Adding a Reason for Approve/Deny

Sym enables approvers/deniers to give context for their decision via a decision_message.

Overview

In some request scenarios, it may be useful (or required) for a decision-maker to provide additional context along with their decision. For example:

  • Some denials might have simple reasons, like, "Please make sure to include a valid reason and re-request."
  • Some security programs require that all approvals to certain targets come with their own rationale.
  • You might want to throw a nice note in with your approval or denial -- there's nothing wrong with that!

Implementation

Set include_decision_message to true in your sym_flow params. That's it!

resource "sym_flow" "circleci_approval" {
  name  = "ci-approval-${local.environment_name}"
  label = "CI Approval"

  implementation = file("${path.module}/impls/circleci_approval_impl.py")
  environment_id = sym_environment.this.id

  params {
    # Adds the decision message input box to every request for this Flow.
    include_decision_message = true
    # ...
  }
}

Every new request using this Flow with include_decision_message = true will have a decision message input box. Filling it in is optional by default, but you can make it mandatory by checking for a value in the Flow's on_approve or on_deny Hook(s) (see example below).

[Image: Request message with decision message input box.]

After the decision message is entered in the request message and the user hits "Approve" or "Deny", it will be visible in the request message:

[Image: Approved message with text "Decision Message: Go forth and conquer!"]

[Image: Denied message with text "Decision Message: You don't need this access."]

Making decision messages mandatory

The following example will reject any denials with a blank decision message:

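from sym.sdk.annotations import hook
from sym.sdk.templates import ApprovalTemplate

@hook
def on_deny(event):
    # Ignore the denial (the request stays open) if no decision message was entered.
    if not event.payload.fields.get("decision_message"):
        return ApprovalTemplate.ignore(message="You must enter a decision message to deny this request.")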
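
One way to cover both cases from the Overview with a single helper: a message is mandatory on every denial, and mandatory on approval only for certain targets. This is an added example, not Sym's own code; the target names, the helper names, and reading the target's name from fields["target"].name are assumptions, and the field values are constructed stand-ins so it runs offline.

```python
from types import SimpleNamespace

# Hypothetical target names whose approvals must carry a rationale.
RATIONALE_REQUIRED_TARGETS = {"prod-deploy", "prod-db-admin"}


def missing_rationale(fields, decision, required_targets=RATIONALE_REQUIRED_TARGETS):
    """Return the text to show the decision-maker, or None to let the decision through.

    `fields` is the mapping a hook reads as event.payload.fields.
    Assumption: fields["target"] exposes the target's name as `.name`.
    """
    # Treat a missing value and whitespace-only input as blank; a bare
    # truthiness check would accept "   ".
    message = (fields.get("decision_message") or "").strip()
    if message:
        return None
    if decision == "deny":
        return "You must enter a decision message to deny this request."
    target_name = getattr(fields.get("target"), "name", None)
    if decision == "approve" and target_name in required_targets:
        return f"Approvals for {target_name} require a decision message."
    return None


# Inside the Flow implementation, each hook delegates to the helper:
#
#   @hook
#   def on_approve(event):
#       problem = missing_rationale(event.payload.fields, "approve")
#       if problem:
#           return ApprovalTemplate.ignore(message=problem)


def constructed_fields(target_name, decision_message):
    """Constructed stand-in for event.payload.fields so the helper runs offline."""
    return {"target": SimpleNamespace(name=target_name),
            "decision_message": decision_message}


if __name__ == "__main__":
    for target, text, decision in [("prod-deploy", "   ", "approve"),
                                   ("staging", None, "approve"),
                                   ("staging", "", "deny"),
                                   ("prod-deploy", "Ticket reviewed", "approve")]:
        print(decision, target, "->", missing_rationale(constructed_fields(target, text), decision))
```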