Overview

Approval-Only Flows enable you to use Sym as an approval gate, but without explicit escalation or deescalation of privileged access.

In an Approval-Only Flow, a Strategy is not specified. Instead, Sym will collect information from the requestor, present any approvers with the normal Approve/Deny dialog, and record the result for audit and reporting.

In this configuration, the Sym SDK works as normal through the Approve step, at which point the Flow executes any post-approval SDK actions and then terminates. This is ideal for scenarios where you don't actually need to escalate but still want a flexible, audited approval, as in the case of Sym's CircleCI integration.

📘

Sym Flows can be kicked off via API, too

Sym's Events API can be used instead of Slack to move through the Prompt + Request stages of a Sym Flow.

Example Terraform

Approval-Only Flows are fairly straight-forward in their definition. The Flow's params are configured as with a Sym Access Flow, except strategy_id and duration are both omitted.

# Pure Approval Flow — no escalation or de-escalation
resource "sym_flow" "this" {
  name  = "approval"
  label = "Approval"

  template       = "sym:template:approval:1.0.0"
  implementation = "${path.module}/impl.py"
  environment_id = sym_environment.this.id

  params = {
    # Note: No strategy ID!
 
    prompt_fields_json = jsonencode([
      {
        name     = "resource"
        label    = "What do you need access to?"
        type     = "string"
        required = true
      },
      {
        name     = "reason"
        label    = "Why do you need access?"
        type     = "string"
        required = true
      }
    ])
  }
}

📘

Approval-Only Flows must omit strategy_id and duration

If strategy_id is included, Sym will assume you are creating an Access Flow. If strategy_id is omitted, then duration must not be included in the prompt_fields_json.