Sym Flows are buildable, configurable, auditable workflows that you can run in Slack to request and approve access to production infrastructure and resources.
Sym Flows allow users to request temporary and auto-expiring access to sensitive resources. The requests are routed through fully-customizable escalation pathways via Sym's Python SDK, with the majority of the request-approve cycle taking place in Sym's Slack app.
Steps of a Sym Flow
All Sym Flows follow the same series of steps:
- Prompt: a user sees all available Access Targets
- Request: a user selects a Target and their request is routed for Approval
- Approve/Deny: the Request is resolved, either by human action or an SDK rule
- Escalate: if approved, the user's access is escalated in the Target system
- Deescalate: after a duration, the user's access is deescalated
Flows can be triggered via Slack or API; all human steps take place in Slack; and the escalate/deescalate cycle is handled via Sym's various integrations.
Sym Flows can be kicked off via API, too
Sym's Events API can be used instead of Slack to move through the Prompt + Request stages of a Sym Flow.
Audit and reporting
As a request moves through Sym, every step is logged for audit and reporting purposes. These audits are made available via the Reporting Framework, which can be connected downstream to any number of customer-owned destinations. The most common configurations are:
- Logging to Datadog
- Logging via AWS Kinesis Firehose, with reports viewed in AWS Athena
Approval-only Flows enable you to use Sym as an approval gate, but without explicit escalation or deescalation of privileged access.
In an Approval-only Flow, no Targets are specified. Instead, Sym will collect information from the requestor, present any approvers with the normal Approve/Deny dialog, and record the result for audit and reporting. Approval-only Flows can also be customized with Python SDK code at any step, the most common use for which is running AWS Lambdas in a safe, auditable context.
Approval-Only Flows must omit strategy_id
If strategy_id is included, Sym will assume you are creating an Access Flow. If strategy_id is omitted, then duration must not be included in the
For more information, see our Terraform Provider Docs.