
Automatic Access Flows

Automatic access flows automatically grant and revoke access to a resource based on user context. This access flow type is best used for role-based access control (RBAC) and on-call shift baselines.

To create an automatic access flow, you must define the permitted users and available resources.

Create Access Flow page

Prerequisites

Item
Description

Cloud resources

One or more resources in a cloud platform that has been integrated with Apono. If you have not already, integrate Apono with a cloud platform to control access to its resources:

Apono identities

One or more identity sources in the Apono system. There are various ways to add identities to Apono:


Begin access flow creation

Follow these steps:

  1. On the Access Flows page, click Create Access Flow. The Create Access Flow page appears.

  2. Click Automatic. The Automatic fields appear below.

  3. Enter an alphanumeric, user-friendly Access flow name.


Define permitted users

Defining grantees

Follow these steps to define the permitted grantees:

  1. Click Select attribute to select an IdP attribute, such as User or Group.

  2. (Optional) Click is to select comparative logic from the menu options.

  3. Click Select value to select one or more users or groups from the menu options.

  4. Click outside of the menu to close it.

  5. (Optional) To add another attribute, click + under the last listed attribute. In the new row that appears, repeat steps 1-4.

  6. If multiple attributes have been defined, select the conditional logic for the multiple attributes.


Define the resource

Defining resources

Follow these steps:

  1. Define access to specific resources.

Follow these steps to define access to specific resources:

  1. Under They will have access to, click Resources. The filter options appear.

  2. Click Basic.

  3. Filter the resources by one or more of the following filters. Resources matching the selected filters display.

Integration

Follow these steps to filter by integration:

  1. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

  2. (Optional) In the Search field, enter a value to filter the list of integrations.

  3. Select one or more integrations. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

Resource Type

Follow these steps to filter by resource type:

  1. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

  2. (Optional) In the Search field, enter a value to filter the list of resource types.

  3. Select one or more resource types. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

Resource Name

Follow these steps to filter by resource name:

  1. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

    • Contains (a*b)

    • Does not contain (!a*b)

    • Starts with (*b)

    • Ends with (a*)

  2. (Optional) In the Search field, enter a value to filter the list of resource names.

  3. (Equals, Not Equals only) Select one or more resource names. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

Permission Name

Follow these steps to filter by permission name:

  1. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

    • Contains (a*b)

    • Does not contain (!a*b)

    • Starts with (*b)

    • Ends with (a*)

  2. (Optional) In the Search field, enter a value to filter the list of resource names.

  3. (Equals, Not Equals only) Select one or more permission names. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

Resource Path

Follow these steps to filter by resource path:

  1. Click (More filters icon) > Resource Path.

  2. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

    • Contains (a*b)

    • Does not contain (!a*b)

    • Starts with (*b)

    • Ends with (a*)

  3. (Optional) In the Search field, enter a value to filter the list of resource paths.

  4. Select one or more resource paths. Only the values meeting the criteria will be shown.

  5. Click outside of the menu to close it.

Resource Source ID

Follow these steps to filter by resource source ID (for example, account, folder, project, Azure subscription, or management group IDs):

  1. Click (More filters icon) > Resource Source ID.

  2. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

    • In (in)

    • Not (not in)

    • Contains (a*b)

    • Does not contain (!a*b)

    • Starts with (*b)

    • Ends with (a*)

  3. (Optional) In the Search field, enter a value to filter the list of IDs.

  4. Select one or more IDs. Only the values meeting the criteria will be shown.

  5. Click outside of the menu to close it.

Resource Tag

Follow these steps to filter by resource tag:

  1. Click (More filters icon) > Resource Tag.

  2. (Optional) In the Search field, enter a value to filter the list of resource names.

  3. Click the resource name.

  4. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

    • Contains (a*b)

    • Does not contain (!a*b)

    • Starts with (*b)

    • Ends with (a*)

  5. (Optional) In the Search field, enter a value to filter the list of resource tags.

  6. (Equals, Not Equals only) Select one or more resource tags. Only the values meeting the criteria will be shown.

  7. Click outside of the menu to close it.

Resource Risk Level

Follow these steps to filter by resource risk level:

  1. Click (More filters icon) > Resource Risk Level.

  2. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

  3. Select one or more resource risk levels. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

Permission Risk Level

Follow these steps to filter by permission risk level:

  1. Click (More filters icon) > Permission Risk Level.

  2. From the dropdown menu, select the comparative logic:

    • Equals (=)

    • Not Equals (!=)

  3. Select one or more permission risk levels. Only the values meeting the criteria will be shown.

  4. Click outside of the menu to close it.

  2. Click Select Resources or Create Bundle to create a bundle within the flow from the filtered resources.

  3. (Optional) Click + Add Resources and repeat step 1 to include another resource.


Set access flow settings

Access flow settings
Setting
Description

Access flow labels

Identifies an access flow for streamlined organization and use

When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page.

Follow these steps:

  1. Enter a value.

  2. Press Enter on your keyboard or select an existing label from the filtered list.

Description

Access flow summary automatically generated after defining the name, grantee, and resources

To keep the description aligned with changes in the access flow, click Generate to refresh it with the latest updates:

  1. Click Generate. Apono will populate the field with a new description.

  2. (Optional) Review and manually edit the description.

  3. (Optional) Provide feedback on the description. Click (thumbs up icon) if the description was helpful. Click (thumbs down icon) and add a comment if the description was unhelpful.


Review the access flow

After defining the permitted users and resource, follow these steps to review and save an automatic access flow:

  1. Click Review and Create. The Automatic Access Flow Summary appears.

The access flow summary provides a visual overview of the relationship between the requesters and the target resource.

  2. Click Create and Grant.


Logic reference

Comparative Logic

The following tables explain the filter comparative logic.

Logic
Description

Equals (=)

Checks if values are the same

Examples:

  • Resource Type equals DynamoDB Table

  • Resource Status equals ACTIVE

After filtering by this value, you can select the exact resources to include in your filtered query.

Not Equals (!=)

Checks if values are different

Examples:

  • Integration does not equal AWS Playground

  • Resource Type does not equal S3 Bucket

After filtering by this value, you can select the exact resources to include in your filtered query.

Contains (a*b)

Checks if a value contains another value as a substring or pattern

Examples:

  • Resource Name contains playground

  • Resource Tag contains true

Does not contain (!a*b)

Checks if a value does NOT contain another value as a substring or pattern

Examples:

  • Resource Name does not contain production

  • Permission Name does not contain admin

Starts with (*b)

Checks if a value begins with a specific value or pattern

Examples:

  • Resource Name starts with aws

  • Resource Tag for a region starts with eu

Ends with (a*)

Checks if a value ends with a specific value or pattern

Examples:

  • Resource Name ends with terraform-state

  • Resource Tag for an env ends with dev

Conditional logic

Condition
Description

AND

(Default) Allows the user to request access if they meet all the selected attributes

OR

Allows the user to request access if they meet any of the selected attributes
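
The comparative and conditional logic above, as an added example (not Apono's code or API): a local Python model for previewing what a set of filters would match before an automatic flow grants access. The operator semantics (case-sensitive substring matching, resource filters combined with AND), the field names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Operator semantics assumed from the descriptions in the logic reference;
# case-sensitive plain-substring matching is an assumption of this model.
OPS = {
    "equals": lambda value, target: value == target,
    "not_equals": lambda value, target: value != target,
    "contains": lambda value, target: target in value,
    "not_contains": lambda value, target: target not in value,
    "starts_with": lambda value, target: value.startswith(target),
    "ends_with": lambda value, target: value.endswith(target),
}

@dataclass(frozen=True)
class Filter:
    field: str   # hypothetical field name, e.g. "name", "type", "group"
    op: str      # key of OPS
    target: str

def matches(record, filters, logic="AND"):
    """True if the record satisfies the filters under AND (default) or OR."""
    results = [OPS[f.op](record.get(f.field, ""), f.target) for f in filters]
    return all(results) if logic == "AND" else any(results)

def preview(inventory, filters, logic="AND"):
    """Names of the resources an automatic flow with these filters would cover."""
    return sorted(r["name"] for r in inventory if matches(r, filters, logic))

# Constructed sample inventory (not real resources).
INVENTORY = [
    {"name": "orders-production", "type": "DynamoDB Table"},
    {"name": "orders-playground", "type": "DynamoDB Table"},
    {"name": "billing-prod", "type": "DynamoDB Table"},
    {"name": "infra-terraform-state", "type": "S3 Bucket"},
]

# Positive filter: only names that opt in are covered.
ALLOW_STYLE = [Filter("name", "contains", "playground")]
# Negative filters: everything is covered unless it opts out.
DENY_STYLE = [Filter("name", "not_contains", "production"),
              Filter("type", "not_equals", "S3 Bucket")]

# Constructed grantee with two IdP-style attributes.
USER = {"group": "sre-oncall", "department": "engineering"}
ATTRS = [Filter("group", "equals", "sre-oncall"),
         Filter("department", "equals", "finance")]

if __name__ == "__main__":
    print(preview(INVENTORY, ALLOW_STYLE))
    print(preview(INVENTORY, DENY_STYLE))
    print(matches(USER, ATTRS, "AND"), matches(USER, ATTRS, "OR"))
```

In this model the negative filter still covers billing-prod, because the abbreviated name never contains the string production, while the positive filter fails closed for any name it does not recognise. Switching the grantee condition from AND to OR turns a non-match into a match for the same user.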
