gravitational · tigrato · Jun 27, 2025 · Jun 27, 2025
diff --git a/api/proto/teleport/legacy/types/events/events.proto b/api/proto/teleport/legacy/types/events/events.proto
@@ -77,6 +77,9 @@ enum UserKind {
 
   // Indicates the user associated with this event is a Machine ID bot user.
   USER_KIND_BOT = 2;
+
+  // Indicates that the user associated with this event is a system component e.g. Okta service.
+  USER_KIND_SYSTEM = 3;
 }
 
 // UserOrigin is the origin of a user account.

diff --git a/api/types/events/events.pb.go b/api/types/events/events.pb.go
diff --git a/gen/proto/go/prehog/v1/teleport.pb.go b/gen/proto/go/prehog/v1/teleport.pb.go
diff --git a/gen/proto/go/prehog/v1alpha/teleport.pb.go b/gen/proto/go/prehog/v1alpha/teleport.pb.go
diff --git a/gen/proto/ts/prehog/v1/teleport_pb.ts b/gen/proto/ts/prehog/v1/teleport_pb.ts
diff --git a/gen/proto/ts/prehog/v1alpha/teleport_pb.ts b/gen/proto/ts/prehog/v1alpha/teleport_pb.ts
diff --git a/lib/tlsca/ca.go b/lib/tlsca/ca.go
@@ -1244,9 +1244,15 @@ func (id Identity) GetUserMetadata() events.UserMetadata {
 		}
 	}
 
-	userKind := events.UserKind_USER_KIND_HUMAN
-	if id.BotName != "" {
+	_, systemRoleCheckErr := types.NewTeleportRoles(id.Groups)
+	var userKind events.UserKind
+	switch {
+	case id.BotName != "":
 		userKind = events.UserKind_USER_KIND_BOT
+	case len(id.SystemRoles) > 0 || systemRoleCheckErr == nil && len(id.Groups) > 0:
+		userKind = events.UserKind_USER_KIND_SYSTEM
+	default:
+		userKind = events.UserKind_USER_KIND_HUMAN
 	}
 
 	return events.UserMetadata{

diff --git a/lib/tlsca/ca_test.go b/lib/tlsca/ca_test.go
@@ -38,6 +38,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
+	"github.com/gravitational/teleport/api/types"
 	apievents "github.com/gravitational/teleport/api/types/events"
 	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/cryptosuites"
@@ -552,6 +553,39 @@ func TestIdentity_GetUserMetadata(t *testing.T) {
 				UserKind: apievents.UserKind_USER_KIND_HUMAN,
 			},
 		},
+		{
+			name: "user metadata for auth system role",
+			identity: Identity{
+				Username: "system.teleport.name",
+				Groups:   []string{string(types.RoleAuth)},
+			},
+			want: apievents.UserMetadata{
+				User:     "system.teleport.name",
+				UserKind: apievents.UserKind_USER_KIND_SYSTEM,
+			},
+		},
+		{
+			name: "user metadata for discovery system role",
+			identity: Identity{
+				Username: "system.teleport.name",
+				Groups:   []string{string(types.RoleDiscovery)},
+			},
+			want: apievents.UserMetadata{
+				User:     "system.teleport.name",
+				UserKind: apievents.UserKind_USER_KIND_SYSTEM,
+			},
+		},
+		{
+			name: "user metadata for okta system role",
+			identity: Identity{
+				Username: "system.teleport.name",
+				Groups:   []string{string(types.RoleOkta)},
+			},
+			want: apievents.UserMetadata{
+				User:     "system.teleport.name",
+				UserKind: apievents.UserKind_USER_KIND_SYSTEM,
+			},
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {

diff --git a/lib/usagereporter/teleport/aggregating/reporter.go b/lib/usagereporter/teleport/aggregating/reporter.go
@@ -209,6 +209,8 @@ func convertUserKind(v1AlphaUserKind prehogv1alpha.UserKind) prehogv1.UserKind {
 		return prehogv1.UserKind_USER_KIND_BOT
 	case prehogv1alpha.UserKind_USER_KIND_HUMAN:
 		return prehogv1.UserKind_USER_KIND_HUMAN
+	case prehogv1alpha.UserKind_USER_KIND_SYSTEM:
+		return prehogv1.UserKind_USER_KIND_SYSTEM
 	default:
 		return prehogv1.UserKind_USER_KIND_UNSPECIFIED
 	}

diff --git a/lib/usagereporter/teleport/audit.go b/lib/usagereporter/teleport/audit.go
@@ -55,6 +55,8 @@ func prehogUserKindFromEventKind(eventsKind apievents.UserKind) prehogv1a.UserKi
 		return prehogv1a.UserKind_USER_KIND_BOT
 	case apievents.UserKind_USER_KIND_HUMAN:
 		return prehogv1a.UserKind_USER_KIND_HUMAN
+	case apievents.UserKind_USER_KIND_SYSTEM:
+		return prehogv1a.UserKind_USER_KIND_SYSTEM
 	default:
 		return prehogv1a.UserKind_USER_KIND_UNSPECIFIED
 	}

diff --git a/proto/prehog/v1/teleport.proto b/proto/prehog/v1/teleport.proto
@@ -75,6 +75,11 @@ enum UserKind {
   //
   // PostHog property value: "bot"
   USER_KIND_BOT = 2;
+
+  // Indicates that the user associated with this event is a system component e.g. Okta service.
+  //
+  // PostHog property value: "system"
+  USER_KIND_SYSTEM = 3;
 }
 
 // UserOrigin is the origin of a user account.

diff --git a/proto/prehog/v1alpha/teleport.proto b/proto/prehog/v1alpha/teleport.proto
@@ -201,6 +201,11 @@ enum UserKind {
   //
   // PostHog property value: "bot"
   USER_KIND_BOT = 2;
+
+  // Indicates that the user associated with this event is a system component e.g. Okta service.
+  //
+  // PostHog property value: "system"
+  USER_KIND_SYSTEM = 3;
 }
 
 // an event representing one of several audit events: session.start, port,