
# Self Serve Access Flows

Self serve access flows grant access to a resource based on a user request for a defined time period.

This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) or break-glass access cases.

To create a self-serve access flow, you must define the permitted requestors, available resources, and approvers.

<figure><img src="/files/hWyfTEyKsp9ZfwqZ6Y0m" alt="" width="563"><figcaption><p><em>Create Access Flow page</em></p></figcaption></figure>

***

### Prerequisites

<table><thead><tr><th width="153">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>Cloud resources</strong></td><td><p>One or more resources in a cloud platform that has been integrated with Apono</p><p>If you have not already, integrate Apono with a cloud platform to control access to its resources:</p><ul><li><a href="/pages/XnEdLdWUhsNqPBJJwaQU">AWS integrations</a></li><li><a href="/pages/T88Xlh1cOFcLTKsgCUeX">Azure integrations</a></li><li><a href="/pages/oAecduSreroNg11JU6uw">GCP integrations</a></li><li><a href="/pages/L6TxTfv7la9gqSsv8eFG">Kubernetes integrations</a></li></ul></td></tr><tr><td><strong>Apono identities</strong></td><td><p>One or more identity sources in the Apono system<br><br>There are various ways to add identities to Apono:</p><ul><li><a href="/pages/yEprVZO5GjeNRgpKaW2D">Integrate an identity provider</a></li><li><a href="/pages/DciEGvWQvUi5EH79mIyz#add-a-user">Invite a user manually</a></li></ul></td></tr></tbody></table>

***

### Begin access flow creation

<figure><img src="/files/PI5iF4zZSR1iGWANsQld" alt="" width="375"><figcaption><p>Top section of the Create Access Flow page</p></figcaption></figure>

Follow these steps:

1. On the [**Access Flows**](https://app.apono.io/access-flows) page, click **Create Access Flow**. The **Create Access Flow** page appears.

{% hint style="success" %}
If [Space Management](/docs/user-administration/space-management.md) is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.

If no space is selected, the access flow will be created at the global account level.
{% endhint %}

2. Click **Self Serve**. The **Self Serve** fields appear below.
3. Enter a user-friendly **Access flow name**.

***

### Define permitted requestors

<figure><img src="/files/97RbDIkzCyvnCCj1FAen" alt="" width="375"><figcaption><p>Defining permitted requestors</p></figcaption></figure>

Follow these steps:

1. Click **When**. A settings window appears to set the access period.
2. Set the access period.

<details>

<summary><strong>Always</strong></summary>

(Default) Applies to the requester conditions at all times

Follow these steps:

1. Select **Always**.
2. Click outside of the window to close it.

</details>

<details>

<summary><strong>Only on</strong></summary>

Applies to the requester conditions during a specific time frame

Follow these steps:

1. Select **Only on**.
2. Select one or more days of the week.
3. In the **From** field, select a start time from the dropdown menu.
4. In the **to** field, select an end time from the dropdown menu.
5. Select a timezone from the dropdown menu.
6. Click outside of the window to close it.

</details>

3. Define the permitted requestor:
   1. Click **Select attribute** to select an attribute, such as **User** or **Group**.
   2. (Optional) Click **is** to select [comparative logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.iwbeu4xl4s3f) from the menu options.
   3. Click **Select value** to select one or more users or groups from the menu options.
   4. Click outside of the menu to close it.
   5. (Optional) To add another attribute, click **+** under the last listed attribute. In the new row that appears, repeat steps **3a-d**.
4. If multiple attributes have been defined in step **3**, select the [conditional logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.fxj17ni1cpgt) for the multiple attributes.

