What are Access Flows?

Using dynamic, fine-grained Access Flows for JIT access management and control

Intro

An Access Flow is an automated, dynamic permissions workflow. It lets admins define which granular permissions, on which set of resources, a user may receive, based on context, according to an approval policy and for a specified period of time.

In contrast to traditional, static policies, Access Flows are dynamic: their scope is expressed with groups, tags, the Exclude function and the native cloud hierarchies, so it follows changes in your environment rather than a fixed list of resources.

📘 Note

Permissions defined in an Access Flow are not granted automatically to the users it covers.
A user must request them through the integrated communication channel (Slack or Teams), the CLI or the magic link. Access is granted only after the request has been made and, depending on the Access Flow, approved.

How it works

Each Access Flow has 5 basic components:

  1. Who can request the access?
  2. What can they request access to?
  3. What permissions are they allowed to request?
  4. How long should they have access for?
  5. How should access be approved (automatically or by one or more users)?

Cloud resources

Apono continuously syncs with your integrations to get the most updated data about your environment. As resources are created, changed and deleted, Apono evolves with your organization.

Apono syncs:

  1. Cloud hierarchies
  2. Resources and cloud services
  3. Paths
  4. Permissions to each resource type

When you pick a scope of resources for your Access Flow, pick one resource type per line (add as many lines as you need).

Then pick the resources you want to include in the Access Flow. You may pick specific resources or create a dynamic scope by using tags and the Exclude feature.

Dynamic Context

Apono leverages context from your cloud applications to help you build more dynamic and flexible Access Flows.

We sync data on:

  1. Organizational groups and managers from your IdP
  2. Cloud resource tags from different cloud providers
  3. Time zones, working hours, on-call schedule from incident response tools

These attributes are fully dynamic: Apono continuously syncs each of them with the source of truth for that context (the IdP, the cloud provider or the incident response tool), so an Access Flow follows changes such as a user joining a group or a tag being added to a resource.

Context can be used:

  • To set requesters (users from your IdP, group from your IdP, on-call shifts)
  • To set a scope of resources (using tags)
  • To set approvers (using users, groups and managers from your IdP, and shift members from your incident response tool)

Access Duration

The access duration is how long the permissions remain valid: from the moment they are granted to the user until they expire and are revoked by Apono.

  • When the access duration set in the Access Flow is up, Apono automatically revokes the access.
  • Before access expires, the user receives a notification through Slack or Teams that the granted permissions are about to be revoked.
  • If an indefinite timeframe is chosen, the permissions are not revoked once granted unless an Admin revokes them manually (see the Activity page to revoke active access).

Learn more about revoking access here.

Approvers

Each Access Flow specifies if:

  • Access should be approved automatically
  • Access should be approved by users in the organization

Usually, access to sensitive or critical resources should be approved manually, by one or more approvers:

  • A specific user in the organization
  • A member of a group
  • A member of an on-call shift
  • The requester's manager

When handling extra-sensitive resources, higher environments such as production, strong permissions or customer tenants/data, several approvers can be required. In that case the request is granted only when every condition configured in the Access Flow holds:

    1. All specified users
      AND
    2. At least one member of each group
      AND
    3. The user's manager
      AND
    4. At least one member of each shift
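The two mechanics described above, a dynamic resource scope (tag match plus Exclude, one resource type per scope line) and a combined approval policy (all named users AND at least one member of each group AND the manager AND at least one member of each shift), can be hard to reason about from prose alone. The following is an added illustration written for this page in Python; it is not Apono's own code or API. The class names (Resource, Scope, Directory, ApprovalPolicy), the sample directory and resources, and the rule that a requester never counts as their own approver are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Resource:
    name: str
    rtype: str   # resource type, e.g. "rds-postgres"; one type per scope line
    tags: dict   # cloud tags as synced from the provider


@dataclass
class Scope:
    """One scope line: a single resource type, picked by name or by tag, minus excludes."""
    rtype: str
    match_tags: dict = field(default_factory=dict)  # every listed tag must match
    explicit: frozenset = frozenset()               # resources picked by name
    exclude: frozenset = frozenset()                # names removed from the scope

    def contains(self, r: Resource) -> bool:
        if r.rtype != self.rtype or r.name in self.exclude:
            return False
        if r.name in self.explicit:
            return True
        return bool(self.match_tags) and all(
            r.tags.get(k) == v for k, v in self.match_tags.items()
        )


@dataclass
class Directory:
    """Snapshot of synced context: IdP groups and managers, on-call shifts."""
    groups: dict    # group name -> set of users
    shifts: dict    # shift name -> set of users currently on call
    managers: dict  # user -> manager


@dataclass
class ApprovalPolicy:
    users: frozenset = frozenset()  # ALL of these must approve
    groups: tuple = ()              # at least one member of EACH group
    shifts: tuple = ()              # at least one member of EACH shift
    require_manager: bool = False   # the requester's manager must approve

    @property
    def automatic(self) -> bool:
        return not (self.users or self.groups or self.shifts or self.require_manager)

    def is_satisfied(self, requester: str, approvers: set, d: Directory) -> bool:
        if self.automatic:
            return True
        # Assumption for this example: a requester never counts as their own approver.
        approvers = set(approvers) - {requester}
        if not self.users <= approvers:
            return False
        if any(not (d.groups.get(g, set()) & approvers) for g in self.groups):
            return False
        if any(not (d.shifts.get(s, set()) & approvers) for s in self.shifts):
            return False
        if self.require_manager and d.managers.get(requester) not in approvers:
            return False
        return True


def expires_at(granted_at: datetime, hours: Optional[float]) -> Optional[datetime]:
    """hours=None models an indefinite timeframe: no automatic revocation."""
    return None if hours is None else granted_at + timedelta(hours=hours)


# Constructed sample data for the example (not real infrastructure or users).
DIRECTORY = Directory(
    groups={"dba": {"maya", "omar"}, "security": {"lee"}},
    shifts={"primary-oncall": {"omar"}},
    managers={"alice": "bob"},
)
RESOURCES = [
    Resource("orders-db", "rds-postgres", {"env": "prod", "team": "payments"}),
    Resource("orders-db-replica", "rds-postgres", {"env": "prod", "team": "payments"}),
    Resource("staging-db", "rds-postgres", {"env": "staging", "team": "payments"}),
    Resource("payments-bucket", "s3-bucket", {"env": "prod", "team": "payments"}),
]
PROD_DB_SCOPE = Scope("rds-postgres", match_tags={"env": "prod"},
                      exclude=frozenset({"orders-db-replica"}))
STRICT_POLICY = ApprovalPolicy(users=frozenset({"lee"}), groups=("dba",),
                               shifts=("primary-oncall",), require_manager=True)
GRANTED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def in_scope(scope: Scope) -> list:
    """Names of the sample resources the scope currently resolves to."""
    return sorted(r.name for r in RESOURCES if scope.contains(r))


if __name__ == "__main__":
    print(in_scope(PROD_DB_SCOPE))
    print(STRICT_POLICY.is_satisfied("alice", {"lee", "omar", "bob"}, DIRECTORY))
    print(STRICT_POLICY.is_satisfied("alice", {"lee", "maya", "bob"}, DIRECTORY))
    print(expires_at(GRANTED_AT, 2), expires_at(GRANTED_AT, None))
```

Two details are worth noticing. The scope is recomputed from the current tags each time it is evaluated, so adding env=prod to a new database brings it into scope without editing the Access Flow, and a replica listed under Exclude stays out even when its tags match. The second is_satisfied call fails although four people approved: the policy is a conjunction, so a missing on-call approver blocks the grant regardless of how many group members signed off.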

See it in action

Start building Access Flows here