Attribute-Based Access Control with Sub-Claims


Deeper Dive

For more in-depth information, check out our detailed documentation on the following topics:

Role-Based Access Control



Need any help?

If something in this tutorial isn't working as expected, feel free to contact our support team via Slack.

What are Sub-Claims?

Sub-claims provide a mechanism for organizations to implement fine-grained, attribute-based access control.

As noted in the Role-Based Access Control tutorial, sub-claims are policies for authentication methods that can be defined within a role that gives specific groups or users within those groups authorization to use that role. Sub-claims can be something like a group name and email address to limit access to a specific user or some other identifier that gives access to any number of users, or specific user, for the given authentication method. Sub-claims are added when an authentication method is associated with an access role.

What's in this Video?

In this tutorial, we walk you through how an organization might set up Akeyless within the organization. The example here starts with an IT Administrator who is effectively the admin of Akeyless at the company. The admin gives privileged access to the backend development team leader within a defined path. The team leader then gives more specific access to their team members so they only have access to the secrets they need to use.

This is all done with an authentication method that has specific access roles and specific resource permissions in order to ensure each end user has only the access they need.