# Nested Access Lists Nested Access Lists allow inclusion of an Access List as a member or owner of another Access List. This enables hierarchical permission structures where permissions can be inherited from multiple levels of parent Access Lists. This guide will help you: - Understand how nesting and inheritance work in Access Lists - Create a nested Access List - Verify inherited permissions granted through the nested Access List ## How it works Let's break down inheritance in Access Lists. Imagine two Access Lists you might have in an organization: "Engineering Team" and "Production Access". "Engineering Team" represents a group of engineers, while "Production Access" is a higher-level Access List that grants access to production resources. - **Membership Inheritance**: If "Engineering Team" is added as a member of "Production Access", all users who are members of "Engineering Team" inherit member grants (roles and traits) from "Production Access". - **Ownership Inheritance**: If "Engineering Team" is added as an owner of "Production Access", all users who are members of "Engineering Team" inherit owner grants (roles and traits) from "Production Access", and can perform owner actions, such as modifying it or managing its members. Inheritance is recursive – members of "Engineering Team" can themselves be Access Lists with their own members, and so on. However, circular nesting is not allowed, and nesting is limited to a maximum depth of 10 levels. For more information, see the [Access Lists reference](https://goteleport.com/docs/reference/access-controls/access-lists.md). ## Prerequisites - A running Teleport Enterprise (v17.0.1 or higher) cluster. If you want to get started with Teleport, [sign up](https://goteleport.com/signup) for a free trial or [set up a demo environment](https://goteleport.com/docs/get-started/deploy-community.md). - The `tctl` and `tsh` clients. Installing `tctl` and `tsh` clients 1. Determine the version of your Teleport cluster. The `tctl` and `tsh` clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at `/v1/webapi/find` and use a JSON query tool to obtain your cluster version. Replace teleport.example.com:443 with the web address of your Teleport Proxy Service: ``` $ TELEPORT_DOMAIN=teleport.example.com:443 $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" ``` 2. Follow the instructions for your platform to install `tctl` and `tsh` clients: **Mac** Download the signed macOS .pkg installer for Teleport, which includes the `tctl` and `tsh` clients: ``` $ curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg ``` In Finder double-click the `pkg` file to begin installation. --- DANGER Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. --- **Windows - Powershell** ``` $ curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip Unzip the archive and move the `tctl` and `tsh` clients to your %PATH% NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP. Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\) instead. ``` **Linux** All of the Teleport binaries in Linux installations include the `tctl` and `tsh` clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our [installation page](https://goteleport.com/docs/installation.md). ``` $ curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz $ cd teleport $ sudo ./install Teleport binaries have been copied to /usr/local/bin ``` * To check that you can connect to your Teleport cluster, sign in with `tsh login`, then verify that you can run `tctl` commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and email\@example.com to your Teleport username: ``` $ tsh login --proxy=teleport.example.com --user=email@example.com $ tctl status Cluster teleport.example.com Version 18.7.3 CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678 ``` If you can connect to the cluster and run the `tctl status` command, you can use your current credentials to run subsequent `tctl` commands from your workstation. If you host your own Teleport cluster, you can also run `tctl` commands on the computer that hosts the Teleport Auth Service for full permissions. * A user with the default `editor` role or equivalent permissions (ability to read, create, and manage Access Lists). * Familiarity with basic Access List concepts (see the [Getting Started with Access Lists guide](https://goteleport.com/docs/identity-governance/access-lists/guide.md)). * At least one user with only the `requester` role to add to the Access List. * At least one application or resource to grant access to. Let's walk through creating a nested Access List and establishing inheritance. In this example, we'll create a child Access List, "Engineering Team", which inherits permissions from a parent, "Production Access". ## Step 1/3. Create child Access List In the Teleport Web UI, go to the "Identity" tab and select "Access Lists" from the sidebar. Click on "Create New Access List", and fill in the details: - **Title**: Engineering Team - **Deadline for First Review**: Select a future date. - **Member Grants**: Leave this empty, as the list will inherit the parent's member grants. - **Owners**: Add yourself or any appropriate users as owners. - **Members**: Add users who should be part of this Access List, such as `test-user`. Click "Create Access List" to save the Access List. ## Step 2/3. Create parent Access List From the "Access Lists" page, click on "Create New Access List" and fill in the details for our parent list: - **Title**: Production Access - **Deadline for First Review**: Select a future date. - **Member Grants**: Add the `access` role. - **Owners**: Add yourself or any appropriate users as owners. - **Members**: Select our child Access List, 'Engineering Team', from the dropdown. Click "Create Access List" to save the Access List. ## Step 3/3. Verifying inherited permissions To confirm that members of "Engineering Team" have inherited member grants from "Production Access", log in as a user who is a member of the child Access List (e.g., `test-user`). Verify that the user now has access to resources granted by both "Engineering Team" and "Production Access". For example, if a Teleport Application Service instance with the debugging application enabled is set up, and the `access` role is granted through "Production Access", the "dumper" app should be visible to the user. ## Next Steps - Review the [Access Lists reference](https://goteleport.com/docs/reference/access-controls/access-lists.md) for more detailed information on Access Lists' nesting and inheritance. - Learn how nested Access Lists work with Okta/SCIM synchronization in [Synchronization with Okta and SCIM](https://goteleport.com/docs/identity-governance/integrations/okta/app-and-group-sync.md).