What are Access Flows?
Learn about access flows for JIT access management and control
An access flow is an automated, dynamic permissions workflow that allows admins to define context-based permissions for resources, according to an approval policy and for a specified time.
In contrast to traditional static policies, access flows are dynamic, using groups, tags, exclusion settings, and native cloud hierarchies.
Permissions defined in an access flow are not automatically granted to the user. Users can request permissions through Slack, Teams, CLI, or the Apono Web Portal. Access is only granted upon approval as specified in the access flow.
Access flows consist of four components that determine how access is granted and managed within your system.
| Component | Description |
| --- | --- |
| Resource and Integration Owners | Individual roles or groups responsible for approving and rejecting access to a resource or integration |
| Permissions | Level of access that requests can receive. Setting clear permissions helps maintain security by preventing excessive access and ensuring that users only receive the rights they need. Permissions can range from read-only access to full administrative privileges, depending on the requester's role and the resource. |
| Access Duration | Period during which access is open to requestors |
| Approval Type | Process through which access is granted. The approval type ensures that an efficient and secure access check is in place. |
Apono continuously syncs with your integrations to get updated data about your environment. As resources are created, changed, and deleted, Apono evolves with your organization.
Apono syncs all the following cloud resources:
Cloud hierarchies
Resources and cloud services
Paths
Permissions to each resource type
Apono leverages context from your cloud applications to help you build dynamic and flexible access flows.
To gain context, Apono syncs data from:
Organizational groups and managers in your identity provider (IdP)
Cloud resource tags from different cloud providers
Time zones, working hours, and on-call schedules from incident response tools
These attributes remain fully dynamic, as Apono continuously updates them from the original source.
You can use dynamic context in your access flow to define the following components:
Requesters (based on your IdP users or groups and on-call shifts)
Scope of resources (based on cloud tags)
Approvers (based on users, groups and managers from your IdP, and shift members from your incident response tool)
Your access flow specifies whether access requests should be approved automatically by Apono or manually by users in your organization.
Typically, access to sensitive resources should be approved manually by one or more of the following parties:
An organization admin
A member of an on-call shift
Another member of the requested group
When handling extremely sensitive resources, permissions, and data, you can require several approvers:
All specified users
The requester's manager
A minimum of one member of each group
A minimum of one member of each on-call shift
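As an added illustration (not Apono's own code or data model), the following Python snippet models the multi-approver rules above: it takes constructed IdP and on-call data, discounts the requester's own approval, and reports which requirements a given set of approvals still leaves unmet, then computes when a time-bound grant expires.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed directory data standing in for what an IdP and an incident
# response tool would provide (example only, not Apono's data model).
MANAGER_OF = {"alice": "bob"}
GROUP_MEMBERS = {"dba": {"carol", "dan"}, "security": {"erin"}}
ONCALL_SHIFTS = {"platform-primary": {"frank", "bob"}}


@dataclass
class ApprovalPolicy:
    """Approval requirements for an access flow; all listed conditions must hold."""
    required_users: set[str] = field(default_factory=set)  # every listed user must approve
    require_manager: bool = False                          # the requester's manager must approve
    groups: set[str] = field(default_factory=set)          # at least one member of each group
    shifts: set[str] = field(default_factory=set)          # at least one member of each on-call shift


def missing_approvals(policy: ApprovalPolicy, requester: str, approvers: set[str]) -> list[str]:
    """Return the unmet requirements in policy order; an empty list means access may be granted."""
    # A requester never counts as their own approver.
    approvers = approvers - {requester}
    unmet = [f"user:{u}" for u in sorted(policy.required_users - approvers)]
    if policy.require_manager:
        manager = MANAGER_OF.get(requester)
        if manager is None or manager not in approvers:
            unmet.append("manager")
    for group in sorted(policy.groups):
        if not GROUP_MEMBERS.get(group, set()) & approvers:
            unmet.append(f"group:{group}")
    for shift in sorted(policy.shifts):
        if not ONCALL_SHIFTS.get(shift, set()) & approvers:
            unmet.append(f"shift:{shift}")
    return unmet


def grant_expiry(approved_at: datetime, duration_minutes: int) -> datetime:
    """Access is granted for a fixed window; return the instant it must be revoked."""
    return approved_at + timedelta(minutes=duration_minutes)


if __name__ == "__main__":
    policy = ApprovalPolicy(required_users={"erin"}, require_manager=True,
                            groups={"dba"}, shifts={"platform-primary"})
    print(missing_approvals(policy, "alice", {"erin", "bob", "carol"}))
    print(grant_expiry(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), 60))
```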
For more information, see .
Apono provides both automatic and self-serve access flow workflows. Automatic access flows auto-approve requests based on predefined rules, while self-serve access flows require approval from a manager or administrator.