Smallstep SSH

Configuring Access Control

Prerequisites

You will need:

  • An account on the smallstep platform (register for one if you do not have it yet)
  • SSO and User Sync configured and functioning
  • Hosts Registered with Tags

Features

The following features are supported:

  • Access control by Host Tag combination, granted to user Groups synchronized from your identity provider (IdP)

Step By Step Instructions

Step 0: Understanding Host Tags

Host Tags are used to create logical groups of hosts to simplify access control. Rather than granting groups of users access host-by-host, you grant access to a tag combination. Every host carrying that tag combination is automatically covered by the host grant, including hosts registered with those tags later.

Let's look at an example:

  • A host tag combination of db:dev grants access to myserver #1.
  • A host tag combination of db:prod grants access to myserver #2 and myserver #3.

Step 1: Determine Host Tag Combination

Sign in at https://smallstep.com/app/[TEAM NAME]

  • Click on “Hosts”
  • Find and select a Host that includes the Host Tags you wish to use for access grants.
    • In this example, that combination is database:production.
  • Make a note of the tag combination; you will need it in Step 2.

Step 2: Grant User Group Access to Host(s)

You should see two Directories. The “Smallstep” directory contains Administrators who can manage the application. The other directory contains the users and groups synchronized from your identity provider.

  • Select your identity provider directory
  • Click the “GROUPS” tab.

  • Select the User Group that you want to configure for access control. You will see the user group detail page with a list of existing Host Grants and a form to add additional grants.
    • Enter the tag combination noted in Step 1
    • If Sudo access is permitted for this user group, select the “Allow Sudo” checkbox
    • Click the checkmark to enable access control

  • All users in the group now have access to all hosts with the specified tag combination.
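To make the grant model concrete, here is an added example that simulates how a tag-combination grant resolves to hosts and to per-user access. It is illustrative code written for this page, not Smallstep's implementation; the host inventory, group memberships and the names `Host`, `HostGrant`, `hosts_for_grant`, `access_for_user` and `ungranted_hosts` are constructed for the example. It assumes that a host matches a combination only when it carries every key:value pair in that combination, and that a user who reaches the same host through several groups gets sudo if any of those grants allows it.

```python
"""Toy model of tag-based host grants (added example, not Smallstep code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Host:
    name: str
    tags: Dict[str, str]  # host tags as key -> value, as set at registration


@dataclass(frozen=True)
class HostGrant:
    group: str            # IdP-synchronized user group
    tags: Dict[str, str]  # tag combination the grant applies to
    allow_sudo: bool = False


# Constructed inventory mirroring the page's example (myserver #1..#3)
# plus one host carrying an extra tag and one host nobody has been granted.
HOSTS: List[Host] = [
    Host("myserver-1", {"db": "dev"}),
    Host("myserver-2", {"db": "prod"}),
    Host("myserver-3", {"db": "prod", "region": "eu"}),
    Host("web-1", {"web": "prod"}),
]

# Constructed grants, one per group, as configured in Step 2.
GRANTS: List[HostGrant] = [
    HostGrant("dba", {"db": "prod"}, allow_sudo=True),
    HostGrant("developers", {"db": "dev"}),
    HostGrant("sre", {"db": "prod", "region": "eu"}),
]

# Constructed group membership as it would arrive from User Sync.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "dba": {"alice"},
    "developers": {"bob", "carol"},
    "sre": {"alice", "dave"},
}


def host_matches(host: Host, combination: Dict[str, str]) -> bool:
    """Assumption: every key:value in the combination must be present on the host.
    A host with additional tags still matches (myserver-3 matches db:prod)."""
    return all(host.tags.get(key) == value for key, value in combination.items())


def hosts_for_grant(grant: HostGrant, hosts: List[Host] = HOSTS) -> List[str]:
    """Expand one grant to the sorted list of host names it currently covers."""
    return sorted(h.name for h in hosts if host_matches(h, grant.tags))


def access_for_user(user: str,
                    grants: List[HostGrant] = GRANTS,
                    members: Dict[str, Set[str]] = GROUP_MEMBERS,
                    hosts: List[Host] = HOSTS) -> Dict[str, bool]:
    """Return {host_name: sudo_allowed} for every host the user reaches via any group.
    Sudo is OR-ed across overlapping grants (an assumption of this model)."""
    access: Dict[str, bool] = {}
    for grant in grants:
        if user not in members.get(grant.group, set()):
            continue
        for name in hosts_for_grant(grant, hosts):
            access[name] = access.get(name, False) or grant.allow_sudo
    return access


def ungranted_hosts(grants: List[HostGrant] = GRANTS, hosts: List[Host] = HOSTS) -> List[str]:
    """Audit helper: hosts whose tag combination is covered by no grant at all."""
    covered = {name for g in grants for name in hosts_for_grant(g, hosts)}
    return sorted(h.name for h in hosts if h.name not in covered)


if __name__ == "__main__":
    for grant in GRANTS:
        print(f"{grant.group:10} {grant.tags} -> {hosts_for_grant(grant)}")
    for user in ("alice", "bob", "dave", "nobody"):
        print(f"{user:8} -> {access_for_user(user)}")
    print("hosts with no grant:", ungranted_hosts())
```

The `ungranted_hosts` check is the part worth keeping around after the one-time configuration: because grants are expanded by tag rather than by host, a newly registered host with the right tags silently inherits access, and a host registered with a typo in its tags silently gets none.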