- SSO and User Sync configured and functioning
- Hosts Registered with Tags
The following features are supported:
Step By Step Instructions
Host Tags (key-value pairs) are the pillar of our access control model. Rather than mapping people or groups directly to hosts, you'll map tag combinations to your hosts and to your user groups. First you'll put your hosts into logical groups using tags, e.g. staging. Then, you'll grant user groups access to all hosts with a specific tag combination. Finally, you'll choose which user group tag combinations will allow sudo privileges on any matching hosts.
Let's look at an example:
- developers group will have access to myserver #1 only.
- data group will have access to myserver #2 and
- ops group will have sudo access to myserver #2 and
Of course, hosts and groups can have as many tag combinations as you like. Take a minute to think about how you'd like to use Host Tags in your environment.
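To review what a set of grants actually allows before entering them, the model described above can be evaluated locally. This is an added example, not Smallstep's code: it assumes a grant matches a host when every key-value pair in the grant is present on the host, and that sudo from any matching grant applies. The host names, tags and grants (including a third host) are constructed.

```python
# Added illustration: a local model of tag-based grants, not Smallstep code.
# Assumption: a grant matches a host when every key-value pair in the grant
# is also present on the host. All hosts, tags and grants are constructed.
HOSTS = {
    "myserver-1": {"role": "web", "env": "staging"},
    "myserver-2": {"role": "db", "env": "staging"},
    "myserver-3": {"role": "db", "env": "prod"},
}

# group -> list of (tag combination, allow_sudo)
GRANTS = {
    "developers": [({"role": "web", "env": "staging"}, False)],
    "data": [({"role": "db"}, False)],
    "ops": [({"role": "db"}, True), ({"env": "staging"}, False)],
}


def grant_matches(grant_tags, host_tags):
    """True when the host carries every key-value pair in the grant."""
    return all(host_tags.get(k) == v for k, v in grant_tags.items())


def effective_access(hosts, grants):
    """Return {group: {host: 'sudo' | 'login'}} for every matching host."""
    result = {}
    for group, group_grants in grants.items():
        access = {}
        for tags, allow_sudo in group_grants:
            if not tags:  # an empty combination would match every host
                raise ValueError(f"empty tag combination in grant for {group}")
            for host, host_tags in hosts.items():
                if not grant_matches(tags, host_tags):
                    continue
                # Assumption: sudo from any matching grant wins over login.
                if allow_sudo or access.get(host) != "sudo":
                    access[host] = "sudo" if allow_sudo else "login"
        result[group] = access
    return result


def sudo_report(hosts, grants):
    """List (group, host) pairs with sudo, the set worth reviewing first."""
    eff = effective_access(hosts, grants)
    return sorted((g, h) for g, a in eff.items() for h, lvl in a.items() if lvl == "sudo")


if __name__ == "__main__":
    for group, access in effective_access(HOSTS, GRANTS).items():
        print(group, access)
    print("sudo:", sudo_report(HOSTS, GRANTS))
```

A broad combination such as a single `env` tag matches every host carrying it, so the sudo report is the first thing to compare against what each group is meant to reach.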
Step 1: Determine Host Tag Combination
Sign in at
- Choose "Hosts"
- Find and select a Host that includes the Host Tags you wish to use for access grants.
- Make a note of the tag combination; you will need it in Step 2.
Step 2: Grant User Group Access to Host(s)
You should see two Directories. The "Smallstep" directory contains Administrators who can manage the application. The other directory contains users and groups synchronized from your identity provider.
- Select the User Group that you want to configure for access control. You will see the user group detail page with a list of existing Host Grants and a form to add additional grants.
- Enter the tag values from Step 1
- If Sudo access is permitted for this user group, select the "Allow Sudo" checkbox
- Click the checkbox to enable access control