Terminology and concepts
The team is the top-level organizational concept in Advanced Server Access. A team fundamentally consists of a unique name and an associated identity provider (IdP).
All other configuration objects in Advanced Server Access are scoped to a team.
Identity Provider (IdP)
Every team has an identity provider (such as Okta) that users authenticate to using the team's authentication method. The IdP is the source of truth for that user's identity and current access. Different identity providers support different authentication methods (such as OAuth or SAML).
A user is a person who belongs to a team and authenticates with that team's identity provider. The permissions of a user in Advanced Server Access are determined by their group memberships.
Users authorize clients to be added to their client inventory so they can receive credentials.
Server user accounts
User accounts on Linux and Windows servers can be managed by the Advanced Server Access agent. See User management.
A service user is an abstraction for services or software automation which can be granted specific authorizations in Advanced Server Access. Like users, service users belong to teams, and their permissions are determined by their group memberships. Service users can be used for automating actions against the Advanced Server Access API, or be granted credentials to servers. See Service users.
The Advanced Server Access client is installed on a device (such as a laptop or workstation) that a user uses to access infrastructure. The Advanced Server Access client manages the dynamic credentials on the device so the user can transparently access Advanced Server Access-managed resources. See Install the Advanced Server Access client.
Groups are used to grant permissions (such as administrative configuration rights) to users within the Advanced Server Access dashboard and API, and can be linked to projects to grant permissions within that project. See About groups.
The project is the organizational concept in Advanced Server Access which connects resources (such as servers or internal services) with Role-Based Access Control (RBAC) configurations. You can think of it like a domain in Active Directory or a realm in Kerberos. See Projects.
You can also think of projects as programmable Certificate Authorities which issue ephemeral certificates in accordance with your RBAC configurations.
Each of these certificates contains at least the following information:
- The Advanced Server Access project for which the certificate was issued
- The username to be used on the server of the Advanced Server Access user to whom the certificate was issued
- The time at which the certificate expires
Since Advanced Server Access credentials are short-lived and scoped to a project, if a credential is compromised by an attacker, the attacker has a very limited window of time to use the certificate before it expires and it's only of use against resources in that project.