Version: 1.4

Revoking User or Robot Access

As a workspace administrator, you can immediately revoke access for users or robots in your workspace.

  • Users get access by assuming roles or accessing a cluster.
  • Robots get access when users assign roles to them.

View or revoke user access

You can see which users currently have permissions to access clusters in your workspace by viewing live sessions. A live session starts when a user has requested access permissions by running either of these commands:

As an administrator, you can then revoke any live session if needed.

For more information, see Assumption Policies.

To view or revoke live sessions: CLI

  1. List all live sessions in your workspace:

    wf sessions --all

    NAME                        PLAN           SUBJECT              EXPIRES IN  AGE
    cluster.admin-assume-tjh2d  cluster.admin                       7h59m       1h23s

  2. To revoke access, find the username whose access you want to revoke in the SUBJECT column, and then delete the session (NAME column):

    wf sessions NAME --revoke

    The session name is the assumption policy associated with that user's wf assume ROLE session.
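
When every live session held by one user has to be cut at once, the two commands above can be scripted. The following is an added example, not part of the Wayfinder documentation: it assumes `wf sessions --all` prints the fixed-width table shown above, and `sessions_for_subject`, `list_for` and `revoke_subject` are hypothetical helper names.

```shell
# Added example (not from the Wayfinder docs). Assumes `wf sessions --all`
# prints the fixed-width table shown above, header row first.
# Usage: revoke_subject alice@example.com   (constructed subject)

# Read that table on stdin; print the NAME of each session held by SUBJECT $1.
# Cells are sliced at the header's column offsets, so an empty cell cannot
# shift another column's value into SUBJECT. The subject match is exact.
sessions_for_subject() {
  awk -v subject="$1" '
    NR == 1 {
      n = index($0, "NAME"); s = index($0, "SUBJECT")
      if (!n || !s) { print "unexpected header: " $0 > "/dev/stderr"; exit 2 }
      match(substr($0, s), /^SUBJECT */); w = RLENGTH
      if (s + w > length($0)) w = 4096   # SUBJECT is the last column
      next
    }
    {
      name = substr($0, n); sub(/ .*/, "", name)
      subj = substr($0, s, w); gsub(/^ +| +$/, "", subj)
      if (name != "" && subj == subject) print name
    }'
}

# Names of the live sessions held by $1. Fails if wf itself fails, so an
# expired login is not mistaken for "no sessions".
list_for() {
  table="$(wf sessions --all)" || return 1
  [ -z "$table" ] || printf '%s\n' "$table" | sessions_for_subject "$1"
}

# Revoke every live session held by $1, then re-list to confirm none remain.
revoke_subject() {
  names="$(list_for "$1")" || return 1
  [ -n "$names" ] || { echo "no live sessions for $1" >&2; return 0; }
  while IFS= read -r name; do
    echo "revoking $name" >&2
    wf sessions "$name" --revoke || return 1
  done <<EOF
$names
EOF
  left="$(list_for "$1")" || return 1
  [ -z "$left" ] || { echo "still live: $left" >&2; return 1; }
}
```
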

To view or revoke live sessions: UI

  1. In the Wayfinder UI, navigate to Access policy > Live sessions.

    Live sessions page

    This page shows all live sessions on all clouds for your workspace, including:

    • Session name
    • Subject: the username of the user who has access in this session
    • Role: the role this user has assumed
    • Cluster/Namespace: the cluster and namespace being accessed
    • Expires: the amount of time left on this session to access the cluster
    • Session status
  2. To revoke access, find the username whose access you want to revoke, and then click Revoke access for that username.

View or revoke robot access

You can see what access a robot has in your workspace by listing the policies for the role(s) assigned to that robot. As a workspace administrator, you can then revoke the robot's access by deleting the relevant policy.

For more information, see:

To view or revoke robot access:

  1. Get the assignment policy for the robot you want:

    wf get policy --robot ROBOT-NAME

    NAME                              ROLE                ENABLED    STATUS     AGE
    cluster.deployment-assign-fkbdl   cluster.deployment  true       Success    7m22s

  2. To revoke the robot's access, delete its assignment policy (in the NAME column):

    wf delete policy NAME