
# Automatic Access Flows

To create an automatic access flow, you must define the permitted users and available resources.

<figure><img src="/files/4pQQ9we0JU0Uhencjt37" alt="" width="563"><figcaption><p><em>Create Access Flow page</em></p></figcaption></figure>

***

### Prerequisites

<table><thead><tr><th width="158">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Cloud resources</strong></td><td><p>One or more resources in a cloud platform that has been integrated with Apono<br><br>If you have not already, integrate Apono with a cloud platform to control access to its resources:</p><ul><li><a href="/pages/XnEdLdWUhsNqPBJJwaQU">AWS integrations</a></li><li><a href="/pages/T88Xlh1cOFcLTKsgCUeX">Azure integrations</a></li><li><a href="/pages/oAecduSreroNg11JU6uw">GCP integrations</a></li><li><a href="/pages/L6TxTfv7la9gqSsv8eFG">Kubernetes integrations</a></li></ul></td></tr><tr><td><strong>Apono identities</strong></td><td><p>One or more identity sources in the Apono system<br><br>There are various ways to add identities to Apono:</p><ul><li><a href="/pages/yEprVZO5GjeNRgpKaW2D">Integrate an identity provider</a></li><li><a href="/pages/DciEGvWQvUi5EH79mIyz#add-a-user">Invite a user manually</a></li></ul></td></tr></tbody></table>

***

### Begin access flow creation

Follow these steps:

1. On the [**Access Flows**](https://app.apono.io/access-flows) page, click **Create Access Flow**. The **Create Access Flow** page appears.

{% hint style="success" %}
If [Space Management](/docs/user-administration/space-management.md) is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.

If no space is selected, the access flow will be created at the global account level.
{% endhint %}

2. Click **Automatic**. The **Automatic** fields appear below.
3. Enter an alphanumeric, user-friendly **Access flow name**.

***

### Define permitted users

<figure><img src="/files/aOqTKcWGtmZDFRBEUneR" alt="" width="563"><figcaption><p>Defining grantees</p></figcaption></figure>

Follow these steps to define the permitted grantees:

1. Click **Select attribute** to select an IdP attribute, such as **User** or **Group**.
2. (Optional) Click **is** to select [comparative logic](#comparative-logic) from the menu options.
3. Click **Select value** to select one or more users or groups from the menu options.
4. Click outside of the menu to close it.
5. (Optional) To add another attribute, click **+** under the last listed attribute. In the new row that appears, repeat steps **1-4**.
6. If multiple attributes have been defined, select the [conditional logic](#conditional-logic) for the multiple attributes.

***

### Define the resource

<figure><img src="/files/qChL7ydsQutIu5fWIfga" alt="" width="563"><figcaption><p>Defining resources</p></figcaption></figure>

Follow these steps:

1. Define access to specific resources.

{% tabs %}
{% tab title="Resources" %}
Follow these steps to define access to specific resources:

1. Under **They will have access to**, click **Resources**. The filter options appear.
2. Click **Basic**.
3. Filter the resources by one or more of the following filters. Resources matching the selected filters display.

{% hint style="success" icon="lightbulb" %}
To create complex queries, click **AQL** to build a query in the code box.

The [Apono Query Language](/docs/inventory/apono-query-language.md) enables you to extend your query capabilities beyond the standard options available with the UI.
{% endhint %}

<details>

<summary>Integration</summary>

Follow these steps to filter by integration:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
2. (Optional) In the **Search** field, enter a value to filter the list of integrations.
3. Select one or more integrations. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Type</summary>

Follow these steps to filter by resource type:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
2. (Optional) In the **Search** field, enter a value to filter the list of resource types.
3. Select one or more resource types. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Name</summary>

Follow these steps to filter by resource name:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
2. (Optional) In the **Search** field, enter a value to filter the list of resource names.
3. (**Equals**, **Not Equals** only) Select one or more resource names. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Permission Name</summary>

Follow these steps to filter by permission name:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
2. (Optional) In the **Search** field, enter a value to filter the list of permission names.
3. (**Equals**, **Not Equals** only) Select one or more permission names. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Path</summary>

Follow these steps to filter by resource path:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Path**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
3. (Optional) In the **Search** field, enter a value to filter the list of resource paths.
4. Select one or more resource paths. Only the values meeting the criteria will be shown.
5. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Source ID</summary>

Follow these steps to filter by resource source ID (for example, account, folder, project, Azure subscription, or management group IDs):

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Source ID**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **In (in)**
   * **Not (not in)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
3. (Optional) In the **Search** field, enter a value to filter the list of IDs.
4. Select one or more IDs. Only the values meeting the criteria will be shown.
5. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Tag</summary>

Follow these steps to filter by resource tag:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Tag**.
2. (Optional) In the **Search** field, enter a value to filter the list of resource names.
3. Click the resource name.
4. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
5. (Optional) In the **Search** field, enter a value to filter the list of resource tags.
6. (**Equals**, **Not Equals** only) Select one or more resource tags. Only the values meeting the criteria will be shown.
7. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Risk Level</summary>

Follow these steps to filter by resource risk level:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Risk Level**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
3. Select one or more resource risk levels. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Permission Risk Level</summary>

Follow these steps to filter by permission risk level:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Permission Risk Level**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
3. Select one or more permission risk levels. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

4. Click **Select Resources** or **Create Bundle** to create a bundle within the flow from the filtered resources.
   {% endtab %}

{% tab title="Bundles" %}
{% hint style="success" %}
To ensure you do not exceed the AWS inline policy character limit, read [AWS Limitations](/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization/aws-best-practices.md) when adding bundles with AWS resources.
{% endhint %}

Follow these steps to define access to a specific bundle:

1. Under **They will have access to**, click **Bundles**. The list of bundles appears.
2. (Optional) In the search field, enter a partial or full bundle name to filter the list of bundles.
3. In the **Bundles** panel, select a bundle. The contents of the bundle logic appear in the **AQL** pane.
4. Click **Select Bundle**.
   {% endtab %}

{% tab title="Access Scope" %}
Follow these steps to define access to a specific access scope:

1. Under **They will have access to**, click **More Options > Access Scope**. The **Select access scope** menu appears.
2. (Optional) Enter keywords into the search bar to locate an access scope.
3. (Optional) Click <img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf6tv7vrABRqb_3sHCQCkp-gGx-9GBQoWehtQXr2GjwUAv4jEwSuTan9BsckFs_R3hKm1zWb86-4gCVU2AUtQspUPRizHDEtlXAPc1m_OyItAOugW6buj8hpUTBGTjgccmKsyn-tQ?key=A4EZtKjLdP_MEnXmQA_WQ-Ky" alt="" data-size="line"> (eye icon). A **Preview Access Scope** pop-up window appears displaying the contents of the access scope.
4. Select an access scope.

{% hint style="success" %}
You can also click **+ Create New Access Scope** if none of the existing access scopes meet your needs. The **Inventory** page appears. You can [create](/docs/inventory/access-scopes.md#create-an-access-scope) and [use](/docs/inventory/access-scopes.md#use-an-access-scope) the new access scope.
{% endhint %}
{% endtab %}

{% tab title="Integrations" %}
Follow these steps to define access to specific resources:

1. Under **They will have access to**, click **More Options > Integrations**. The **Select integration** menu appears.
2. (Optional) Enter keywords into the search bar to locate an integration.
3. Select an integration. The **Select resource type** panel appears.
4. Select the resource type.
5. Click **Done**. The panel closes.
6. Click **permissions**. The **Permissions** menu appears.
7. Select one or more permissions to grant the requester.
8. Click outside the window to close it.
9. (Optional) Refine the available resources:
   1. Click in the populated **to** field. A list of resources appears.
   2. Select one or more resources.

{% hint style="info" %}
By default, the user has access to **Any resources**. However, the following options allow you to define access more granularly:

* **Any resources except specific**
* **Select by name**
* **Select by tags**
  {% endhint %}
  {% endtab %}
  {% endtabs %}

2. (Optional) Click **+ Add Resources** and repeat step **1** to include another resource.

***

### Set access flow settings

<figure><img src="/files/6m3pkUBbxyjAWTe69Vd8" alt="" width="278"><figcaption><p>Access flow settings</p></figcaption></figure>

<table><thead><tr><th width="204">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Access flow labels</strong></td><td><p>Identifies an access flow for streamlined organization and use</p><p>When assigned to an access flow, labels appear in the access flow tiles on the <a href="https://app.apono.io/access-flows"><strong>Access Flows</strong></a> page.</p><p>Follow these steps:</p><ol><li>Enter a value.</li><li>Press Enter on your keyboard or select an existing label from the filtered list.</li></ol></td></tr><tr><td><strong>Description</strong></td><td><p>Access flow summary automatically generated after defining the name, grantee, and resources</p><p>To keep the description aligned with changes in the access flow, click <strong>Generate</strong> to refresh it with the latest updates:</p><ol><li>Click <strong>Generate</strong>. Apono will populate the field with a new description.</li><li>(Optional) Review and manually edit the description.</li><li>(Optional) Provide feedback on the description. Click <img src="/files/TptuLFVtcaHDY5pcWt41" alt="" data-size="line"> (thumbs up icon) if the description was helpful. Click <img src="/files/q0NSG6afsIGcZpdySmwK" alt="" data-size="line"> (thumbs down icon) and add a comment if the description was unhelpful.</li></ol></td></tr></tbody></table>

***

### Review the access flow

After defining the [permitted users](#define-permitted-users) and [resource](#define-the-resource), follow these steps to review and save an automatic access flow:

1. Click **Review and Create**. The **Automatic Access Flow Summary** appears.

{% hint style="info" %}
The access flow summary provides a visual overview of the relationship between the requesters and the target resource.
{% endhint %}

2. Click **Create and Grant**.

***

### Logic reference

#### Comparative logic

The following table explains the filter comparative logic.

<table><thead><tr><th width="180">Logic</th><th>Description</th></tr></thead><tbody><tr><td><strong>Equals (=)</strong></td><td><p>Checks if values are the same<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Type</strong> equals <strong>DynamoDB Table</strong></li><li><strong>Resource Status</strong> equals <strong>ACTIVE</strong></li></ul><p>After filtering by this value, you can select the exact resources to include in your filtered query.</p></td></tr><tr><td><strong>Not Equals (!=)</strong></td><td><p>Checks if values are different<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Integration</strong> does not equal <strong>AWS Playground</strong></li><li><strong>Resource Type</strong> does not equal <strong>S3 Bucket</strong></li></ul><p>After filtering by this value, you can select the exact resources to include in your filtered query.</p></td></tr><tr><td><strong>Contains (a*b)</strong></td><td><p>Checks if a value contains another value as a substring or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> contains <em>playground</em></li><li><strong>Resource Tag</strong> contains <em>true</em></li></ul></td></tr><tr><td><strong>Does not contain (!a*b)</strong></td><td><p>Checks if a value does NOT contain another value as a substring or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> does not contain <em>production</em></li><li><strong>Permission Name</strong> does not contain <em>admin</em></li></ul></td></tr><tr><td><strong>Starts with (*b)</strong></td><td><p>Checks if a value begins with a specific value or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> starts with <em>aws</em></li><li><strong>Resource Tag</strong> for a <strong>region</strong> starts with <em>eu</em></li></ul></td></tr><tr><td><strong>Ends with (a*)</strong></td><td><p>Checks if a value ends with a specific value or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> ends with <em>terraform-state</em></li><li><strong>Resource Tag</strong> for an <strong>env</strong> ends with <em>dev</em></li></ul></td></tr></tbody></table>

#### Conditional logic

<table><thead><tr><th width="179.2890625">Condition</th><th>Description</th></tr></thead><tbody><tr><td><strong>AND</strong></td><td>(Default) Allows the user to request access if they meet <strong>all</strong> the selected attributes</td></tr><tr><td><strong>OR</strong></td><td>Allows the user to request access if they meet <strong>any</strong> of the selected attributes</td></tr></tbody></table>
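
Because an automatic access flow grants access without a per-request approval, the choice of comparative and conditional logic decides how far the flow reaches. The following is an added example, not Apono code or AQL: a simplified Python model of the logic tables above, run over constructed users and resources, that compares **AND** with **OR** on grantee attributes and an exclusion-style filter with an inclusion-style filter on resources. It assumes case-sensitive matching, and every name in the sample data is hypothetical.

```python
# Added illustration: a simplified model of the Logic reference, not Apono's code.
# Assumptions: comparisons are case-sensitive; all sample data is constructed.

OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "not_equals": lambda value, operand: value != operand,
    "contains": lambda value, operand: operand in value,
    "not_contains": lambda value, operand: operand not in value,
    "starts_with": lambda value, operand: value.startswith(operand),
    "ends_with": lambda value, operand: value.endswith(operand),
}

def evaluate(record, conditions, logic="AND"):
    """AND requires every condition to match; OR requires at least one."""
    results = [OPERATORS[op](record[field], operand)
               for field, op, operand in conditions]
    return all(results) if logic == "AND" else any(results)

def select(records, conditions, logic="AND"):
    """Return the names of the records a rule set would include."""
    return [r["name"] for r in records if evaluate(r, conditions, logic)]

# Constructed identities: "name" stands in for the User attribute.
USERS = [
    {"name": "dana", "group": "sre"},
    {"name": "lee", "group": "sre"},
    {"name": "kim", "group": "finance"},
]
GRANTEES = [("name", "equals", "dana"), ("group", "equals", "sre")]

# Constructed inventory, including a production replica with a shortened name.
RESOURCES = [
    {"name": "playground-db", "env": "dev"},
    {"name": "orders-production", "env": "prod"},
    {"name": "orders-prod-replica", "env": "prod"},
    {"name": "billing-terraform-state", "env": "shared-dev"},
]
EXCLUDE = [("name", "not_contains", "production")]  # exclusion-style filter
INCLUDE = [("env", "ends_with", "dev")]             # inclusion-style filter

def report():
    """Compare how far each rule set reaches over the sample data."""
    return {
        "grantees_and": select(USERS, GRANTEES, "AND"),
        "grantees_or": select(USERS, GRANTEES, "OR"),
        "exclude": select(RESOURCES, EXCLUDE),
        "include": select(RESOURCES, INCLUDE),
    }

if __name__ == "__main__":
    for rule, names in report().items():
        print(f"{rule}: {names}")
```

In the sample inventory, the "does not contain *production*" filter still selects `orders-prod-replica`, while the `env` "ends with *dev*" filter selects only the two dev resources.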

