Access Flows

The sym:approval template has several steps, each of which has a default implementation. You can override any of these defaults by implementing Workflow Handlers (Hooks and Reducers) in the Flow's Python implementation file.

Overview

Sym's Access Flows allow users to request temporary, auto-expiring access to sensitive resources. Requests are routed through fully customizable escalation pathways defined with Sym's Python SDK, with most of the request-approve cycle taking place in Sym's Slack app.


All Sym Approval Flows follow the same series of steps, any of which can be altered or overridden via Hooks and Reducers in the Python SDK.

The five steps of a Sym Approval flow are:

  • Prompt: a user sees all available Sym Access Targets
  • Request: a user selects a Target and their request is routed for approval
  • Approve/Deny: the request is resolved, either by human action or by an SDK rule
  • Escalate: if approved, the user's access is escalated in the Target system
  • Deescalate: after the Duration elapses, the user's access is deescalated

Flows can be triggered via Slack or API; all human steps take place in Slack; and the escalate/deescalate cycle is handled via Sym platform integrations.

As requests move through the Sym system, every event is logged for audit purposes. These audit events are made available via the Reporting Framework, which can be connected downstream to any number of customer-owned destinations.


📘 Sym Flows can be kicked off via API, too

Sym's Events API can be used instead of Slack to move through the Prompt + Request stages of a Sym Flow.

Step details

prompt

The prompt event fires when a user indicates their desire to request access to a resource (e.g. by using the /sym request Slack command). It reads the set of Targets from the Strategy specified in your Terraform.

request

The request event fires when a user has selected a Target to request access to and completed the required fields.

It reads the set of approvers to present the request to from the get_approvers reducer.

It also reads the expiration time for this request from the get_timeout reducer and schedules an expire event accordingly.

approve

The approve event fires when a user's request to access a given Target has been approved.

deny

The deny event fires when a user has been denied access to a given Target.

escalate

The escalate event fires when a user has successfully been granted access to a Target via a Strategy.

deescalate

The deescalate event fires when a user's access to a Target has expired or has successfully been revoked.

Example Terraform

resource "sym_flow" "this" {
  name  = "okta"
  label = "Okta Group Request"

  # The template specifies that this is an Approval Flow
  template = "sym:template:approval:1.0.0"

  # The implementation file contains the Python Hooks and Reducers for this Flow
  implementation = "${path.module}/impl.py"
  environment_id = sym_environment.this.id

  params = {
    # Specifying a strategy turns the Approval Flow into an Access Flow that
    # manages access to the Targets defined by that strategy.
    strategy_id = sym_strategy.okta.id

    # prompt_fields_json defines custom form fields for the Slack modal that
    # requesters fill out to make their requests.
    prompt_fields_json = jsonencode([
      {
        name     = "reason"
        label    = "Why do you need access?"
        type     = "string"
        required = true
      },
      {
        name           = "duration"
        type           = "duration"
        allowed_values = ["30m", "1h"]
        required       = true
      }
    ])
  }
}
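The six events in the step details and the duration field in the Terraform above fit together as one cycle. The Python below is an added illustration, not Sym's SDK and not the project's impl.py: a toy engine that looks each step's handler up in a registry and falls back to a default, so the effect of overriding get_approvers, get_timeout and on_request can be run offline. Everything in it, from the @hook/@reducer decorators and the Flow class to the targets, users and durations, is constructed for the example; in a real Flow the handlers live in impl.py and are invoked by Sym.

```python
# Toy model of the prompt -> request -> approve/deny -> escalate -> deescalate cycle.
# Added illustration, not Sym's SDK: the @hook/@reducer registry, the Flow engine with its
# fake clock, and every target, user and request below are constructed stand-ins. Only the
# step names and the reducer names get_approvers / get_timeout follow the page.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

HANDLERS: dict[str, Callable] = {}  # Workflow Handlers; a step uses its default if none is set
UNITS = {"m": 60, "h": 3600, "d": 86400}


def hook(fn: Callable) -> Callable:
    HANDLERS[fn.__name__] = fn
    return fn


reducer = hook  # same registry: a reducer returns a value, a hook may short-circuit a step


def parse_duration(text: str) -> int:
    """'30m' -> 1800, '1h' -> 3600; anything else is rejected rather than defaulted."""
    if len(text) < 2 or text[-1] not in UNITS or not text[:-1].isdigit():
        raise ValueError(f"bad duration {text!r}")
    return int(text[:-1]) * UNITS[text[-1]]


@dataclass
class Request:
    user: str
    target: str
    fields: dict
    status: str = "requested"
    approvers: list[str] = field(default_factory=list)
    timeout: int = 0
    expires_at: int = 0
    audit: list[str] = field(default_factory=list)  # one line per step, for reporting


class Flow:
    def __init__(self, targets: list[str]) -> None:
        self.targets, self.now, self.active = targets, 0, []  # `now`: fake clock, seconds

    def _log(self, req: Request, event: str, actor: str) -> None:
        req.audit.append(f"t={self.now} {event} {req.user}->{req.target} by={actor}")

    def request(self, user: str, target: str, fields: dict) -> Request:
        if target not in self.targets:  # prompt: only Targets the Strategy exposes
            raise ValueError(f"unknown target {target!r}")
        req = Request(user, target, fields)
        self._log(req, "request", user)
        req.approvers = HANDLERS.get("get_approvers", lambda r: ["#sym-requests"])(req)
        req.timeout = HANDLERS.get("get_timeout", lambda r: 3600)(req)  # the scheduled expire
        on_request = HANDLERS.get("on_request")  # an SDK rule may resolve it without a human
        if on_request is not None and on_request(req) == "approve":
            self.approve(req, actor="sdk-rule")
        return req

    def resolve(self, req: Request, actor: str, verdict: str) -> Request:
        if req.status != "requested":
            raise ValueError(f"cannot {verdict} a {req.status} request")
        # Only a listed approver or an SDK rule may resolve; a requester never self-approves.
        if actor != "sdk-rule" and (actor not in req.approvers or actor == req.user):
            raise PermissionError(f"{actor} may not {verdict} this request")
        req.status = {"approve": "approved", "deny": "denied"}[verdict]
        self._log(req, verdict, actor)
        return req

    def approve(self, req: Request, actor: str) -> Request:
        self.resolve(req, actor, "approve")
        req.status, req.expires_at = "escalated", self.now + req.timeout
        self.active.append(req)
        self._log(req, "escalate", "strategy")
        return req

    def tick(self, now: int) -> list[Request]:
        """Advance the clock; every expire event that is due deescalates its Request."""
        self.now = now
        for req in [r for r in self.active if r.expires_at <= now]:
            self.active.remove(req)
            req.status = "deescalated"
            self._log(req, "deescalate", "strategy")
        return list(self.active)


@reducer  # constructed routing policy standing in for an impl.py
def get_approvers(req: Request) -> list[str]:
    return ["sec-lead-a", "sec-lead-b"] if "prod" in req.target else ["team-lead"]


@reducer
def get_timeout(req: Request) -> int:
    return parse_duration(req.fields["duration"])  # the Slack modal's "duration" field


@hook
def on_request(req: Request) -> str | None:
    return "approve" if req.target.endswith("-readonly") else None  # SDK rule: no human needed


def demo() -> dict[str, str]:
    flow = Flow(["okta-prod", "okta-readonly"])
    a = flow.approve(flow.request("alice", "okta-prod", {"duration": "30m"}), "sec-lead-a")
    b = flow.request("bob", "okta-readonly", {"duration": "1h"})  # auto-approved by on_request
    c = flow.resolve(flow.request("carol", "okta-prod", {"duration": "1h"}), "sec-lead-b", "deny")
    flow.tick(1800)  # alice's 30m expire event fires; bob's 1h one is not yet due
    return {"alice": a.status, "bob": b.status, "carol": c.status, "audit": " | ".join(a.audit)}
```

Two checks in the toy engine are worth carrying into real handlers: a request is only resolved when the actor is one of the approvers the reducer returned and is not the requester, and a duration the parser does not recognise raises instead of quietly falling back to a longer default, so a malformed value can never turn into a longer grant than the requester asked for.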
