The Access Graph
Navigating the Border0 Access Graph
The Access Graph is a directed acyclic graph in which edges represent the "flow of access". Nodes can be:
- Users
- Groups
- Service Accounts
- Policies
- Sockets
In an Access Graph, flow goes from Users and/or Service Accounts to Sockets, providing valuable information along the way regarding group membership and policy references.
For example, the access graph above is for the socket "fancy-dew". From the access graph we learn that:
- Users "Adriano" and "Greg" are members of group "site-reliability-engineering"
- Users "Adriano" and "Greg" are referenced in policy "default"
- User "Pedro" is referenced in policy "fdghmn"
- Service Account "terraform-example" is referenced in policies "default" and "fdghmn"
- Group "site-reliability-engineering" is referenced in policy "fdghmn"
- The policies "default" and "fdghmn" are attached to socket "fancy-dew"
Overall we learn that the users "Adriano", "Greg", "Pedro", and Service Account "terraform-example" all have access to the "fancy-dew" socket.
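The same reading of the graph can be done programmatically. The sketch below is an added example, not Border0 code or its API: it rebuilds the "fancy-dew" graph from the list above and enumerates every path that grants a user or service account access to the socket. The "kind:name" node labels and the function names are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed from the "fancy-dew" example on this page. Edges follow the flow
# of access: member -> group, user/service account/group -> policy, policy -> socket.
# The "kind:name" node labels are this example's own convention (an assumption).
SRE = "group:site-reliability-engineering"
EDGES = [
    ("user:Adriano", SRE),
    ("user:Greg", SRE),
    ("user:Adriano", "policy:default"),
    ("user:Greg", "policy:default"),
    ("user:Pedro", "policy:fdghmn"),
    ("sa:terraform-example", "policy:default"),
    ("sa:terraform-example", "policy:fdghmn"),
    (SRE, "policy:fdghmn"),
    ("policy:default", "socket:fancy-dew"),
    ("policy:fdghmn", "socket:fancy-dew"),
]


def access_paths(graph, node, target):
    """Return every path from node to target (plain DFS; the graph is acyclic)."""
    if node == target:
        return [[node]]
    return [[node] + tail
            for nxt in graph.get(node, [])
            for tail in access_paths(graph, nxt, target)]


def who_can_reach(edges, socket):
    """Map each user or service account to all paths granting it the socket."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    principals = sorted(n for n in graph if n.startswith(("user:", "sa:")))
    found = {p: access_paths(graph, p, socket) for p in principals}
    return {p: paths for p, paths in found.items() if paths}


if __name__ == "__main__":
    for principal, paths in who_can_reach(EDGES, "socket:fancy-dew").items():
        for path in paths:
            print(" -> ".join(path))
    # Dropping Adriano's direct policy reference does not revoke his access:
    # the path through the group and policy "fdghmn" remains.
    trimmed = [e for e in EDGES if e != ("user:Adriano", "policy:default")]
    print(who_can_reach(trimmed, "socket:fancy-dew")["user:Adriano"])
```

Listing every path, rather than only answering yes or no, is what makes an access review reliable: a principal with two paths keeps access until both are removed.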
Perspectives
Depending on the type of access graph (i.e. whether it's for a User, Group, Service Account, Policy, or Socket), certain information will be omitted from the graph in order to maintain the emphasis on the current node.
- User Access Graphs do not show other users or service accounts
- Service Account Access Graphs do not show other users or service accounts
- Group Access Graphs do not show other groups, or policies that do not directly reference the group
- Policy Access Graphs do not show groups that are not directly referenced in the policy
- Socket Access Graphs do not show other sockets