Version: 1.19.0 (latest)

Grant access with kziti

For the underlying model see kziti architecture.

Find the identity

If you know the identity name (a Kasm user email, a workspace name, or an external user identifier), you can use that directly. To browse:

kziti identity list

To search by substring or attribute:

kziti identity search 'name contains "alice"'

Kasm-managed identities have predictable names like kasm-user-<username>-<user-id-prefix>-<provider-id-prefix> and kasm-workspace-<workspace>-<image-id-prefix>-<provider-id-prefix>.

Three scopes of access

kziti access grant accepts three kinds of resource ID, in order of decreasing breadth:

  • A network ID (e.g. net-corp-a) — the identity gains access to every service in the network.
  • A service set ID (e.g. svcset-devops) — access to every service in the named set.
  • A service ID (e.g. svc-corp-a-gitlab) — access to a single service only.

Pick the narrowest scope that satisfies the requirement. Service-set grants are the common middle ground for groups of users who need access to a coherent set of services.

Grant access

To an entire network

kziti access grant alice@example.com net-corp-a

To a service set

kziti access grant alice@example.com svcset-devops

To a single service

kziti access grant alice@example.com svc-corp-a-gitlab

Each of these commands adds the resource ID as a role attribute on the identity. The grant takes effect immediately for new sessions; existing tunnels may need to reconnect before they see it.

List grants for an identity

kziti access list alice@example.com

The output shows each access role attribute the identity holds (net-*, svcset-*, or svc-*), with a human-readable description of what it covers.

Who has access to a resource

The inverse of access list — given a resource, show every identity that can reach it:

# All identities with access to the corp-a network
kziti access who net-corp-a

# All identities with access to a service set
kziti access who svcset-devops

# All identities with access to a single service
kziti access who svc-corp-a-gitlab

Accepts the same resource IDs as grant and remove. For each matching identity the output shows the name, type (Kasm user, workspace, or external), and whether it currently has an active session. Use -o json (the global --output-format flag) for machine-readable output.

Revoke access

Use the same scope you used to grant:

kziti access remove alice@example.com svcset-devops

remove strips the role attribute immediately for new dial attempts; existing tunnels are not torn down. To terminate live sessions for a compromised identity, revoke the workspace mapping in Kasm to remove the identity entirely.
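The grant and revoke steps above, combined into one added example that is not part of the kziti documentation or the kziti tool itself: a POSIX shell wrapper that refuses network-wide grants unless an operator opts in, confirms a grant with kziti access list, and warns before a removal when kziti access who reports an active session, since existing tunnels are not torn down. The function names, the ALLOW_NETWORK and KZITI variables, and the assumption that access list prints the resource ID on a line of its own and that access who marks an open session with the word "active" are all assumptions made here, not documented kziti behaviour.

```shell
#!/bin/sh
# Added example (not part of the kziti docs): a least-privilege wrapper around
# `kziti access grant` and `kziti access remove`.
# Assumptions (not stated on the page): kziti is on PATH (override with KZITI),
# `kziti access list` prints each role attribute on its own line, and
# `kziti access who` prints one line per identity containing the identity name
# and the word "active" when a session is open.

KZITI="${KZITI:-kziti}"

# Classify a resource ID by its prefix (the three scopes from the docs).
scope_of() {
    case "$1" in
        net-*)    echo network ;;
        svcset-*) echo service-set ;;
        svc-*)    echo service ;;
        *)        echo unknown ;;
    esac
}

# Policy: network-wide grants need an explicit opt-in (ALLOW_NETWORK=1);
# unknown prefixes are always rejected. Returns 0 if the grant may proceed.
scope_allowed() {
    case "$(scope_of "$1")" in
        network)             [ "${ALLOW_NETWORK:-0}" = 1 ] ;;
        service-set|service) return 0 ;;
        *)                   return 1 ;;
    esac
}

# grant <identity> <resource>: enforce the policy, grant, then confirm the
# role attribute shows up in `kziti access list`. Returns 2 on policy refusal.
grant() {
    identity="$1"; resource="$2"
    if ! scope_allowed "$resource"; then
        echo "refusing $(scope_of "$resource") grant of $resource to $identity (set ALLOW_NETWORK=1 to override)" >&2
        return 2
    fi
    "$KZITI" access grant "$identity" "$resource" || return 1
    # Verify: the resource ID should now appear among the identity's grants.
    if "$KZITI" access list "$identity" | grep -Fq -- "$resource"; then
        echo "granted $resource to $identity"
    else
        echo "grant of $resource to $identity not visible in access list" >&2
        return 1
    fi
}

# revoke <identity> <resource>: remove the grant, and return 3 when the
# identity had an active session, because its existing tunnel stays up.
revoke() {
    identity="$1"; resource="$2"
    # Snapshot who can reach the resource before the attribute disappears.
    who="$("$KZITI" access who "$resource" | grep -F -- "$identity" || true)"
    "$KZITI" access remove "$identity" "$resource" || return 1
    # -w keeps "inactive" from matching "active".
    if echo "$who" | grep -Fwq active; then
        echo "removed $resource from $identity; an open session keeps its tunnel until it reconnects, consider revoking the workspace mapping in Kasm" >&2
        return 3
    fi
    echo "removed $resource from $identity"
}
```

Typical use is grant alice@example.com svcset-devops and revoke alice@example.com svcset-devops; a non-zero exit from revoke (3) is the cue to follow the page's advice and remove the identity in Kasm when the session must end now.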