The Sym State Machine

The sym:approval template has several steps, each of which has a default implementation. You can override these implementations by implementing Workflow Handlers.


All Sym Approval Flows follow the same series of steps, any of which can be altered or overridden via Hooks and Reducers in the Python SDK.

The five steps of a Sym Approval flow are:

  • Prompt: a user sees all available Sym Access Target
  • Request: a user selects a Target and their request is routed for Approval
  • Approve/Deny: the Request is resolved, either by human action or an SDK rule
  • Escalate: If approved, the user's access is escalated in the Target system
  • Deescalate: After a Duration, the user's access is deescalated

All human steps take place in Slack, and the escalate/deescalate cycle is handled via Sym platform integrations.

Step details


The prompt event fires when a user indicates their desire to request access to a resource (e.g. by using the /sym request Slack command). It reads the set of Targets from the Strategy specified in your Terraform.


The request event fires when a user has selected a Target to request access to, completing the necessary fields.

It reads the set of approvers to present the request to from the get_approvers reducer.

It also reads the expiration time for this request from the get_timeout reducer, and schedules an expire event accordingly.


The approve event fires when a user's request to access a given Target has been approved.


The deny event fires when a user has been denied access to a given Target.


The escalate event fires when a user has successfully been granted access to a Target, via a Strategy.


The deescalate event fires when a user's access to a Target has successfully been revoked.

Did this page help you?