Sym Flows

Sym Flows are buildable, configurable, auditable workflows that you can run in Slack to request and approve access to production infrastructure and resources.


Sym Flows allow users to request temporary and auto-expiring access to sensitive resources. The requests are routed through fully-customizable escalation pathways via Sym's Python SDK, with the majority of the request-approve cycle taking place in Sym's Slack app.


Steps of a Sym Flow

All Sym Flows follow the same series of steps:

  • Prompt: a user sees all available Access Targets
  • Request: a user selects a Target and their request is routed for Approval
  • Approve/Deny: the Request is resolved, either by human action or an SDK rule
  • Escalate: If approved, the user's access is escalated in the Target system
  • Deescalate: After a duration, the user's access is deescalated.

Flows can be triggered via Slack or API; all human steps take place in Slack; and the escalate/deescalate cycle is handled via Sym's various integrations.


The five steps of a Sym Flow


Sym Flows can be kicked off via API, too

Sym's Events API can be used instead of Slack to move through the Prompt + Request stages of a Sym Flow.

Audit and reporting

As a request moves through Sym, every step is logged for audit and reporting purposes. These audits are made available via the Reporting Framework, which can be connected downstream to any number of customer-owned destinations. The most common configurations are:

Approval-only Flows

Approval-only Flows enable you to use Sym as an approval gate, but without explicit escalation or deescalation of privileged access.


In an Approval-only Flow, no Targets are specified. Instead, Sym will collect information from the requestor, present any approvers with the normal Approve/Deny dialog, and record the result for audit and reporting. Approval-only Flows can also be customized with Python SDK code at any step, the most common use for which is running AWS Lambdas in a safe, auditable context.


A Sym Approval-only Flow


Approval-Only Flows must omit strategy_id and duration

If strategy_id is included, Sym will assume you are creating an Access Flow. If strategy_id is omitted, then duration must not be included in the prompt_fields_json.

For more information, see our Terraform Provider Docs.
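One way to lint a flow's parameters against the strategy_id/duration rule above before applying them, as an added example that is not Sym's own code. It assumes the parameters arrive as a dict and that prompt_fields_json decodes to a list of objects with a "name" key; the function name, the field layout and all sample values are assumptions.

```python
import json

def check_flow_params(params, intended="approval_only"):
    """Return (detected_kind, problems) for one flow's params map.

    detected_kind follows the rule on this page: a flow with strategy_id
    is treated as an Access Flow, one without it as Approval-only.
    """
    has_strategy = params.get("strategy_id") is not None
    detected = "access" if has_strategy else "approval_only"

    # Assumed layout: a JSON-encoded list of {"name": ..., ...} objects.
    try:
        fields = json.loads(params.get("prompt_fields_json", "[]"))
    except (TypeError, ValueError):
        return detected, ["prompt_fields_json is not valid JSON"]
    if not isinstance(fields, list):
        return detected, ["prompt_fields_json must be a JSON list"]
    names = {f.get("name") for f in fields if isinstance(f, dict)}

    problems = []
    if detected != intended:
        # Catches an approval gate that would silently become an Access Flow.
        problems.append(f"intended {intended} flow would be treated as {detected}")
    if not has_strategy and "duration" in names:
        problems.append("duration prompt field present without strategy_id")
    return detected, problems

# Constructed sample parameter maps (not taken from any real configuration).
REASON = {"name": "reason", "type": "string", "required": True}
DURATION = {"name": "duration", "type": "duration"}
SAMPLE_OK = {"prompt_fields_json": json.dumps([REASON])}
SAMPLE_BAD_DURATION = {"prompt_fields_json": json.dumps([REASON, DURATION])}
SAMPLE_HAS_STRATEGY = {
    "strategy_id": "PLACEHOLDER-STRATEGY-ID",
    "prompt_fields_json": json.dumps([REASON, DURATION]),
}

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK),
                          ("bad duration", SAMPLE_BAD_DURATION),
                          ("has strategy", SAMPLE_HAS_STRATEGY)]:
        print(label, check_flow_params(sample))
```
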