Welcome to the Sym docs!

Sym is the security workflow platform made for engineers, by engineers. We build primitives for best-practice controls so you don't have to!

If you're not sure where to start, check out Sym Concepts, or read the Sym Manifesto.
If you're implementing a Sym Flow, you might also want to check out our SDK Docs.

sym:approval

The approval template allows you to grant temporary access to sensitive resources like EC2 instances, S3 buckets, or databases.

The sym:approval Template lets users request temporary, auto-expiring access to sensitive resources, called Targets. Requests are routed through fully customizable escalation pathways, and a variety of community Targets are available.

The sym:approval Template is defined at sym.sdk.templates.ApprovalTemplate.

Params

Flows that inherit from sym:approval require you to specify the following parameters.

| Name | Description |
| --- | --- |
| strategy_id | The ID of a Strategy. A Strategy has a set of Targets, and knows how to grant access to them. |
| fields | A field allows you to collect information from a user who's requesting access to a resource. |

    params = {
      strategy_id = sym_strategy.okta.id

      fields = [{
        name     = "reason"
        type     = "string"
        required = true
      }, {
        name           = "urgency"
        type           = "list"
        label          = "Urgency"
        required       = false
        allowed_values = ["Low", "Medium", "High"]
      }]
    }

Steps

This template has several steps, each of which has a default implementation. You can override these implementations by implementing hooks in a Flow that inherits from sym:approval.

prompt

The prompt event fires when a user indicates their desire to request access to a resource (e.g. by using the /sym request Slack command). It reads the set of Targets from the Strategy specified in your Terraform.

request

The request event fires when a user has selected a Target to request access to, completing the necessary fields.

It reads the approvers who will receive the request from the get_approvers reducer, and the text of the message sent to them from the get_title and get_message reducers.

It also reads the expiration time for this request from the get_timeout reducer, and schedules an expire event accordingly.

approve

The approve event fires when a user's request to access a given Target has been approved.

deny

The deny event fires when a user has been denied access to a given Target.

escalate

The escalate event fires when a user has successfully been granted access to a Target, via a Strategy.

deescalate

The deescalate event fires when a user's access to a Target has successfully been revoked.

Reducers

There are also several reducers available.

get_approvers

The only required reducer. Accepts an Event with a user and a target, and returns either a single User-like object, or a list of User-like objects.

get_timeout

Optional. Returns a datetime.timedelta indicating how long a request should remain pending before expiring.

get_title

Optional. Returns a string which customizes the title of the message sent to approvers.

get_message

Optional. Returns a string which customizes the body of the message sent to approvers.
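
The four reducers sketched as plain Python, added here as an example and not Sym's own code: `User`, `Event`, the roster and the timeout values are stand-ins assumed for illustration (a real Flow receives the SDK's objects). It routes on the `reason` and `urgency` fields from the params above and never returns the requester as their own approver.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Stand-in types (assumptions, not the SDK's classes).
@dataclass(frozen=True)
class User:
    email: str

@dataclass
class Event:
    user: User                                   # the requester
    target: str                                  # name of the requested Target
    fields: dict = field(default_factory=dict)   # "reason" / "urgency" values

# Constructed roster per Target; replace with your own source of truth.
APPROVERS = {
    "prod-db": [User("alice@example.com"), User("bob@example.com")],
    "staging-db": [User("carol@example.com")],
}
FALLBACK = [User("security-oncall@example.com")]

# Pending window per allowed urgency value; a missing value is treated as Low.
TIMEOUTS = {"High": timedelta(minutes=15),
            "Medium": timedelta(hours=1),
            "Low": timedelta(hours=8)}

def get_approvers(event):
    """Required reducer: approvers for the Target, excluding the requester."""
    for pool in (APPROVERS.get(event.target, []), FALLBACK):
        approvers = [u for u in pool if u != event.user]
        if approvers:
            return approvers
    raise ValueError("no approver other than the requester")

def get_timeout(event):
    """Optional reducer: how long the request may stay pending."""
    return TIMEOUTS.get(event.fields.get("urgency"), TIMEOUTS["Low"])

def get_title(event):
    """Optional reducer: title of the message sent to approvers."""
    urgency = event.fields.get("urgency") or "Unspecified"
    return f"[{urgency}] {event.user.email} requests {event.target}"

def get_message(event):
    """Optional reducer: body text; the free-text reason is flattened and capped."""
    reason = " ".join(str(event.fields.get("reason", "")).split())[:200]
    return f"Reason: {reason or '(none given)'}"
```

Falling back to a second pool, and failing closed when that pool is also only the requester, keeps a sole owner of a Target from approving their own request.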

Updated 11 days ago

