What are Access Flows?

Learn about access flows for JIT access management and control

Last updated 5 months ago

An access flow is an automated, dynamic permissions workflow that allows admins to define context-based permissions for resources, according to an approval policy and for a specified time.

In contrast to traditional static policies, access flows are dynamic, using groups, tags, exclusion settings, and native cloud hierarchies.

Permissions defined in an access flow are not automatically granted to the user.

Users can request permissions through Slack, Teams, the CLI, or the Apono Web Portal. Access is granted only upon approval, as specified in the access flow.

How access flows work

Access flows consist of four components that determine how access is granted and managed within your system.

  • Resource and Integration Owners: Individual roles or groups responsible for approving and rejecting access to a resource or integration.

  • Permissions: Level of access that requesters can receive. Setting clear permissions helps maintain security by preventing excessive access and ensuring that users receive only the rights they need. Permissions can range from read-only access to full administrative privileges, depending on the requester's role and the resource.

  • Access Duration: Period during which access is open to requesters.

  • Approval Type: Process through which access is granted. The approval type ensures that an efficient and secure access check is in place.

Cloud resources

Apono continuously syncs with your integrations to get updated data about your environment. As resources are created, changed and deleted, Apono evolves with your organization.

Apono syncs all the following cloud resources:

  • Cloud hierarchies

  • Resources and cloud services

  • Paths

  • Permissions to each resource type

Dynamic context

Apono leverages context from your cloud applications to help you build dynamic and flexible access flows.

To gain context, Apono syncs data from:

  • Organizational groups and managers in your identity provider (IdP)

  • Cloud resource tags from different cloud providers

  • Time zones, working hours, and on-call schedules from incident response tools

These attributes remain fully dynamic, as Apono continuously updates them from the original source.

You can use dynamic context in your access flow to define the following components:

  • Requesters (based on your IdP users or groups and on-call shifts)

  • Scope of resources (based on cloud tags)

  • Approvers (based on users, groups and managers from your IdP, and shift members from your incident response tool)

Approvers

Typically, access to sensitive resources should be approved manually by one or more of the following parties:

  • An organization admin

  • The resource or integration owner

  • The requester's manager

  • Another member of the requested group

  • A member of an on-call shift

When handling extremely sensitive resources, permissions, and data, you can require several approvers:

  • All specified users

  • The requester's manager

  • A minimum of one member of each group

  • A minimum of one member of each on-call shift

For more information, see Resource and Integration Owners and Access Duration.

Apono provides both automatic and self-serve workflows. Automatic access flows auto-approve requests based on predefined rules, while self-serve access flows require approval from a manager or administrator.

Your access flow specifies whether access requests should be approved automatically by Apono or manually by users in your organization.
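As an added illustration (not Apono's own code), the following Python model evaluates the approval rules described above: all specified users, the requester's manager, at least one member of each group and of each on-call shift, with automatic flows needing no human approval and every grant expiring after its access duration. The policy fields, user names and sample data are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Illustrative model only (not Apono's implementation) of the approval rules and
# time-bound grants described on this page. All names and data are constructed.

@dataclass
class ApprovalPolicy:
    approval_type: str                          # "automatic" or "self-serve"
    required_users: set = field(default_factory=set)   # all of these must approve
    requires_manager: bool = False              # the requester's manager must approve
    groups: dict = field(default_factory=dict)  # group name -> members (one of each)
    shifts: dict = field(default_factory=dict)  # shift name -> on-call members (one of each)

def unmet_requirements(policy, requester_manager, approvers):
    """List the approval conditions that the set of `approvers` does not yet satisfy."""
    if policy.approval_type == "automatic":
        return []                               # approved by predefined rules, no humans
    unmet = []
    missing = policy.required_users - approvers
    if missing:
        unmet.append(f"users not yet approved: {sorted(missing)}")
    if policy.requires_manager and requester_manager not in approvers:
        unmet.append(f"manager {requester_manager} has not approved")
    for name, members in policy.groups.items():
        if not members & approvers:
            unmet.append(f"no member of group {name} has approved")
    for name, members in policy.shifts.items():
        if not members & approvers:
            unmet.append(f"no member of on-call shift {name} has approved")
    return unmet

def grant(policy, requester_manager, approvers, duration, now):
    """Return the expiry of a time-bound grant, or None while approval is incomplete."""
    if unmet_requirements(policy, requester_manager, approvers):
        return None
    return now + duration

def access_is_active(expiry, now):
    """Permissions exist only between approval and expiry; afterwards they are revoked."""
    return expiry is not None and now < expiry

# Constructed sample: a production database flow that needs the requester's manager,
# at least one DBA and at least one member of the database on-call shift.
PROD_DB_POLICY = ApprovalPolicy(
    approval_type="self-serve",
    requires_manager=True,
    groups={"dba": {"dana", "eli"}},
    shifts={"db-oncall": {"eli", "noa"}},
)
```

A request approved only by a DBA stays pending until the manager and an on-call member also approve; once granted, `access_is_active` returns False after the access duration elapses.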

Example access flow