Akeyless RBAC follows the principle of least privilege: access rights for users and machines are limited to the bare minimum permissions they need to perform their work.
Akeyless supports several types of auth methods: API key, Okta, SAML, LDAP, Azure AD, OpenID and Universal Identity.
Specific clients of a given auth method are associated with a role. A role can have several auth methods associated with it, and an auth method can belong to several roles, which increases operational flexibility. The user can define any number of rules with permissions for each role.
Associate an authentication method with a role:
akeyless create-auth-method --name client1
akeyless create-role --name role1
Allow all auth methods associated with the role to access all items under '/path/to/folder/' with read, create and update permissions:
akeyless set-role-rule --role-name role1 --path /path/to/folder/* --capability read --capability create --capability update
Deny all auth methods associated with the role access to the item '/path/to/folder/topSecret':
akeyless set-role-rule --role-name role1 --path /path/to/folder/topSecret --capability deny
Associate client1 with role1, so that client1 can access all items under '/path/to/folder/' except '/path/to/folder/topSecret':
akeyless assoc-role-am --role-name role1 --am-name client1
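The steps above produce a role whose effective permissions are the union of its allow rules minus anything a deny rule covers. The following added example (not Akeyless code) models that evaluation offline so a role's rules can be checked before an auth method is associated with it; it assumes a rule path ending in '*' matches every item under that prefix, any other path matches exactly, a matching deny rule wins over any matching allow rule, and the capability names read, create, update, delete and list.

```python
"""Offline evaluator for Akeyless-style role rules (added example, not Akeyless code).

Assumptions (not stated on the page): a rule path ending in '*' matches every
item under that prefix, any other rule path matches exactly, and a matching
'deny' rule overrides every matching allow rule for that item.
"""
import fnmatch
from dataclasses import dataclass, field

# Assumed capability names; 'deny' is a rule capability, not a grantable one.
CAPABILITIES = ("read", "create", "update", "delete", "list")


@dataclass
class RoleRule:
    path: str
    capabilities: set


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)
    auth_methods: list = field(default_factory=list)  # associated auth method names

    def set_rule(self, path, *capabilities):          # mirrors set-role-rule
        self.rules.append(RoleRule(path, set(capabilities)))

    def assoc_auth_method(self, am_name):             # mirrors assoc-role-am
        self.auth_methods.append(am_name)


def matching_rules(role, item_path):
    """Rules whose path pattern covers item_path (fnmatch '*' also crosses '/')."""
    return [r for r in role.rules if fnmatch.fnmatchcase(item_path, r.path)]


def is_allowed(role, am_name, item_path, capability):
    """True only if am_name is associated with the role, some matching rule
    grants the capability, and no matching rule denies the item."""
    if am_name not in role.auth_methods:
        return False
    rules = matching_rules(role, item_path)
    if any("deny" in r.capabilities for r in rules):
        return False
    return any(capability in r.capabilities for r in rules)


def effective_permissions(role, am_name, item_path):
    """Sorted list of capabilities am_name actually holds on item_path."""
    return sorted(c for c in CAPABILITIES if is_allowed(role, am_name, item_path, c))


# Reproduce the page's example role (constructed from the commands above).
role1 = Role("role1")
role1.set_rule("/path/to/folder/*", "read", "create", "update")
role1.set_rule("/path/to/folder/topSecret", "deny")
role1.assoc_auth_method("client1")
```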
Example: configuring an access role for a "Jenkins environment" with an API-key auth method ("Client1"), setting specific permissions per path.
Sub claims are an additional layer of permissions that are relevant only to SAML, LDAP, OpenID and Okta (the specific list of available permissions varies between auth methods).