***

### Request access on behalf of others

{% hint style="info" %}
This setting allows requesters to request access for others in common business situations:

* **New hire onboarding**: Prepare access before a new employee’s first day so she or he can start work immediately.
* **Team enablement**: Empower managers to request access for members of their teams.
* **Contractor access**: Grant external users narrow, time-bound access to specific resources.
* **Incident response**: Let team members request access for the right responder without waiting for an Apono admin.
{% endhint %}

Follow these steps:

1. Click **Themselves**. An options menu appears.

<table><thead><tr><th width="206.8125">Option</th><th>Description</th></tr></thead><tbody><tr><td><strong>Themselves</strong></td><td>(Default) Allows the requestor to only request resource access for himself or herself</td></tr><tr><td><strong>Direct Reports</strong></td><td>Allows the requestor, identified as a manager in the organization’s identity provider (IdP), to request resource access solely for individuals formally assigned as direct reports in the IdP</td></tr><tr><td><strong>Others (specify)</strong></td><td>Allows the requestor to only request resource access on behalf of others (grantees)</td></tr></tbody></table>

3. Click outside of the options menu to close it.
4. (Others (specify)) Define those for whom the requestor can request access:
   1. Click **Select attribute** to select an attribute, such as **User** or **Group**.
   2. (Optional) Click **is** to select [comparative logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.iwbeu4xl4s3f) from the menu options.
   3. Click **Select value** to select one or more users or groups from the menu options.
   4. Click outside of the value menu to close it.
   5. (Optional) To add another attribute, click **+** under the last listed attribute. In the new row that appears, repeat steps **4a-d**.
   6. Select the [conditional logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.fxj17ni1cpgt) for the multiple attributes.

***

### Define the resource

<figure><img src="/files/d92X4ogIkq5oLCje0Pra" alt="" width="375"><figcaption><p>Defining resources</p></figcaption></figure>

Follow these steps:

1. Define access to specific resources.

{% tabs %}
{% tab title="Resources" %}
Follow these steps to define access to specific resources:

1. Under **Request access to**, click **Resources**. The filter options appear.
2. Click **Basic**.
3. Filter the resources by one or more of the following filters. Resources matching the selected filters display.

{% hint style="success" icon="lightbulb" %}
To create complex queries, click **AQL** to build a query in the code box.

The [Apono Query Language](/docs/inventory/apono-query-language.md) enables you to extend your query capabilities beyond the standard options available with the UI.
{% endhint %}

<details>

<summary>Integration</summary>

Follow these steps to filter by integration:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
2. (Optional) In the **Search** field, enter a value to filter the list of integrations.
3. Select one or more integrations. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Type</summary>

Follow these steps to filter by resource type:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
2. (Optional) In the **Search** field, enter a value to filter the list of resource types.
3. Select one or more resource types. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Name</summary>

Follow these steps to filter by resource name:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
2. (Optional) In the **Search** field, enter a value to filter the list of resource names.
3. (**Equals**, **Not Equals** only) Select one or more resource names. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Permission Name</summary>

Follow these steps to filter by permission name:

1. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
2. (Optional) In the **Search** field, enter a value to filter the list of permission names.
3. (**Equals**, **Not Equals** only) Select one or more permission names. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Path</summary>

Follow these steps to filter by resource path:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Path**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
3. (Optional) In the **Search** field, enter a value to filter the list of resource paths.
4. Select one or more resource paths. Only the values meeting the criteria will be shown.
5. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Source ID</summary>

Follow these steps to filter by resource source ID (for example, account, folder, project, Azure subscription, or management group IDs):

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Source ID**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **In (in)**
   * **Not (not in)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
3. (Optional) In the **Search** field, enter a value to filter the list of IDs.
4. Select one or more IDs. Only the values meeting the criteria will be shown.
5. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Tag</summary>

Follow these steps to filter by resource tag:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Tag**.
2. (Optional) In the **Search** field, enter a value to filter the list of resource names.
3. Click the resource name.
4. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
   * **Contains (a\*b)**
   * **Does not contain (!a\*b)**
   * **Starts with (\*b)**
   * **Ends with (a\*)**
5. (Optional) In the **Search** field, enter a value to filter the list of resource tags.
6. (**Equals**, **Not Equals** only) Select one or more resource tags. Only the values meeting the criteria will be shown.
7. Click outside of the menu to close it.

