sym:approval

The approval template allows you to grant temporary access to sensitive resources like EC2 instances, S3 buckets, or databases.

The sym:approval template allows users to request temporary, auto-expiring access to sensitive resources, called Targets. Requests are routed through fully customizable escalation pathways, and a variety of community Targets are available.

The sym:approval Template is defined at sym.sdk.templates.ApprovalTemplate.

Params

Flows that inherit from sym:approval require you to specify the following parameters.

Name          Description
strategy_id   The ID of a Strategy. A Strategy has a set of Targets, and knows how to grant access to them.
fields        A field allows you to collect information from a user who's requesting access to a resource.

params = {
  strategy_id = sym_strategy.okta.id   # references a sym_strategy resource declared elsewhere

  fields = [{
    name     = "reason"
    type     = "string"
    required = true
  }, {
    name           = "urgency"
    type           = "list"
    label          = "Urgency"
    required       = false
    allowed_values = ["Low", "Medium", "High"]
  }]
}

Steps

This template has several steps, each of which has a default implementation. You can override these implementations by implementing hooks in a Flow that inherits from sym:approval.

prompt

The prompt event fires when a user indicates their desire to request access to a resource (e.g. by using the /sym request Slack command). It reads the set of Targets from the Strategy specified in your Terraform.

request

The request event fires when a user has selected a Target to request access to and has completed the necessary fields.

It reads the set of approvers to present the request to from the get_approvers reducer, and the title and body of the message sent to those approvers from the get_title and get_message reducers.

It also reads the expiration time for this request from the get_timeout reducer, and schedules an expire event accordingly.

approve

The approve event fires when a user's request to access a given Target has been approved.

deny

The deny event fires when a user has been denied access to a given Target.

escalate

The escalate event fires when a user has successfully been granted access to a Target, via a Strategy.

deescalate

The deescalate event fires when a user's access to a Target has successfully been revoked.

Reducers

There are also several reducers available.

get_approvers

The only required reducer. Accepts an Event with a user and a target, and returns either a single User-like object, or a list of User-like objects.

get_timeout

Optional. Returns a datetime.timedelta indicating how long a request should remain pending before expiring.

get_title

Optional. Returns a string which customizes the title of the message sent to approvers.

get_message

Optional. Returns a string which customizes the body of the message sent to approvers.
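As an added example (not Sym's code and not the Sym SDK), here is a constructed Python model of the lifecycle above: prompt lists the Strategy's Targets, request resolves approvers and a timeout through the get_approvers and get_timeout reducers, and approve, deny, expire and deescalate move the request between states, with the check that only an approver returned by the reducer may decide. ApprovalFlow, Request and the state names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the sym:approval steps and reducers described above.
# It is not the Sym SDK: every class and method name here is this example's own.

@dataclass
class Request:
    requester: str
    target: str
    approvers: list
    expires_at: datetime  # when the pending request expires (scheduled from get_timeout)
    state: str = "pending"  # pending | denied | expired | escalated | deescalated

class ApprovalFlow:
    def __init__(self, targets, get_approvers, get_timeout=lambda event: timedelta(hours=1)):
        self.targets = set(targets)  # Targets the prompt step reads from the Strategy
        self.get_approvers = get_approvers  # the one required reducer
        self.get_timeout = get_timeout  # optional reducer, defaulting to one hour

    def prompt(self):
        return sorted(self.targets)

    def request(self, requester, target, now):
        if target not in self.targets:
            raise ValueError(f"unknown target {target}")
        event = {"user": requester, "target": target}
        approvers = self.get_approvers(event)  # a single User-like or a list of them
        approvers = [approvers] if isinstance(approvers, str) else list(approvers)
        return Request(requester, target, approvers, now + self.get_timeout(event))

    def expire(self, req, now):
        if req.state == "pending" and now >= req.expires_at:
            req.state = "expired"
        return req.state

    def decide(self, req, approver, approved, now):
        """approve / deny: only a listed approver may decide, and only while pending."""
        if self.expire(req, now) != "pending":
            raise RuntimeError(f"request is {req.state}, not pending")
        if approver not in req.approvers:
            raise PermissionError(f"{approver} is not an approver for this request")
        req.state = "escalated" if approved else "denied"  # approve -> escalate via Strategy
        return req.state

    def deescalate(self, req):
        if req.state == "escalated":  # revoke only access that was actually granted
            req.state = "deescalated"
        return req.state
```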


What’s Next

Use this template in a Flow! Learn how below.