# Automatic Access Flows

To create an automatic access flow, you must define the permitted users and available resources.

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-786be46284952e24344dbc18c43edc8daa575656%2Faccess-flow-automatic.png?alt=media" alt="" width="563"><figcaption><p><em>Create Access Flow page</em></p></figcaption></figure>

***

### Prerequisites

<table><thead><tr><th width="158">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Cloud resources</strong></td><td><p>One or more resources in a cloud platform that has been integrated with Apono<br><br>If you have not already, integrate Apono with a cloud platform to control access to its resources:</p><ul><li><a href="../../aws-environment/aws-integrations">AWS integrations</a></li><li><a href="../../azure-environment/azure-integrations">Azure integrations</a></li><li><a href="../../gcp-environment/gcp-integrations">GCP integrations</a></li><li><a href="../../kubernetes-environment/kubernetes-integrations">Kubernetes integrations</a></li></ul></td></tr><tr><td><strong>Apono identities</strong></td><td><p>One or more identity sources in the Apono system<br><br>There are various ways to add identities to Apono:</p><ul><li><a href="../../additional-integrations/identity-providers">Integrate an identity provider</a></li><li><a href="../../../user-administration/create-identities#add-a-user">Invite a user manually</a></li></ul></td></tr></tbody></table>

***

### Define permitted users

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-d0a9692a496cdbdfd14e9378ad912a1c0d889d16%2Faccess-flow-automatic-permitted-users.png?alt=media" alt="" width="563"><figcaption><p>Defining grantees</p></figcaption></figure>

Follow these steps to define the permitted grantees:

1. On the [**Access Flows**](https://app.apono.io/access-flows) page, click **Create Access Flow**. The **Create Access Flow** page appears.

{% hint style="success" %}
If [Space Management](https://docs.apono.io/docs/user-administration/space-management) is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.

If no space is selected, the access flow will be created at the global account level.
{% endhint %}

1. Click **Automatic**. The **Automatic** fields appear below.
2. Enter an alphanumeric, user-friendly **Access flow name**.
3. Click **Select attribute** to select an IdP attribute, such as **User** or **Group**.
4. (Optional) Click **is** to select conditional logic from the menu options.

{% hint style="info" %}
Other operators include the following:

* **Is not**
* **Contains**
* **Does not contain**
* **Starts with**
{% endhint %}

7. Click **Select value** to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access.
8. (Optional) Add another user.
   1. Under the last listed requestor, click **+**. A new row appears.
   2. Repeat steps **3-7**.
   3. Select the conditional logic for the multiple requestors.

      <table><thead><tr><th width="141">Condition</th><th>Description</th></tr></thead><tbody><tr><td><strong>AND</strong></td><td>(Default) Allows the user to request access if they meet <strong>all</strong> the attributes of the user group</td></tr><tr><td><strong>OR</strong></td><td>Allows the user to request access if they meet <strong>any</strong> of the attributes of the user group</td></tr></tbody></table>
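
The operator and **AND**/**OR** choices above decide how wide the grantee set is, so it helps to preview a rule set against known identities before saving it. The following is an added example, not Apono code: the operator names come from this page, while their string semantics, the identity records, and the function names are assumptions made for illustration.

```python
# Added illustration, not Apono code. Operator names come from this page;
# their string semantics are assumptions.
from dataclasses import dataclass

OPERATORS = {
    "is": lambda vals, t: t in vals,
    "is not": lambda vals, t: t not in vals,
    "contains": lambda vals, t: any(t in v for v in vals),
    "does not contain": lambda vals, t: all(t not in v for v in vals),
    "starts with": lambda vals, t: any(v.startswith(t) for v in vals),
}

@dataclass(frozen=True)
class Condition:
    attribute: str  # IdP attribute, e.g. "User" or "Group"
    operator: str   # one of OPERATORS
    value: str

def matches(identity, cond):  # one condition row against one identity record
    raw = identity.get(cond.attribute, [])
    vals = [raw] if isinstance(raw, str) else list(raw)
    return OPERATORS[cond.operator](vals, cond.value)

def permitted(identities, conditions, logic="AND"):
    """Return the sorted users admitted by the rows under AND or OR."""
    if not conditions:
        raise ValueError("no conditions: refusing to match every identity")
    if logic not in ("AND", "OR"):
        raise ValueError(f"unknown logic {logic!r}")
    combine = all if logic == "AND" else any
    return sorted(i["User"] for i in identities
                  if combine(matches(i, c) for c in conditions))

def or_only_grantees(identities, conditions):
    """Users admitted only because the rows are joined with OR."""
    strict = set(permitted(identities, conditions, "AND"))
    return [u for u in permitted(identities, conditions, "OR") if u not in strict]

# Constructed sample identities and rule rows (not real data).
IDENTITIES = [
    {"User": "alice@example.com", "Group": ["sre-oncall", "engineering"]},
    {"User": "bob@example.com", "Group": ["engineering"]},
    {"User": "carol@example.com", "Group": ["sre-platform", "contractors"]},
    {"User": "dave@example.com", "Group": ["finance"]},
]
RULES = [Condition("Group", "starts with", "sre-"),
         Condition("Group", "is not", "contractors")]

if __name__ == "__main__":
    print("OR-only grantees:", or_only_grantees(IDENTITIES, RULES))
```

With these sample rows, **AND** admits one user, while **OR** admits all four because the negative **Is not** row is true for almost every identity.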

***

### Define the resource

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-3b2cad7cac30e35101292392e2de0e7a48b9dd6e%2Faccess-flow-automatic-define-resource.png?alt=media" alt="" width="563"><figcaption><p>Defining resources</p></figcaption></figure>

You can define access to specific resources in an Apono integration, bundle, or access scope.

{% hint style="info" %}
If you are creating an access flow within a space, **only space-specific access scopes or bundles** can be used to define the access flow’s resources.
{% endhint %}

{% tabs %}
{% tab title="Integrations" %}
{% hint style="success" %}
To ensure you do not exceed the AWS inline policy character limit, read [AWS Limitations](https://docs.apono.io/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization/aws-best-practices) when adding AWS resources.
{% endhint %}

Follow these steps to define access to specific resources:

1. Under **They will have access to**, click **Select target > Integrations**.
2. Select an integration. The **Select resource type** panel appears.
3. Select the resource type.
4. Click **Done**. The panel closes.
5. Click **permissions**. The **Permissions** menu appears.
6. Select one or more permissions to grant the requester.
7. (Optional) Refine the available resources:
   1. Click in the populated **to** field. A list of resources appears.
   2. Select one or several resources.

{% hint style="info" %}
By default, the user has access to **Any resources**. However, the following options allow you to define access more granularly:

* **Any resources except specific**
* **Select by name**
* **Select by tags**
{% endhint %}

8. (Optional) Add another target:
   1. Click **+** at the end of the row. A new target row appears.
   2. Repeat steps **1-7** or add a [bundle](#bundles) or [access scope](#access-scope).
{% endtab %}

{% tab title="Bundles" %}
{% hint style="success" %}
To ensure you do not exceed the AWS inline policy character limit, read [AWS Limitations](https://docs.apono.io/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization/aws-best-practices) when adding bundles with AWS resources.
{% endhint %}

Follow these steps to define access to a specific bundle:

1. Under **They will have access to**, click **Select target > Bundles**.
2. Select a bundle.
3. (Optional) To add another bundle, click **+**. A new target row appears.
4. Repeat steps **1-2** or add an [integration](#integrations) or [access scope](#access-scope).
{% endtab %}

{% tab title="Access Scope" %}
Follow these steps to define access to a specific access scope:

1. Under **They will have access to**, click **Select target > Access Scope**. The **Select access scope** menu appears.

{% hint style="success" %}
You may enter keywords into the search bar to locate an access scope.
{% endhint %}

2. (Optional) Click <img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf6tv7vrABRqb_3sHCQCkp-gGx-9GBQoWehtQXr2GjwUAv4jEwSuTan9BsckFs_R3hKm1zWb86-4gCVU2AUtQspUPRizHDEtlXAPc1m_OyItAOugW6buj8hpUTBGTjgccmKsyn-tQ?key=A4EZtKjLdP_MEnXmQA_WQ-Ky" alt="" data-size="line"> (eye icon) to preview the contents of the access scope in a popup window.
3. Select an access scope.

{% hint style="success" %}
You can also click **+ Create New Access Scope** if none of the existing access scopes meet your needs. The **Inventory** page appears. You can [create](https://docs.apono.io/docs/inventory/access-scopes#create-an-access-scope) and [use](https://docs.apono.io/docs/inventory/access-scopes#use-an-access-scope) the new access scope.
{% endhint %}

4. (Optional) To add another access scope, click **+**. A new target row appears.
5. Repeat steps **1-3** or add an [integration](#integrations) or [bundle](#bundles).

{% endtab %}
{% endtabs %}

***

### Set access flow settings

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-f1a03ade6dc35f30f9cc1c8dd67e6a8b8151dae5%2Faccess-flow-automatic-settings-new.png?alt=media" alt="" width="278"><figcaption><p>Access flow settings</p></figcaption></figure>

<table><thead><tr><th width="204">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Access flow labels</strong></td><td><p>Identifies an access flow for streamlined organization and use</p><p>When assigned to an access flow, labels appear in the access flow tiles on the <a href="https://app.apono.io/access-flows"><strong>Access Flows</strong></a> page.</p><p>Follow these steps:</p><ol><li>Enter a value.</li><li>Press Enter on your keyboard or select an existing label from the filtered list.</li></ol></td></tr><tr><td><strong>Description</strong></td><td><p>Access flow summary automatically generated after defining the name, grantee, and resources</p><p>To keep the description aligned with changes in the access flow, click <strong>Generate</strong> to refresh it with the latest updates:</p><ol><li>Click <strong>Generate</strong>. Apono will populate the field with a new description.</li><li>(Optional) Review and manually edit the description.</li><li>(Optional) Provide feedback on the description. Click <img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-d868fa52ded73e3907fd4a933a7604a7ca609c7b%2Faccess-clarity-approve.png?alt=media" alt="" data-size="line"> (thumbs up icon) if the description was helpful. Click <img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-ca6382f453f0c527252bc69d4df55144f98992a5%2Faccess-clarity-disapprove.png?alt=media" alt="" data-size="line"> (thumbs down icon) and add a comment if the description was unhelpful.</li></ol></td></tr></tbody></table>

***

### Review the access flow

After defining the [permitted users](#define-permitted-users) and [resource](#define-the-resource), follow these steps to review and save an automatic access flow:

1. Click **Review and Create**. The **Automatic Access Flow Summary** appears.

{% hint style="info" %}
The access flow summary provides a visual overview of the relationship between the requesters and the target resource.
{% endhint %}

2. Click **Create and Grant**.
