# Teleport Community Edition Role Access Requests

Just-in-time Access Requests are a feature of Teleport Enterprise.

Teleport Community Edition users can get a preview of how Access Requests work by requesting a role using the Teleport CLI. Full Access Request functionality, including Resource Access Requests and an intuitive and searchable UI are available in Teleport Enterprise.

## RBAC security setup

Teleport's role-based access control (RBAC) allows you to configure what roles users can request access to. In this example, we will define two roles:

- `contractor`: users with this role can request elevated access to the `dba` role
- `dba`: this role grants access to databases

There is no role for request approvers, because request approval rules can only be configured for Teleport Enterprise. In Teleport Community Edition, approvals must be performed by running `tctl` on the Teleport Auth Service.

**Contractor role**

Users with this role can request access to the `dba` role.

```
kind: role
version: v5
metadata:
  name: contractor
spec:
  allow:
    request:
      roles: ['dba']

```

Define this role in the file `contractor-role.yaml` and create it with `tctl`:

```
$ tctl create contractor-role.yaml
```

---

TIP

You can also create and edit roles using the Web UI. Go to **Access -> Roles** and click **Create New Role** or pick an existing role to edit.

---

Use `tctl` to assign this role to a user (`alice` in this example):

```
$ tctl users update --set-roles \
    $(tctl get users/alice --format=json | jq -r '.[].spec.roles | join(",")'),contractor alice
```

**DBA role**

This role grants access to databases.

```
kind: role
version: v5
metadata:
  name: dba
spec:
  allow:
    db_labels:
      '*': '*'
  options:
    # Only allows the contractor to use this role for 1 hour from time of request.
    max_session_ttl: 1h

```

Define this role in the file `dba-role.yaml` and create it with `tctl`:

```
$ tctl create dba-role.yaml
```

## Requesting Access

In Teleport Community Edition, requests are made from the `tsh` CLI. To create an access request, use the `tsh request create` command.

```
$ tsh request create \
    --roles=dba \
    --reviewers=bob \
    --reason="performing DB migration tonight"
```

By default, this command will block until the request is approved. To submit the request without waiting for approval, add the `--nowait` flag.

Alternatively, `tsh` can automatically create an Access Request during the login process. To activate this behavior, specify the `--request-roles` flag:

```
$ tsh login --user=alice --request-roles=dba
Seeking request approval... (id: bc8ca931-fec9-4b15-9a6f-20c13c5641a9)
```

This will wait for the request to be approved, and then issue credentials with the `dba` role automatically when the request is approved.

To log in and submit the request without waiting for approval, add the `--request-nowait` flag. In this scenario, you will receive your regular roles upon login, and can elevate your access after the request is approved.

```
log in with an approved access request
$ tsh login --request-id=bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```

You can list requests using `tsh request ls`.

```
$ tsh request ls
Token                                Requestor Metadata       Created At (UTC)    Status
------------------------------------ --------- -------------- ------------------- -------
bc8ca931-fec9-4b15-9a6f-20c13c5641a9 alice     roles=dba      07 Nov 19 19:38 UTC PENDING
```

## Reviewing requests

In Teleport Community Edition, Access Requests must be reviewed by a cluster administrator with the ability to run `tctl` on the Auth Service.

Administrators can list requests with `tctl requests ls`, and view the details of a particular request with `tctl requests get <id>`.

To approve or deny a request, use `tctl request approve` or `tctl request deny`. For example, to deny a request:

```
$ tctl request deny \
    --reason="today's migration has been canceled" \
    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```

---

WARNING

Granting access to a role with the ability to edit other roles could allow a user to **permanently** upgrade their privileges. When reviewing requests, it's important to carefully consider the role(s) being requested and what permissions will be applied to the user if the request is approved.

---

Reviewers can approve the request while also overriding the set of roles in the request:

```
$ tctl request approve \
    --roles="db-support" \
    --reason="approved access to db-support, dba is not necessary" \
    bc8ca931-fec9-4b15-9a6f-20c13c5641a9
```

## Next Steps

- Learn more about [Access Requests](https://goteleport.com/docs/identity-governance/access-requests.md)
- See what additional features are available for [role requests](https://goteleport.com/docs/identity-governance/access-requests/role-requests.md) in Teleport Enterprise
- Request access to [specific resources](https://goteleport.com/docs/identity-governance/access-requests/resource-requests.md) with Teleport Enterprise