</details>

<details>

<summary>Resource Risk Level</summary>

Follow these steps to filter by resource risk level:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Resource Risk Level**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
3. Select one or more resource risk levels. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

<details>

<summary>Permission Risk Level</summary>

Follow these steps to filter by permission risk level:

1. Click <img src="/files/r9WJSMPLEJ28VwJgRRA2" alt="" data-size="line"> (More filters icon) > **Permission Risk Level**.
2. From the dropdown menu, select the [comparative logic](#comparative-logic):
   * **Equals (=)**
   * **Not Equals (!=)**
3. Select one or more permission risk levels. Only the values meeting the criteria will be shown.
4. Click outside of the menu to close it.

</details>

4. Click **Select Resources** or **Create Bundle** to create a bundle within the flow from the filtered resources.
{% endtab %}

{% tab title="Bundles" %}
{% hint style="success" %}
To ensure you do not exceed the AWS inline policy character limit, read [AWS Limitations](/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization/aws-best-practices.md) when adding bundles with AWS resources.
{% endhint %}

Follow these steps to define access to a specific bundle:

1. Under **Request access to**, click **Bundles**. The list of bundles appears.
2. (Optional) In the search field, enter a partial or full bundle name to filter the list of bundles.
3. In the **Bundle** panel, select a bundle. The contents of the bundle logic appear in the **AQL** pane.
4. Click **Use Bundle**.
{% endtab %}

{% tab title="Access Scope" %}
Follow these steps to define access to a specific access scope:

1. Under **Request access to**, click **More Options > Access Scope**. The **Select access scope** menu appears.
2. (Optional) Enter keywords into the search bar to locate an access scope.
3. (Optional) Click <img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXf6tv7vrABRqb_3sHCQCkp-gGx-9GBQoWehtQXr2GjwUAv4jEwSuTan9BsckFs_R3hKm1zWb86-4gCVU2AUtQspUPRizHDEtlXAPc1m_OyItAOugW6buj8hpUTBGTjgccmKsyn-tQ?key=A4EZtKjLdP_MEnXmQA_WQ-Ky" alt="" data-size="line"> (eye icon). A **Preview Access Scope** pop-up window appears displaying the contents of the access scope.
4. Select an access scope.

{% hint style="success" %}
You can also click **+ Create New Access Scope** if none of the existing access scopes meet your needs. The **Inventory** page appears. You can [create](/docs/inventory/access-scopes.md#create-an-access-scope) and [use](/docs/inventory/access-scopes.md#use-an-access-scope) the new access scope.
{% endhint %}
{% endtab %}

{% tab title="Integrations" %}
Follow these steps to define access to specific resources:

1. Under **Request access to**, click **More Options > Integrations**. The **Select integration** menu appears.
2. (Optional) Enter keywords into the search bar to locate an integration.
3. Select an integration. The **Select resource type** panel appears.
4. Select the resource type.
5. Click **Done**. The panel closes.
6. Click **permissions**. The **Permissions** menu appears.
7. Select one or more permissions to grant the requester.
8. Click outside the window to close it.
9. (Optional) Refine the available resources:
   1. Click in the populated **to** field. A list of resources appears.
   2. Select one or several resources.

{% hint style="info" %}
By default, the user has access to **Any resources**. However, the following options allow you to define access more granularly:

* **Any resources except specific**
* **Select by name**
* **Select by tags**
{% endhint %}
{% endtab %}
{% endtabs %}

2. (Optional) Click **+ Select Resources** and repeat step **1** to include another resource.

***

### Set access duration and approval process

{% hint style="success" %}
Learn about [access duration and best practices](/docs/access-flows/creating-access-flows-in-apono/access-duration.md).
{% endhint %}

<figure><img src="/files/DT5i3dC59jTmL4RZQGsI" alt="" width="375"><figcaption><p>Access duration and approval process</p></figcaption></figure>

Follow these steps:

1. Click in the populated **Grant for** field. The granting period and extend duration options appear.
2. Set the granting period.

