ("Client1"), with different permissions set on different paths.
Sub-claims are an additional layer of permissions that apply only to SAML, LDAP, OpenID, and Okta authentication methods; the available sub-claims vary between auth methods.