With Sym and Aptible you can get the benefits of flexible just-in-time role assignments and escalations with a great GRC platform.

For example, Sym can help limit access to certain roles except when needed with approval. This will further improve your security posture by reducing default access and requiring approval for escalations.



Do you have an Aptible account?

To complete this setup, you'll need an Aptible account with permissions to create bot users.

Setting up an Aptible bot user and connecting to Sym

  1. Create a "bot" user for the integration. Sym will use these credentials to make API requests to Aptible.

  2. Securely store the "bot" user credentials.

You'll store your "bot" user credentials in AWS Secrets Manager in the same account where you provisioned your Runtime Connector. Contact us if you'd like to use an alternative secrets store.


Runtime Connectors support optional permissions using the addon input. Ensure that your Runtime Connector is provisioned with the aws/secretsmgr addon enabled.

resource "aws_secretsmanager_secret" "aptible" {
  name        = "/symops.com/connector/aptible"
  description = "Aptible User Credentials for Sym"

  tags = {
    "SymEnv" = var.environment

Now you can use Aptible Roles from Sym!

Example implementation

To provision an Aptible Strategy for use in a Flow, define the following resources in Terraform:

data "sym_integration" "aptible" {
  type = "aptible"
  name = "aptible-prod"
resource "sym_flow" "this" {
  name = "aptible_access"
  label = "Aptible Access"
  params = {
    strategy_id = sym_strategy.this.id

# A Strategy uses an Integration to grant people access to Targets
resource "sym_strategy" "this" {
  type = "aptible"

  integration_id = data.sym_integration.aptible.id
  targets        = [sym_target.admin_prod, sym_target.admin_ro]

# A Target something Sym is managing access to
resource "sym_target" "admin_prod" {
  type  = "aptible_role"

  settings = {
    role_id = "24463EF7-1D6E-402E-A365-69CB6DB80C6E"

resource "sym_target" "admin_ro" {
  type  = "aptible_role"

  settings = {
    role_id = "C7D5F21A-1D4E-4B39-9957-F8ACABDE2A3A"

Did this page help you?