Global Permissions
As of Conjur appliance version 4.5.0, you can grant certain roles the ability to bypass permission checks, allowing them to take any actions or view any resources.
Granting the elevate ability to a role gives that role complete control over your Conjur permissions model: do so with caution, and understand that this involves placing a great deal of trust in the person to whom this ability is granted.
The reveal ability grants read-only access to your entire permissions model. While this is not as powerful as elevate, information about a permissions model can give a malicious actor an advantage. Accordingly, you should only grant this ability to people you trust.
Note that neither ability lets a user hide their tracks: all actions are audited, and the audit records indicate when an action was taken using elevate or reveal.
Granting either ability to a non-human identity is not recommended.
Users who can elevate or reveal can be given permission to grant those abilities to others. This does not happen by default, and such grants should be made sparingly, in keeping with the principle of least privilege.
When a client wants to use a special privilege, it sends the X-Conjur-Privilege HTTP header in addition to the normal token authorization. The value of this header can be either elevate or reveal.
To decide whether the role making the request should be granted the special privilege, the Conjur server checks whether that role has a corresponding permission on a special resource, !:!:conjur. If the request header specifies the elevate privilege and the authenticated role has permission elevate on resource !:!:conjur, all permission checks are bypassed for the request. Similarly, if the header specifies reveal and the authenticated role has permission reveal on resource !:!:conjur, the permission checks that determine which roles, resources and assets are visible to that role are bypassed.
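To make that decision rule concrete, here is a small Ruby model of it. This is an added illustration written for this page, not Conjur's implementation: the Authz class, its in-memory permission table, the sample roles (user:alice, user:bob, user:carol), the variable id, and the choice of list and show as the "visibility" checks that reveal bypasses are all assumptions made for the example. It shows the three outcomes a practitioner should expect: a role holding elevate on !:!:conjur passes every check once it sends the header; a role holding reveal can see everything but still cannot write or fetch a value; and a role that sends a header for a privilege it does not hold gets 403 even for actions it could otherwise perform. Every decision is appended to an audit list that records which privilege, if any, was used.

```ruby
require 'set'

# Added model of the X-Conjur-Privilege check; not Conjur's own code.
SPECIAL_RESOURCE = '!:!:conjur'.freeze
PRIVILEGES = %w[elevate reveal].freeze
# Assumption: these are the actions governed by "visibility" checks, which
# is all that reveal bypasses. Fetching a variable value (execute) is not one.
VISIBILITY_ACTIONS = %w[list show].freeze

class Authz
  AuditRecord = Struct.new(:role, :action, :resource, :privilege, :outcome)

  attr_reader :audit

  def initialize
    # resource id -> privilege name -> set of role ids
    @permissions = Hash.new { |h, k| h[k] = Hash.new { |h2, k2| h2[k2] = Set.new } }
    @audit = []
  end

  # Equivalent of `conjur resource permit RESOURCE ROLE PRIVILEGE`.
  def permit(resource, role, privilege)
    @permissions[resource][privilege.to_s] << role
  end

  def permitted?(role, privilege, resource)
    @permissions[resource][privilege.to_s].include?(role)
  end

  # Decide one request. `privilege` is the value of the X-Conjur-Privilege
  # header, or nil when the header is absent. Returns an HTTP-style status.
  def authorize(role, action, resource, privilege: nil)
    outcome =
      if privilege.nil?
        # No header: the ordinary permission check applies.
        permitted?(role, action, resource) ? 200 : 403
      elsif !PRIVILEGES.include?(privilege) ||
            !permitted?(role, privilege, SPECIAL_RESOURCE)
        # Header names a privilege the role does not hold on !:!:conjur.
        403
      elsif privilege == 'elevate'
        # elevate: every permission check is bypassed.
        200
      elsif VISIBILITY_ACTIONS.include?(action.to_s)
        # reveal: only visibility checks are bypassed.
        200
      else
        # reveal does not cover writes or value fetches.
        permitted?(role, action, resource) ? 200 : 403
      end
    @audit << AuditRecord.new(role, action.to_s, resource, privilege, outcome)
    outcome
  end
end

# Constructed scenario: alice holds elevate, bob holds reveal, carol holds an
# ordinary execute permission on one variable.
def scenario
  authz = Authz.new
  authz.permit(SPECIAL_RESOURCE, 'user:alice', 'elevate')
  authz.permit(SPECIAL_RESOURCE, 'user:bob', 'reveal')
  authz.permit('variable:prod/db-password', 'user:carol', 'execute')

  {
    alice_retire_plain:   authz.authorize('user:alice', :update, 'user:stubborn'),
    alice_retire_elevate: authz.authorize('user:alice', :update, 'user:stubborn', privilege: 'elevate'),
    bob_list_plain:       authz.authorize('user:bob', :list, 'variable:prod/db-password'),
    bob_list_reveal:      authz.authorize('user:bob', :list, 'variable:prod/db-password', privilege: 'reveal'),
    bob_fetch_reveal:     authz.authorize('user:bob', :execute, 'variable:prod/db-password', privilege: 'reveal'),
    bob_elevate:          authz.authorize('user:bob', :update, 'user:stubborn', privilege: 'elevate'),
    carol_fetch:          authz.authorize('user:carol', :execute, 'variable:prod/db-password'),
    audit:                authz.audit
  }
end

if $PROGRAM_NAME == __FILE__
  result = scenario
  result[:audit].each do |rec|
    puts format('%-12s %-8s %-28s privilege=%-8s %d',
                rec.role, rec.action, rec.resource, rec.privilege || '-', rec.outcome)
  end
end
```

The audit list is the point to keep in mind when reviewing these grants: because the privilege used is recorded on every decision, a search of the audit trail for records carrying elevate or reveal lists exactly the actions that bypassed normal checks.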
Since the special privileges are implemented as permissions on a specific resource, you grant them using the normal process for granting permissions on a resource.
Initially, the admin user created when you configure your appliance for the first time has both elevate and reveal permissions on the !:!:conjur resource, and both privileges have the grant option flag set to true. See the documentation for resource permit for details about granting permissions.
Version 4.27.0 of the Conjur CLI introduces support for the elevate and reveal features. To use them, prefix a normal Conjur CLI command with elevate or reveal. For example, to show every resource id in your permission model (regardless of which resources are visible to your role), you can use this command:
conjur reveal resource list -i
A common use case for
elevate is to retire a user. Because retire requires the ability to revoke all of the user's
memberships, it's quite easy to create a 'stubborn' user that cannot be retired. To retire a "stubborn" user, you
can use a command like this:
conjur elevate user retire some-stubborn-user
You can grant a user elevate or reveal using the command line like this:
# grant 'elevate' privileges to a user 'alice'
$ conjur resource permit '!:!:conjur' 'user:alice' elevate
Permission granted
# grant 'reveal' privileges to a user 'bob'
$ conjur resource permit '!:!:conjur' 'user:bob' reveal
Permission granted
It can also be useful to see which roles have these permissions:
# Show roles that can use the 'elevate' privilege
conjur resource permitted_roles '!:!:conjur' elevate
[
  "account:user:alice",
  "account:user:admin",
  "!:!:root"
]
# Show roles that can use the 'reveal' privilege
conjur resource permitted_roles '!:!:conjur' reveal
[
  "account:user:bob",
  "account:user:admin",
  "!:!:root"
]
Note: the role "!:!:root" is a special role created when the appliance is initialized, because all Conjur resources (including !:!:conjur) must have an owner. It isn't possible to log in as this role, but it does show up in the output of Conjur calls.
Support for global permissions was added in version 4.19.0 of the Conjur Ruby API. The Conjur::API class has a privilege attribute that can be set to 'elevate' or 'reveal' to perform requests with the corresponding privilege. You can also use the #with_privilege method to create a copy of an API instance with its privilege set to the specified value. For example,
api = Conjur::API.new_from_key login, key
# ...do stuff with API
# Do something that needs to be elevated
api.with_privilege('elevate').role(roleid).grant_to(other_roleid)
# ...continue to do stuff with the original API
Any request that carries a Conjur authentication token can be performed using a special privilege by setting the X-Conjur-Privilege header to elevate or reveal. If the role given by the token isn't allowed to use the specified privilege, the request fails with a 403 Forbidden status.
For example, to list all variables, whether or not the current role can normally see them, we can use this curl command:
curl -H "$token_header" \
  -H "X-Conjur-Privilege: reveal" \
  --cacert ~/conjur-myorg.pem \
  https://conjur/api/authz/myorg/resources/variable