Defining Who Can Approve Requests

By default, anyone can approve Sym requests, but it doesn't have to be that way.

Overview

Out of the box, the Sym SDK provides a single, simple toggle to declare whether users can approve their own requests:

from sym.sdk.annotations import reducer
from sym.sdk.integrations import slack

@reducer
def get_approvers(event):
    return slack.channel("#sym-requests", allow_self=False)

Beyond this, there are multiple ways to determine approval behavior, up to and including full automations based on custom SDK logic.

Concepts

You can block user actions with ApprovalTemplate.ignore()

In addition to the transition methods used to Automate and Fast-Track Approvals, the Sym SDK provides a special method that blocks a user interaction without causing a transition and sends a message back to the acting user.

from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate

@hook
def on_approve(event):
    return ApprovalTemplate.ignore(message="No one can ever approve this request!")

The on_approve hook is the best place to check and block approvers

Assuming a request has been made successfully and appears in a Slack channel or message, the next step along the happy path is for someone to "approve" the request.

The Sym state machine, with the on_approve step highlighted

Approving a request fires any on_approve hook before the approval itself, and any subsequent escalation, is executed.

In the example below, only members of a specific Okta group are able to approve requests:

from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate
from sym.sdk.integrations import okta

@hook
def on_approve(event):
    if not okta.is_user_in_group(event.user, group_id=event.flow.vars["okta_managers_group"]):
        return ApprovalTemplate.ignore(message="Only managers may approve access requests.")
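One way to keep the approver check testable outside the Sym runtime, as an added example that is not from the Sym docs or SDK: the decision is a plain function that returns the message for ApprovalTemplate.ignore() or None, and it fails closed when the group variable is missing or the lookup errors. FakeEvent, approval_block_reason, fake_is_user_in_group, check, the group ID and the e-mail addresses are all hypothetical, and the requester is passed in by the caller because this page does not show how a hook obtains it.

```python
# Added example: every stand-in below is constructed; nothing imports the Sym SDK.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class FakeEvent:
    """Constructed stand-in for the hook's event: acting user plus flow vars."""
    user: str
    flow_vars: dict = field(default_factory=dict)


def approval_block_reason(event: FakeEvent, requester: str,
                          is_user_in_group: Callable[..., bool]) -> Optional[str]:
    """Return the message for ApprovalTemplate.ignore(), or None to allow."""
    # Fail closed: a missing flow var blocks instead of raising KeyError.
    group_id = event.flow_vars.get("okta_managers_group")
    if not group_id:
        return "Approver group is not configured; approval is blocked."
    # Same rule as allow_self=False, re-checked at approval time.
    if event.user == requester:
        return "You may not approve your own request."
    try:
        allowed = is_user_in_group(event.user, group_id=group_id)
    except Exception:
        # Directory lookup failed: treat the actor as not a member.
        return "Could not verify group membership; approval is blocked."
    if not allowed:
        return "Only managers may approve access requests."
    return None  # in a real hook: return nothing and let the approval proceed


# Constructed directory data standing in for Okta group membership.
GROUPS = {"00g-managers-example": {"alice@example.com", "bob@example.com"}}


def fake_is_user_in_group(user: str, group_id: str) -> bool:
    return user in GROUPS[group_id]  # KeyError for an unknown group


def check(user: str, requester: str, flow_vars: dict) -> Optional[str]:
    """Run the decision against the constructed directory."""
    return approval_block_reason(FakeEvent(user, flow_vars), requester,
                                 fake_is_user_in_group)
```

In a hook, a non-None result would be passed as the message to ApprovalTemplate.ignore(), with okta.is_user_in_group supplied in place of the fake lookup.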

on_deny is a separate event, but works exactly the same way

Similar to on_approve, Sym provides an on_deny hook that you can use as a checkpoint to ensure only approved people or groups are able to reject requests. This is a less common application, as denying a request tends to have no direct consequence other than creating a need to re-request; but it works exactly as you'd expect:

from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate
from sym.sdk.integrations import okta

@hook
def on_deny(event):
    if not okta.is_user_in_group(event.user, group_id=event.flow.vars["okta_managers_group"]):
        return ApprovalTemplate.ignore(message="Only managers may deny access requests.")