Configuring Access Duration
Sym Flows can be configured to provide escalated access for variable durations before automatically deescalating on a timer.
Overview
Sym workflows support variable access durations, so you can tune each Target's access policies to your exact needs.
Duration will generally behave as you expect it to:
- SaaS applications like Okta and GitHub will escalate, and subsequently deescalate via direct API calls.
- RPC-triggered workflows like AWS Lambda and Custom Strategies will call their respective endpoints, once for escalation, and again for deescalation.
- AWS identities, which are primarily governed by their own session timers, will allow a user to begin assumption of an escalated role during the escalation period. See AWS IAM and AWS SSO for details.
Configuring duration
Duration is required where applicable
Duration is required for Access Flows where a Strategy is defined and the `schedule_deescalation` Flow Parameter is set to `true`. If you supply a prompt field named `duration`, it must be set as `required`, and must include `allowed_values` following the rules below. If you do not supply a prompt field named `duration`, Sym will include a field for you with default values of 30s, 10m, and 1h.
Durations for Sym requests are strings with a unit suffix, similar to how expirations are handled on `symflow` bot tokens.
Allowed unit suffixes:
- `s` – seconds
- `m` – minutes
- `h` – hours
- `d` – days
- `mo` – months (30 days)
params example:
```hcl
params {
  strategy_id = sym_strategy.this.id

  prompt_field {
    name     = "reason"
    type     = "string"
    required = true
  }

  # The duration field must be required and must list allowed_values
  # using the unit suffixes described above.
  prompt_field {
    name           = "duration"
    type           = "duration"
    required       = true
    allowed_values = ["10s", "1m", "1h", "1d"]
  }
}
```
Accessing duration in the SDK
The duration selected when making a request is exposed in the SDK via the `event.payload.fields` dictionary, as with other field data: `event.payload.fields["duration"]`.
To work with the duration value (for example, to automatically approve requests under a certain duration using a hook), note the following:
- The `duration` value in the SDK is always expressed as a numeric string in seconds, even if the allowed durations were specified using suffixes in Terraform. For example, if one of the `allowed_values` for `duration` is `6h`, in the SDK this would be expressed as `21600`.
- Since the `duration` is a string, it must be cast to an `int` for numeric operations or comparisons.
Example
```python
from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate


@hook
def on_request(evt):
    seconds_in_week = 604800
    # The SDK delivers the selected duration as a numeric string of seconds,
    # so it has to be cast to int before the comparison.
    duration = evt.payload.fields["duration"]
    if int(duration) < seconds_in_week:
        # Short-lived requests skip the manual approval step.
        return ApprovalTemplate.approve()
    # Returning None leaves longer requests on the normal approval path.
    return None
```
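The following is an added example, not code from Sym or its SDK. It works through both halves of this page in plain Python so it can run offline: a parser for the suffixed duration strings used in `allowed_values` (the `s`/`m`/`h`/`d`/`mo` suffixes above, with `mo` fixed at 30 days), the check that a duration prompt field's `allowed_values` are non-empty and well-formed, and a hook-style decision over `event.payload.fields` where `duration` arrives as a numeric string of seconds. Assumptions: the suffix-to-seconds conversion is inferred from the page's `6h` to `21600` statement; only positive integer quantities are accepted; `decide_request` stands in for the `on_request` hook and returns the string `"approve"` instead of an `ApprovalTemplate` so no SDK import is needed; the sample payload is constructed.

```python
import re
from typing import Dict, List, Optional

# Unit suffixes accepted in allowed_values, mapped to seconds.
# "mo" is a fixed 30 days, as the page specifies; the regex tries it before "m".
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "mo": 30 * 86400}
_DURATION_RE = re.compile(r"(\d+)(mo|s|m|h|d)")


def duration_to_seconds(value: str) -> int:
    """Convert a suffixed duration such as "6h" to integer seconds ("6h" -> 21600).

    Raises ValueError for anything that is not <positive integer><s|m|h|d|mo>.
    (Positive-only is an assumption of this example, not a rule from the page.)
    """
    match = _DURATION_RE.fullmatch(value.strip())
    if match is None or int(match.group(1)) <= 0:
        raise ValueError(f"invalid duration {value!r}: expected <int><s|m|h|d|mo>")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def is_valid_duration(value: str) -> bool:
    """True if duration_to_seconds would accept the value."""
    try:
        duration_to_seconds(value)
        return True
    except ValueError:
        return False


def validate_allowed_values(allowed_values: List[str]) -> List[int]:
    """Check a duration prompt field's allowed_values before applying Terraform.

    Enforces the rules from the page: the list must be present and non-empty,
    and every entry must use one of the allowed suffixes. Returns the values
    in seconds, which is the form the SDK later hands to hooks.
    """
    if not allowed_values:
        raise ValueError("allowed_values for the duration prompt field must not be empty")
    return [duration_to_seconds(v) for v in allowed_values]


def requested_seconds(fields: Dict[str, str]) -> Optional[int]:
    """Read the selected duration the way it arrives in event.payload.fields.

    The SDK value is a numeric string of seconds, so it is cast to int here.
    Returns None when the Flow carries no duration field (for example when
    schedule_deescalation is not enabled), so callers do not KeyError.
    """
    raw = fields.get("duration")
    if raw is None:
        return None
    if not raw.isdigit():
        raise ValueError(f"unexpected duration value from SDK: {raw!r}")
    return int(raw)


def decide_request(fields: Dict[str, str], max_auto_approve_seconds: int) -> Optional[str]:
    """Hook-style decision: "approve" for requests shorter than the threshold,
    None to fall through to the normal approval path (the stand-in for returning
    ApprovalTemplate.approve() or nothing from on_request).
    """
    seconds = requested_seconds(fields)
    if seconds is not None and seconds < max_auto_approve_seconds:
        return "approve"
    return None


if __name__ == "__main__":
    # Constructed sample: the allowed_values from the Terraform example on this
    # page, and a request payload as the SDK presents it after choosing "1h".
    print(validate_allowed_values(["10s", "1m", "1h", "1d"]))  # [10, 60, 3600, 86400]
    sample_fields = {"reason": "rotate prod credentials", "duration": "3600"}
    print(decide_request(sample_fields, max_auto_approve_seconds=604800))  # approve
```

Running `validate_allowed_values` against the Terraform list in CI catches a bad suffix (such as `1w`) before the Flow is applied; `requested_seconds` does the `int` cast in one place so every hook compares seconds to seconds rather than comparing the raw string.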