The Access Graph

The Access Graph is a directed acyclic graph in which edges represent the "flow of access". Nodes can be:

• Users
• Groups
• Service Accounts
• Policies
• Sockets

In an Access Graph, flow goes from Users and/or Service Accounts to Sockets, providing valuable information along the way regarding group membership and policy references.

For example the access graph above is for socket "fancy-dew". From the access graph we learn that:

• Users "Adriano" and "Greg" are members of group "site-reliability-engineering"
• Users "Adriano" and "Greg" are referenced in policy "default"
• User "Pedro" is referenced in policy "fdghmn"
• Service Account "terraform-example" is referenced in policies "default" and "fdghmn"
• Group "site-reliability-engineering" is referenced in policy "fdghmn"
• The policies "default" and "fdghmn" are attached to socket "fancy-dew"

Overall we learn that the users "Adriano", "Greg", "Pedro", and Service Account "terraform-example" all have access to the "fancy-dew" socket.

Perspectives

Depending on the type of access graph (i.e. whether its for a User, Group, Service Account, Policy, or Socket) certain information will omitted for the graph in order to maintain the emphasis on the current node.

• User Access Graphs do not show other users or service accounts
• Service Account Access Graphs do not show other users or service accounts
• Group Access Graphs do not show other groups nor policies that do not directly reference the group
• Policy Access Graphs do not show groups that are not directly referenced in the policy
• Socket Access Graphs do not show other sockets