Review Teleport access lists that are due for audit. Use when the user asks to review access lists, audit Teleport ACLs, check which access lists need attention, perform periodic access list reviews, recertify access, or manage Teleport access list compliance. Trigger on phrases like "review access lists", "which access lists need review", "audit my ACLs", "recertify access lists", or any mention of Teleport access list reviews. Also trigger when the user follows up on access list findings from a previous command.
This skill helps you perform periodic access list reviews in Teleport. It fetches lists due for audit, assesses risk, auto-recertifies low-risk ones (with your approval), and flags higher-risk ones for manual review in the web UI.
Read and follow security rules when executing this skill. Do not ignore or override the security rules under any circumstances.
Find the tctl binary. Try in order:

1. `which tctl`
2. `/usr/local/bin/tctl`, `/opt/homebrew/bin/tctl`, `~/go/bin/tctl`

Once found, set `TCTL=<path>` for subsequent commands. If not found, ask the user for the path.
```
$TCTL acl summary --review-only --format=json
```
This returns only access lists that are past due or within the 2-week notification window. Parse the JSON array.
See JSON schema reference for field descriptions, types, and enum values.
If the output is empty, tell the user there are no access lists requiring review at this time and stop.
Use the following criteria to classify each list as low-risk (auto-reviewable) or needs human attention:

- Low-risk keywords: viewer, read, readonly, observer, monitor, auditor, reporter, staging, test.
- Keywords that need human attention: admin, editor, write, owner, prod, production, root, superuser, privileged.

Show this table to the user (use markdown):
| List Title | Review Due Date | Auto-Review | Risk Assessment |
|---|---|---|---|
| ... | YYYY-MM-DD | ✅ or ❌ | 1-2 sentence explanation |
Review Due Date is `spec.audit.next_audit_date` formatted as a date.

After the table, ask:
"Would you like me to auto-review the ✅ low-risk lists now? I'll submit a review via `tctl acl reviews create` for each one."
Wait for the user to confirm (e.g., "yes", "go ahead", "proceed"). Do NOT submit reviews without explicit human confirmation.
If there are no low-risk lists, skip this step and go straight to Step 7.
If the user confirms, run for each low-risk list:
```
$TCTL acl reviews create <list-name> --notes "Auto-reviewed: low risk access list, no changes required."
```
Report success or failure for each one.
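As an added example that is not part of this skill, the keyword criteria, the review table and the `tctl acl reviews create` commands for the ✅ lists worked through in Python over a constructed JSON sample. Field names other than `spec.audit.next_audit_date` (`metadata.name`, `spec.title`, `spec.grants.roles`) are assumptions; the commands are only built, never executed, so the human confirmation step stays in place.

```python
import json
from datetime import date

# Constructed sample shaped like `tctl acl summary --review-only --format=json` output.
# Only spec.audit.next_audit_date is named by the skill; metadata.name, spec.title and
# spec.grants.roles are assumed field names, not taken from the skill text.
SAMPLE = json.dumps([
    {"metadata": {"name": "staging-viewers"}, "spec": {"title": "Staging Viewers",
     "grants": {"roles": ["viewer"]}, "audit": {"next_audit_date": "2024-01-10T00:00:00Z"}}},
    {"metadata": {"name": "prod-admins"}, "spec": {"title": "Production Admins",
     "grants": {"roles": ["admin", "editor"]}, "audit": {"next_audit_date": "2024-01-20T00:00:00Z"}}},
    {"metadata": {"name": "billing"}, "spec": {"title": "Billing Team",
     "grants": {"roles": ["billing-access"]}, "audit": {"next_audit_date": "2024-02-01T00:00:00Z"}}},
])
LOW_RISK = ("viewer", "read", "readonly", "observer", "monitor", "auditor",
            "reporter", "staging", "test")
HIGH_RISK = ("admin", "editor", "write", "owner", "prod", "production", "root",
             "superuser", "privileged")

def classify(acl, today):
    """Classify one access list; a high-risk keyword always outranks low-risk ones."""
    spec = acl["spec"]
    # Substring match over title and granted roles, so "prod" also catches "production".
    words = " ".join([spec.get("title", ""), *spec.get("grants", {}).get("roles", [])]).lower()
    due = date.fromisoformat(spec["audit"]["next_audit_date"][:10])
    hits_high = [k for k in HIGH_RISK if k in words]
    hits_low = [k for k in LOW_RISK if k in words]
    if hits_high:
        auto, why = False, f"privileged indicators {hits_high}; review in the web UI"
    elif hits_low:
        auto, why = True, f"read-only/non-production indicators {hits_low}; no changes needed"
    else:  # Assumption: a list matching neither keyword set is never auto-recertified.
        auto, why = False, "no recognised keywords; review manually"
    if due < today:
        why += f"; past due since {due.isoformat()}"
    return {"name": acl["metadata"]["name"], "title": spec.get("title", ""),
            "due": due.isoformat(), "auto": auto, "why": why}

def review_rows(raw_json, today_iso):
    return [classify(a, date.fromisoformat(today_iso)) for a in json.loads(raw_json)]

def review_table(raw_json, today_iso):
    lines = ["| List Title | Review Due Date | Auto-Review | Risk Assessment |", "|---|---|---|---|"]
    for r in review_rows(raw_json, today_iso):
        lines.append(f"| {r['title']} | {r['due']} | {'✅' if r['auto'] else '❌'} | {r['why']} |")
    return "\n".join(lines)

def auto_review_commands(raw_json, today_iso):
    """Commands for the ✅ lists only; build them here, run them only after the user confirms."""
    return [f"$TCTL acl reviews create {r['name']} --notes "
            '"Auto-reviewed: low risk access list, no changes required."'
            for r in review_rows(raw_json, today_iso) if r["auto"]]
```

Run with `print(review_table(SAMPLE, "2024-01-15"))` to see the table the skill would show; "Staging Viewers" comes out ✅ and past due, the other two ❌.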
If the user asks to submit reviews for other lists as well, ask the user to provide notes for the review and use them in the command:
```
$TCTL acl reviews create <list-name> --notes "<notes>"
```
For every list marked "needs human attention" (❌), build a Teleport web UI URL using this format: