Automatic Access Flows

Automatic access flows automatically grant and revoke access to a resource based on user context. This access flow type is best used for role-based access control (RBAC) and on-call shift baselines.

To create an automatic access flow, you must define the permitted users and available resources.

Create Access Flow page

Prerequisites

Item
Description

Cloud resources

One or more resources in a cloud platform that has been integrated with Apono If you have not already, integrate Apono with a cloud platform to control access to its resources:

Apono identities

One or more identity sources in the Apono system There are various ways to add identities to Apono:

Define permitted users

Defining grantees

Follow these steps to define the permitted grantees:

  1. On the Access Flows page, click Create Access Flow. The Create Access Flow page appears.

  2. Click Automatic. The Automatic fields appear below.

  3. Enter an alphanumeric, user-friendly Access Flow Name.

  4. Click Select attribute to select an IdP attribute, such as User or Group.

  5. (Optional) Click is to select conditional logic from the menu options.

Other operators include the following:

  • Is not

  • Contains

  • Does not contain

  • Starts with

  1. Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access.

  2. (Optional) Add another user.

    1. Under the last listed requestor, click +. A new row appears.

    2. Repeat steps 4-7.

    3. Select the conditional logic for the multiple requestors.

      Condition
      Description

      AND

      (Default) Allows the user to request access if they meet all the attributes of the user group

      OR

      Allows the user to request access if they meet any of the attributes of the user group

Define the resource

Defining resources

You can define access to specific resources in an Apono integration, bundle, or access scope.

To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding AWS resources.

Follow these steps to define access to specific resources:

  1. Under They will have access to, click Select target > Integrations.

  2. Select an integration. The Select resource type panel appears.

  3. Select the resource type.

  4. Click Done. The panel closes.

  5. Click permissions. The Permissions menu appears.

  6. Select one or more permissions to grant the requester.

  7. (Optional) Refine the available resources:

    1. Click in the populated to field. A list of resources appears.

    2. Select one or several resources.

By default, the user has access to Any resources. However, the following options allow you to define access more granularly:

  • Any resources except specific

  • Select by name

  • Select by tags

  1. (Optional) Add another target:

    1. Click + at the end of the row. A new target row appears.

    2. Repeat steps 1-7 or add a bundle or access scope.

Add a label

Settings section

Follow this step to add an access flow label:

  1. In the Access flow labels, enter a value and press Enter OR select an existing label.

A label identifies an access flow for streamlined organization and use. When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page.

Review the access flow

After defining the permitted users and resource, follow these steps to review and save an automatic access flow:

  1. Click Review and Create. The Automatic Access Flow Summary appears.

The access flow summary provides a visual overview of the relationship between the requesters and the target resource.

  1. Click Create and Grant.

PreviousSelf Serve Access FlowsNextAccess Duration

Last updated

Was this helpful?