The Access Graph

Navigating the Border0 Access Graph

The Access Graph is a directed acyclic graph in which edges represent the "flow of access". Nodes can be:

  • Users
  • Groups
  • Service Accounts
  • Policies
  • Sockets

In an Access Graph, flow goes from Users and/or Service Accounts to Sockets, providing valuable information along the way regarding group membership and policy references.

An access graph depicting how users Adriano, Greg, and Pedro have access to socket "fancy-dew"

Access Graph for Socket "fancy-dew"

For example the access graph above is for socket "fancy-dew". From the access graph we learn that:

  • Users "Adriano" and "Greg" are members of group "site-reliability-engineering"
  • Users "Adriano" and "Greg" are referenced in policy "default"
  • User "Pedro" is referenced in policy "fdghmn"
  • Service Account "terraform-example" is referenced in policies "default" and "fdghmn"
  • Group "site-reliability-engineering" is referenced in policy "fdghmn"
  • The policies "default" and "fdghmn" are attached to socket "fancy-dew"

Overall we learn that the users "Adriano", "Greg", "Pedro", and Service Account "terraform-example" all have access to the "fancy-dew" socket.


Depending on the type of access graph (i.e. whether its for a User, Group, Service Account, Policy, or Socket) certain information will omitted for the graph in order to maintain the emphasis on the current node.

  • User Access Graphs do not show other users or service accounts
  • Service Account Access Graphs do not show other users or service accounts
  • Group Access Graphs do not show other groups nor policies that do not directly reference the group
  • Policy Access Graphs do not show groups that are not directly referenced in the policy
  • Socket Access Graphs do not show other sockets