Adding Zero Trust Authorizations
Note that the source accounts cannot have any non-Zero Trust private keys, and the target user accounts must have been added to the target host using the Zero Trust deployment script.
Zero Trust authorizations use roles to determine access sources and destinations. Source account users that belong to a role will be able to use SSH to connect to target accounts belonging to that role. Authorization thus requires that you add source and/or destination accounts to an existing or new role.
Once the authorization jobs have finished, all SSH connections from a source user will be passed through PrivX. PrivX will also record the connections for auditing purposes. For more information about auditing hosts, see the PrivX documentation at https://privx.docs.ssh.com/docs/viewing-audit-data
Zero Trust authorized users should not be added as sources or destinations of traditional authorizations, since those accounts are reserved for Zero Trust use.
Adding source and destination to a role
- In Key Manager GUI, navigate to the User Keys→Authorizations→Add Zero Trust Authorizations page. Specify the sources and targets by selecting hosts and users for them.
  Alternatively, you can add users from the User Keys→Users page to the source or destination lists by selecting the Add ZT Authorization From or Add ZT Authorization To action for the selected users. Confirm the action(s), and then navigate to Home→Add Zero Trust Authorizations.
- Specify a PrivX role for the connections, either by typing and selecting from the list, or by typing an entirely new one.
  Note that when you select an existing PrivX role, the Role Members and Accessible Hosts buttons below the role become available. Clicking these items takes you to the PrivX GUI to view information related to the role. Role Members shows a list of the current users belonging to the role who can access the targets. Accessible Hosts shows a list of hosts currently accessible as targets for the role. To view the accounts currently available as targets on a target host, select the host's View action.
- Click Authorize.
Adding a source to a role
- In Key Manager GUI, navigate to the User Keys→Authorizations→Add Zero Trust Authorizations page. Specify the sources by selecting hosts and users for them.
  Alternatively, you can add users from the User Keys→Users page to the source list by selecting the Add ZT Authorization From action for the selected users. Confirm the action, and then navigate to Home→Add Zero Trust Authorizations to continue with the next steps.
- Specify a PrivX role for the connections, either by typing and selecting from the list, or by typing an entirely new one.
  Note that when you select an existing PrivX role, the Role Members and Accessible Hosts buttons below the role become available. Clicking these items takes you to the PrivX GUI to view information related to the role. Role Members shows a list of the current users belonging to the role who can access the targets. Accessible Hosts shows a list of hosts currently accessible as targets for the role. To view the accounts currently available as targets on a target host, select the host's View action.
- Click Authorize.
Adding a destination to a role
- In Key Manager GUI, navigate to the User Keys→Authorizations→Add Zero Trust Authorizations page. Specify the targets by selecting hosts and users for them.
  Alternatively, you can add users from the User Keys→Users page to the destination list by selecting the Add ZT Authorization To action for the selected users. Confirm the action, and then navigate to Home→Add Zero Trust Authorizations to continue with the next steps.
- Specify a PrivX role for the connections, either by typing and selecting from the list, or by typing an entirely new one.
  Note that when you select an existing PrivX role, the Role Members and Accessible Hosts buttons below the role become available. Clicking these items takes you to the PrivX GUI to view information related to the role. Role Members shows a list of the current users belonging to the role who can access the targets. Accessible Hosts shows a list of hosts currently accessible as targets for the role. To view the accounts currently available as targets on a target host, select the host's View action.
- Click Authorize.