
Ability to require reason for access request

Open programmerq opened this issue 2 years ago • 9 comments

What would you like Teleport to do?

Add the ability to set a policy to make a reason required for an access request to be submitted.

What problem does this solve?

Improves user experience for environments with audit/compliance policies that require a reason. Currently, an explicit denial process is required to ensure this requirement. Adding the ability to mark a reason as required would allow both tsh and the web UI to prompt for a reason without the end user needing to remember that it's required.

This is separate from the forced access request feature that can prompt for a reason. This is meant for a team that only occasionally needs access to privileged resources, and they don't need to do access requests for their day-to-day work.

If a workaround exists, please include it.

programmerq avatar Jan 12 '23 22:01 programmerq

See also #7560 and #11504.

We don't see much value in making the reason required, because the reviewer still has to determine if the reason is valid.

Entering a reason of . is basically equivalent to not specifying a reason, so this requirement can be trivially bypassed.

zmb3 avatar Mar 17 '23 16:03 zmb3

+1 to the request for audit purposes. User plans to follow up manually, review that the reasons were valid, and take corrective action from there.

pschisa avatar Oct 20 '23 18:10 pschisa

+1 for making this option available.

I'm unclear on why teleport would care what the "valid reason" is. Since it's being reviewed by a person for approval, that would be on us to determine if it's a real reason or a ".". Having the ability to require a reason would be one step in ensuring there's an initial valid reason upon the request being submitted vs a blank entry.

rhanooman12 avatar Oct 24 '23 14:10 rhanooman12

Having the ability to require the reason is a good thing - certainly people can just put in a ".", but then you can go train and weed out the bad actors that are not following the procedure.

jkarchut-v4 avatar Jan 22 '24 21:01 jkarchut-v4

+1, as sometimes users just forget to put a reason; putting a "." is different, as the user just doesn't want to follow the procedure.

othmane399 avatar Feb 19 '24 10:02 othmane399

Making the reason mandatory field can force the user to think about it at least ... there are cases where users don't write anything just because they forget.

It may be up to the approver to decide, but the reason field is also useful when you look back all requests and try to understand why they were needed.

ploutarchos avatar Mar 05 '24 10:03 ploutarchos

+1 on allowing us to make it required. We also require a reason for auto approval based on whether you're on call in PagerDuty, so if you forget to enter a reason in the heat of an incident, auto approval doesn't go through.

toni-rib-skydio avatar May 28 '24 18:05 toni-rib-skydio

The ability to set a regex for validation of the reason would also work around the "." issue. Nothing is going to be perfect, but requiring a reason that matches a pattern would be vastly preferable to the status quo.

webvictim avatar Jun 12 '24 14:06 webvictim

Making the reason field mandatory on Access Requests would be useful, I agree with many of the points above.

andrewbks avatar Jun 24 '24 09:06 andrewbks

This is implemented and backported to v17: https://github.com/gravitational/teleport/releases/tag/v17.0.3

changelog: Added support for requiring reason for Access Requests (with a new role.spec.allow.request.reason.mode setting).

Docs:

  • https://goteleport.com/docs/ver/17.x/reference/resources/#role (spec.allow.request.reason in role ref)
  • https://goteleport.com/docs/ver/17.x/admin-guides/access-controls/access-requests/access-request-configuration/#requiring-request-reasons

kopiczko avatar Dec 04 '24 20:12 kopiczko
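As an added illustration of the setting named in the last comment (not taken from the issue or from the Teleport project's docs), here is a requester role in the default form beside one that enforces a reason via `spec.allow.request.reason.mode`. The role name, the requested role `access`, the role `version: v7`, and the mode value `required` (vs. the default `optional`) are assumptions; check them against the linked role reference for your Teleport version.

```yaml
# Constructed example: default behaviour. A request with no --reason is accepted,
# so compliance depends on the reviewer denying empty requests after the fact.
kind: role
version: v7
metadata:
  name: requester-default
spec:
  allow:
    request:
      roles:
        - access
      # reason.mode is assumed to default to "optional" when omitted
---
# Constructed example: hardened form. With mode "required", tsh and the web UI
# prompt for a reason and an empty reason is rejected at submission time, which
# is the audit/compliance behaviour the thread asks for. It does not validate
# the content of the reason (a "." still passes); that review stays with the
# approver or with an out-of-band audit of the request log.
kind: role
version: v7
metadata:
  name: requester-reason-required
spec:
  allow:
    request:
      roles:
        - access
      reason:
        mode: required   # assumed values: optional | required
```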