Sym Approval Flows

Sym's Approval Flows let you to grant temporary access to sensitive resources in no time.


Sym's Approval Flows allow users to request temporary and auto-expiring access to sensitive resources. The requests are routed through fully-customizable escalation pathways via Sym's Python SDK, with the majority of the request-approve cycle taking place in Sym's Slack app.

As requests move through the Sym system, all events are logged for audit purposes. These audits are made available via Kinesis, which can then be connected downstream to any number of customer-owned destinations. For more information on logging, see: Reporting Overview.

Flow anatomy

Approval Flows all extend a base template, and are constructed of three key elements:


What it defines


  • Name of the Flow
  • Path to SDK implementation
  • Flow Params, including the strategy used by the Flow and the fields an end-user will see.


  • Type, e.g. aws_iam, okta, custom
  • A list of targets


  • Type, e.g. aws_iam_role
  • Settings (e.g. arn), which will be dependent on Type.

For a full list of first-party Strategies, see Sym Access Targets; for custom Strategy reference, see Custom Integrations.

In addition, a Flow is likely to contain reference to an environment, which itself will contain a collection of integrations common to one or more Flows (e.g. Slack and PagerDuty).


The sym:approval Template is defined at sym.sdk.templates.approval.html.

Did this page help you?