Configuring Access Duration

Sym Flows can be configured to provide escalated access for variable durations before automatically deescalating on a timer.


Sym workflows support variable access durations, so you can tune each Target's access policies to your exact needs.

Duration will generally behave as you expect it to:

  • SaaS applications like Okta and GitHub will escalate, and subsequently deescalate via direct API calls.
  • RPC-triggered workflows like AWS Lambda and Custom Strategies will call their respective endpoints, once for escalation, and again for deescalation.
  • AWS identities, which are primarily governed by their own session timers, will allow a user to begin assumption of an escalated role during the escalation period. See AWS IAM and AWS SSO for details.

Configuring duration


Duration is required where applicable

Duration is required for Access Flows where a Strategy is defined and the schedule_deescalation Flow Parameter is set to true. If you supply a prompt field named duration, it must be set as required, and must include allowed_values following the rules below.

If you do not supply a prompt field named duration, Sym will include a field for you with default values of 30s, 10m, and 1h.

Duration for Sym requests are strings that require unit suffixes similar to how expirations are handled on symflow bot tokens.

Allowed unit suffixes:

  • s – seconds
  • m – minutes
  • h – hours
  • d – days
  • mo – months (30 days)

params example

params {
  strategy_id =
  prompt_field {
    name = "reason"
    type = "string"
    required = true
  prompt_field {
    name = "duration"
    type = "duration"
    required = true
    allowed_values = ["10s", "1m", "1h", "1d"]

Accessing duration in the SDK

The duration selected when making a request is exposed in the SDK via the event.payload.fields dictionary, as with other field data: event.payload.fields["duration"].

To work with the duration value (for example, to automatically approve requests under a certain duration using a hook), note the following:

  • The duration value in the SDK is always expressed as a numeric string in seconds, even if the allowed durations were specified using suffixes in Terraform. For example, if one of the allowed_values for duration is 6h, in the SDK this would be expressed as 21600.
  • Since the duration is a string, it will need to be casted to an int for numeric operations or comparisons.


def on_request(evt):
    seconds_in_week = 604800
    duration = evt.payload.fields["duration"]

    if int(duration) < seconds_in_week:
        return ApprovalTemplate.approve()