What are Access Flows?

Transform your access management with access flows

When managing permissions in dynamic and security-sensitive environments, balancing productivity with protection can be a challenge:

  • Granting users standing access introduces potential security risks

  • Removing all access too early disrupts productivity

How does Apono help you execute secure access management without reducing efficiency?

Apono enables you to define tailored access flows, providing dynamic, just-in-time permissions.


Access flows

Example access flow

Access flows are automated workflows that grant specific, just-in-time permissions to resources based on need and context. With access flows, your organization has granular control over permissions and access duration. This ensures your users have the resources to complete a task while minimizing unnecessary access.

Features

Some of the key features of access flows are listed in the following table.

| Component | Description |
| --- | --- |
| Just-Enough-Access (JEA) | Ensure users only receive permissions they need |
| Just-In-Time (JIT) | Grant access only when it is required, and automatically revoke access when it is no longer needed |
| Role- and Attribute-Based Access Control (RBAC/ABAC) | Adjust access in real-time based on user roles, group membership, and dynamic attributes such as team, shift schedule, or incident |
| Dynamic Access Scopes | Reuse groups of resources and permissions that automatically update as new matching resources are discovered |
| Customizable Approval Workflows | Tailor approval processes based on resource sensitivity and access privilege, ensuring your business runs smoothly while strengthening security where needed |
| Scalability & Automation | Effortlessly handle access management as the number of users, resources and environments increases within an organization |
| Auditable Actions | Maintain detailed logs for compliance and security audits, including an admin audit log for access flows and a full activity log of all access requests |
| Security Features | Evaluate and secure access with tools like MFA, right-sizing, anomaly detection, credential rotation, and user cleanup |


Understanding How Access Flows Work

Access flows integrate seamlessly with your existing infrastructure, leveraging identity attributes, cloud tags, and predefined rules to automate access. You customize each access flow to match the specific needs of your organization.

As an admin user, you define the criteria for each access flow:

  • Specify the resources and permissions included.

  • Identify users who can request access, and whether MFA is required to verify identities.

  • Set the maximum access duration.

  • Choose the automatic or self-serve approval process.

When staff members need access, they follow these steps:

  1. Select the required resources and permissions or bundle.

  2. (If required) Authenticate with MFA.

  3. Enter the desired access duration.

  4. (If required) Provide a reason for access.

  5. Submit the request.

Staff members can submit requests through the Apono Portal, CLI, Backstage, or collaboration platforms like Slack and Teams.

Once a request is submitted, access is automatically approved or rejected unless manual approval is required. Staff members are notified of access decisions immediately.

After access is granted, permissions are automatically revoked when the access duration expires.
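
The request lifecycle described above, modelled as an added example (not Apono's code or API). The `AccessFlow` fields, function names and sample values are hypothetical, and rejecting an over-long request rather than shortening it is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class AccessFlow:              # admin-defined criteria (hypothetical model)
    resources: frozenset       # resource:permission pairs the flow covers
    requesters: frozenset      # users allowed to request through this flow
    max_duration: timedelta    # upper bound on any single grant
    require_mfa: bool
    require_reason: bool
    auto_approve: bool         # False means a human approver must decide

@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime

def evaluate(flow, user, resource, duration, now, mfa_ok=False, reason=""):
    """Return (decision, grant); decision is 'rejected', 'pending' or 'approved'."""
    if user not in flow.requesters or resource not in flow.resources:
        return "rejected", None
    if flow.require_mfa and not mfa_ok:
        return "rejected", None
    if flow.require_reason and not reason.strip():
        return "rejected", None
    # Assumption: a request above the cap is rejected, not silently shortened.
    if duration <= timedelta(0) or duration > flow.max_duration:
        return "rejected", None
    if not flow.auto_approve:
        return "pending", None  # waits for manual approval, nothing granted yet
    return "approved", Grant(user, resource, now + duration)

def revoke_expired(grants, now):
    """Automatic revocation step: split grants into (active, revoked)."""
    active = [g for g in grants if g.expires_at > now]
    revoked = [g for g in grants if g.expires_at <= now]
    return active, revoked

# Constructed sample data, not taken from any real environment.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
PROD_DB = AccessFlow(
    resources=frozenset({"prod-db:read"}), requesters=frozenset({"alice"}),
    max_duration=timedelta(hours=4),
    require_mfa=True, require_reason=True, auto_approve=True)

if __name__ == "__main__":
    print(evaluate(PROD_DB, "alice", "prod-db:read", timedelta(hours=2), T0,
                   mfa_ok=True, reason="incident triage"))
```
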


Real-World Applications

You can create access flows for any scenario in which access and security are important. Here are several examples.

| Topic | Scenario |
| --- | --- |
| Sensitive Data Access | Troubleshooting Critical Production Issues: Access customer data to assist with troubleshooting or resolving customer issues. Multi-approver workflows ensure access is limited to the relevant subset of data. |
| Dynamic Access | Adding New Resources: New cloud resources are automatically added to access flows based on tags and dynamic scopes like region, account, environment, and naming conventions. For access flows with automatic approval, approved users will immediately gain access to the newly added resources. |
| Offboarding | Offboarding a Staff Member: When a staff member leaves your organization, you can remove that person from a role or group in your IdP (integrated with Apono). The staff member's access will be immediately revoked from resources, and they will no longer be able to gain access through Apono. |
| Incident Response | Outage Investigation: During a downtime event affecting a key feature, on-call engineers can be granted immediate access to critical production environments through an expedited workflow, with all access logs captured for auditing. |


Learn More About Access Flows

Apono provides two types of access flows to meet your specific needs.

| Type | Description | Best Use Cases |
| --- | --- | --- |
| | (Recommended) Automatically grants and revokes access based on predefined rules and user context | Role-based access control (RBAC), lifecycle management |
| | Grants access based on user requests, with time-bound and conditional approvals | Production environments, just-in-time access needs |
