Access Roles & RBAC

Role-Based Access Control

Akeyless RBAC follows the least-privilege principle: every machine or human user is limited to the minimum set of permissions it needs to do its work, and nothing more.

Clients authenticate through an Authentication Method, and each Authentication Method is associated with one or more Access Roles. Permissions are attached to the role, not to the client, which keeps the model flexible: you can define any number of roles, each with its own set of rules, and re-use them across authentication methods.

CLI

Create an authentication method and a role (the association between them is made in the last step below):

akeyless create-auth-method --name client1
akeyless create-role --name role1

Allow every authentication method associated with the role to access all items under /path/to/folder/ with the read, create and update capabilities:

akeyless set-role-rule --role-name role1 --path "/path/to/folder/*" --capability read --capability create --capability update

Deny every authentication method associated with the role access to the single item /path/to/folder/topSecret. The explicit deny on the specific path takes precedence over the wildcard allow above:

akeyless set-role-rule --role-name role1 --path /path/to/folder/topSecret --capability deny

Associate client1 with role1. client1 can now access every item under /path/to/folder/ except /path/to/folder/topSecret:

akeyless assoc-role-am --role-name role1 --am-name client1

UI

Configure the "Jenkins environment" access role with an API-key auth method ("Client1"), setting different permissions for each path.

Please note

Sub claims are an additional layer of restriction on top of the role's rules, and are relevant only to the SAML, LDAP, OpenID, Okta, JWT and K8s auth methods (the set of claims you can restrict on varies between auth methods).
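The following is an added example, not part of this page or of the Akeyless code base, that models how the CLI procedure above and the sub-claims note combine: a role carries path rules, an authentication method is associated with the role (optionally gated by required sub-claims), and a request is checked for a capability on an item path. Everything beyond what the page states is an assumption made for the model and marked as such in the code: a rule path is treated as a glob whose `*` also matches nested folders, an explicit deny on any matching rule wins over every allow, unmatched paths are denied by default, and an association may require sub-claims that the caller's identity claims must all match. The `ci-jwt` auth method and the `groups=devops` claim are hypothetical names used only to illustrate sub-claim gating.

```python
"""Model of role/rule evaluation for the RBAC example on this page.

Constructed example; this is NOT Akeyless's own policy engine.
Assumptions (not stated on the page):
  * a rule's path is a glob in which '*' also matches nested folders;
  * an explicit deny on any matching rule wins over every allow;
  * anything that no rule matches is denied (default deny);
  * an association may carry required sub-claims, and the caller's
    identity claims must match all of them before the role is granted.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    path: str                                  # e.g. "/path/to/folder/*"
    capabilities: frozenset = frozenset()      # capabilities granted by this rule
    deny: bool = False                         # True models "--capability deny"


@dataclass
class Role:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Association:
    """Auth method <-> role link, optionally gated by required sub-claims."""
    role: Role
    sub_claims: Dict[str, str] = field(default_factory=dict)


@dataclass
class AuthMethod:
    name: str
    associations: List[Association] = field(default_factory=list)


def claims_satisfy(identity_claims: Dict[str, str], required: Dict[str, str]) -> bool:
    """Every required sub-claim must be present with exactly the required value."""
    return all(identity_claims.get(k) == v for k, v in required.items())


def effective_roles(am: AuthMethod, identity_claims: Dict[str, str]) -> List[Role]:
    """Roles the caller actually holds after sub-claim gating."""
    return [a.role for a in am.associations if claims_satisfy(identity_claims, a.sub_claims)]


def effective_capabilities(am: AuthMethod, identity_claims: Dict[str, str], item_path: str) -> Set[str]:
    """Union of capabilities from all matching allow rules, unless any matching rule denies."""
    granted: Set[str] = set()
    for role in effective_roles(am, identity_claims):
        for rule in role.rules:
            if not fnmatchcase(item_path, rule.path):
                continue
            if rule.deny:
                return set()          # assumption: explicit deny wins, whatever the rule order
            granted |= set(rule.capabilities)
    return granted


def is_allowed(am: AuthMethod, identity_claims: Dict[str, str], item_path: str, capability: str) -> bool:
    """Default deny: only a capability explicitly granted by a matching rule is allowed."""
    return capability in effective_capabilities(am, identity_claims, item_path)


def build_page_scenario():
    """role1 and client1 as configured by the CLI commands on this page, plus a
    hypothetical JWT auth method that only gets role1 when the token says groups=devops."""
    role1 = Role("role1", rules=[
        Rule("/path/to/folder/*", frozenset({"read", "create", "update"})),
        Rule("/path/to/folder/topSecret", deny=True),
    ])
    client1 = AuthMethod("client1", associations=[Association(role1)])
    ci_jwt = AuthMethod("ci-jwt", associations=[Association(role1, {"groups": "devops"})])
    return client1, ci_jwt


if __name__ == "__main__":
    client1, ci_jwt = build_page_scenario()
    for path in ("/path/to/folder/db-password", "/path/to/folder/topSecret", "/other/item"):
        print(f"client1 on {path}: {sorted(effective_capabilities(client1, {}, path))}")
    print("ci-jwt with groups=devops:",
          is_allowed(ci_jwt, {"groups": "devops"}, "/path/to/folder/db-password", "read"))
    print("ci-jwt with groups=qa:",
          is_allowed(ci_jwt, {"groups": "qa"}, "/path/to/folder/db-password", "read"))
```

The useful check for a practitioner is `effective_capabilities`: run it for each identity and each sensitive path before and after a role change, and compare the sets. A rule that widens access to something like `topSecret` shows up as a new capability in that set, which is much easier to review than reading the rule list by hand.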
