Defining Who Can Approve Requests
By default, anyone can approve Sym requests, but it doesn't have to be that way.
This is a mini-guide
This page is intended as a practical introduction to a handful of basic Sym concepts, all of which are covered elsewhere in greater detail.
This page includes references to:
It also builds on concepts introduced in:
Out of the box, the Sym SDK provides a single, simple toggle to declare whether users can approve their own requests:
```python
from sym.sdk.annotations import reducer
from sym.sdk.integrations import slack


@reducer
def get_approvers(event):
    # allow_self=False: requesters cannot approve their own requests.
    return slack.channel("#sym-requests", allow_self=False)
```
Beyond this, there are multiple ways to determine approval behavior, up to and including full automations based on custom SDK logic.
You can block user actions with
In addition to the transition methods used to Automate and Fast-Track Approvals, the Sym SDK provides a special method that can be used to simply block user interaction without causing a transition, and send a message back to the acting user.
```python
from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate


@hook
def on_approve(event):
    # Block the action without a transition and send a message to the acting user.
    return ApprovalTemplate.ignore(message="No one can ever approve this request!")
```
on_approve hook is the best place to check + block approvers
Assuming a request has been made successfully and appears in a Slack channel or message, the next step along the happy path is for someone to "approve" the request.
Approving a request will trigger any on_approve hook to fire, prior to executing the approval itself, and any subsequent escalation.
In the below example, only members of a specific Okta group will be able to approve requests:
```python
from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate
from sym.sdk.integrations import okta


@hook
def on_approve(event):
    # event.user is the person attempting the approval.
    if not okta.is_user_in_group(event.user, group_id=event.flow.vars["okta_managers_group"]):
        return ApprovalTemplate.ignore(message="Only managers may approve access requests.")
```
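The same approver gate written as a plain function, as an added example that is not Sym SDK code or code from this page: it combines the self-approval rule with the group check and blocks when the group lookup itself fails. `ApprovalAttempt`, `block_reason` and the lookup callables are hypothetical names, and `MANAGERS` is constructed sample data standing in for the Okta group.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: stand-in for the members of the Okta group
# that flow.vars["okta_managers_group"] points at in the hook above.
MANAGERS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class ApprovalAttempt:
    requester: str  # who opened the request (hypothetical field)
    approver: str   # who clicked "approve" (hypothetical field)


def block_reason(attempt: ApprovalAttempt,
                 in_managers_group: Callable[[str], bool]) -> Optional[str]:
    """Return the message to block with, or None to let the approval proceed."""
    # Separation of duties: being a manager does not allow self-approval.
    if attempt.approver.strip().lower() == attempt.requester.strip().lower():
        return "You may not approve your own request."
    try:
        is_manager = in_managers_group(attempt.approver)
    except Exception:
        # Fail closed: an unverifiable approver is treated as not allowed.
        return "Approver group membership could not be verified."
    # Accept only an explicit True, never a merely truthy value.
    if is_manager is not True:
        return "Only managers may approve access requests."
    return None


def sample_lookup(user: str) -> bool:
    """Constructed stand-in for the directory group check."""
    return user.strip().lower() in MANAGERS


def broken_lookup(user: str) -> bool:
    """Constructed stand-in for a directory outage."""
    raise TimeoutError("directory unavailable")
```

Inside an `on_approve` hook, a non-`None` result would be passed to `ApprovalTemplate.ignore(message=...)`; returning nothing lets the approval continue.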
on_deny is a separate event, but works exactly the same way
on_approve, Sym provides an on_deny hook that you can use as a checkpoint to ensure only approved people or groups are able to reject requests. This is a less common application, as denying a request tends to have no direct consequence other than creating a need to re-request; but it works exactly as you'd expect:
```python
from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate
from sym.sdk.integrations import okta


@hook
def on_deny(event):
    # event.user is the person attempting the denial.
    if not okta.is_user_in_group(event.user, group_id=event.flow.vars["okta_managers_group"]):
        return ApprovalTemplate.ignore(message="Only managers may deny access requests.")
```