Approval-Only Flows
For auditable Approvals without escalation targets, look no further!
Overview
Approval-Only Flows enable you to use Sym as an approval gate, but without explicit escalation or deescalation of privileged access.
In an Approval-Only Flow, a Strategy is not specified. Instead, Sym will collect information from the requestor, present any approvers with the normal Approve/Deny dialog, and record the result for audit and reporting.


In this configuration, the Sym SDK works as normal through the Approve
step, at which point the Flow executes any post-approval SDK actions and then terminates. This is ideal for scenarios where you don't actually need to escalate but still want a flexible, audited approval, as in the case of Sym's CircleCI integration.


Sym Flows can be kicked off via API, too
Sym's Events API can be used instead of Slack to move through the Prompt + Request stages of a Sym Flow.
Example Terraform
Approval-Only Flows are fairly straight-forward in their definition. The Flow's params
are configured as with a Sym Access Flow, except strategy_id
and duration
are both omitted.
# Pure Approval Flow β no escalation or de-escalation
resource "sym_flow" "this" {
name = "approval"
label = "Approval"
template = "sym:template:approval:1.0.0"
implementation = "${path.module}/impl.py"
environment_id = sym_environment.this.id
params = {
# Note: No strategy ID!
prompt_fields_json = jsonencode([
{
name = "resource"
label = "What do you need access to?"
type = "string"
required = true
},
{
name = "reason"
label = "Why do you need access?"
type = "string"
required = true
}
])
}
}
Approval-Only Flows must omit
strategy_id
andduration
If
strategy_id
is included, Sym will assume you are creating an Access Flow. Ifstrategy_id
is omitted, thenduration
must not be included in theprompt_fields_json
.
Updated about 1 month ago