The approval template allows you to grant temporary access to sensitive resources like EC2 instances, S3 buckets, or databases.

The sym:approval Template allows users to request temporary, auto-expiring access to sensitive resources, called Targets. Requests are routed through fully customizable escalation pathways, and a variety of community Targets are available.


The sym:approval Template is defined at sym.sdk.templates.ApprovalTemplate.



Flows that inherit from sym:approval require you to specify the following parameters.




strategy_id: The ID of a Strategy. A Strategy has a set of Targets, and knows how to grant access to them.


fields: Each field collects a piece of information from a user who is requesting access to a resource.

params = {
    strategy_id =

    fields = [{
      name = "reason"
      type = "string"
      required = true
    }, {
      name = "urgency"
      type = "list"
      label = "Urgency"
      required = false
      allowed_values = [ "Low", "Medium", "High" ]
    }]
}


This template has several steps, each of which has a default implementation. You can override these implementations by implementing hooks in a Flow that inherits from sym:approval.


The prompt event fires when a user indicates their desire to request access to a resource (e.g. by using the /sym request Slack command). It reads the set of Targets from the Strategy specified in your Terraform.


The request event fires when a user has selected a Target to request access to, completing the necessary fields.

It reads the set of approvers to present the request to from the get_approvers reducer, and the text for the message to send to approvers from the get_title and get_message reducers.

It also reads the expiration time for this request from the get_timeout reducer, and schedules an expire event accordingly.


The approve event fires when a user's request to access a given Target has been approved.


The deny event fires when a user has been denied access to a given Target.


The escalate event fires when a user has successfully been granted access to a Target, via a Strategy.


The deescalate event fires when a user's access to a Target has successfully been revoked.


There are also several reducers available.


get_approvers: The only required reducer. Accepts an Event with a user and a target, and returns either a single User-like object, or a list of User-like objects.


get_timeout: Optional. Returns a datetime.timedelta indicating how long a request should remain pending before expiring.


get_title: Optional. Returns a string which customizes the title of the message sent to approvers.


get_message: Optional. Returns a string which customizes the body of the message sent to approvers.
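
The four reducers described above, as an added sketch that is not Sym's own code and does not import the SDK. The User and Event classes, the `fields` attribute, the routing table and the e-mail addresses are assumed stand-ins; the "reason" and "urgency" names come from the fields defined in the Terraform above.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Stand-ins for the SDK's User and Event objects (assumed shapes, not sym.sdk).
@dataclass(frozen=True)
class User:
    email: str

@dataclass
class Event:
    user: User      # the requester
    target: str     # name of the Target selected in the request
    fields: dict = field(default_factory=dict)  # values of the Flow's fields

# Constructed routing table: Target name -> users allowed to approve it.
APPROVERS = {
    "prod-db": [User("dba@example.com"), User("alice@example.com")],
    "s3-logs": [User("alice@example.com")],
}
FALLBACK = User("security-oncall@example.com")

def get_approvers(event):
    """Required. Approvers for this Target, never including the requester."""
    candidates = [u for u in APPROVERS.get(event.target, []) if u != event.user]
    # A list of User-like objects, or a single one when nobody else qualifies.
    return candidates or FALLBACK

def get_timeout(event):
    """Optional. How long the request may stay pending before it expires."""
    by_urgency = {"High": timedelta(minutes=15), "Medium": timedelta(hours=1)}
    return by_urgency.get(event.fields.get("urgency"), timedelta(hours=8))

def get_title(event):
    """Optional. Title of the message sent to approvers."""
    urgency = event.fields.get("urgency", "Low")
    return f"[{urgency}] {event.user.email} requests {event.target}"

def get_message(event):
    """Optional. Body of the message sent to approvers."""
    return f"Reason: {event.fields['reason']}"  # "reason" is a required field
```

Removing the requester from the approver list keeps a user who is also an approver for a Target from approving their own request.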