<details>

<summary><strong>Custom</strong></summary>

(Default) Grants the requester access for a custom period

The default granting period is set to *1 hour*.

Follow these steps to grant access for a custom period:

1. Select the first radio button.
2. From the right dropdown menu, select a time unit.
3. In the first field, enter a numerical value for the time unit.
4. In the second field, select a time unit from the dropdown menu.

</details>

<details>

<summary><strong>Indefinite</strong></summary>

Grants the requester access indefinitely

Follow this step to set this period:

1. Click **Indefinite**.

</details>

3. Enable and define extended access duration.

<details>

<summary><strong>Allow Extend Duration</strong></summary>

Allows requestors to extend active access for a limited duration without submitting a new request

Follow these steps:

1. Click the toggle on. When enabled, the toggle turns green.
2. Click in the **Allow extending request up to** field to choose the number of times the request can be extended, up to a maximum of *10*.
3. Click in the **Extend for** fields to select the duration of each extension, up to the maximum access duration set for the access flow. The default duration is **30 minutes** per extension.

Credential rotation, user cleanup, MFA, and approval requirements apply only to new access requests. **Extending access preserves the existing session, user, and credentials**.

</details>

4. Click **Automatic** to select the approval type.

<details>

<summary><strong>Automatic</strong></summary>

Automatically grants the requester access for the specified period

**Automatic** approval is the default setting.

</details>

<details>

<summary><strong>Approval of</strong></summary>

Grants the requester access for the specified period upon the approval of certain parties

This approval type is ideal for production environments and highly sensitive resources.

Follow these steps to set up **Approval of**:

1. Click the populated **with** field. The approval type menu appears.
2. Click **Approval of**. The **Approval of** fields appear.
3. Click **Select attribute** to select an IdP attribute.

{% hint style="info" %}
If you have connected an [incident response integration](/docs/additional-integrations/incident-response-integrations/opsgenie.md) with Apono, the attribute can also be an on-call shift.
{% endhint %}

4. (Optional) Click **is** to select [comparative logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.iwbeu4xl4s3f) from the menu options.
5. Click **Select value** to select one or more users or groups from the menu options.
6. Click outside of the value menu to close it.
7. (Optional) To add another attribute to the current approver, click **+** under the last listed attribute. In the new row that appears, repeat steps **3-6**.
8. Select the [conditional logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.fxj17ni1cpgt) for the multiple attributes.
9. (Optional) To add another approver, click **+** under the last approver. In the new approver that appears, repeat steps **3-8**.
10. Select the conditional logic for the multiple groups of approvers.

<table><thead><tr><th width="163.7109375">Condition</th><th>Description</th></tr></thead><tbody><tr><td><strong>ANY OF</strong></td><td>If you have multiple approval groups, <strong>ANY OF</strong> only requires one approver belonging to any group to approve access.</td></tr><tr><td><strong>ALL OF</strong></td><td>If you have multiple approval groups, <strong>ALL OF</strong> requires one approver per group to approve access.</td></tr></tbody></table>

11. (Optional) [Set the approval escalation](#set-approval-escalation).

</details>

#### Set approval escalation

{% hint style="success" icon="lightbulb" %}
Learn about [approval escalation](/docs/access-flows/creating-access-flows-in-apono/approval-escalation.md).
{% endhint %}

<figure><img src="/files/LgZokfSkEMIlc2bkvhQG" alt="" width="375"><figcaption><p>Approval escalation settings</p></figcaption></figure>

Follow these steps to enable approval escalation:

1. Click **+ Add Escalation Policy**. The setting appears.

{% hint style="info" %}
For this option to appear, [custom approval (Approval of)](#approval-of) must be configured for the access flow.
{% endhint %}

2. For the **Escalate every** rule, set the duration that must elapse before escalating to the next tier:
   1. From the **Escalate every** dropdown menu (the second field), select a time unit.
   2. In the first field, enter a numerical value for the time unit.
3. Under **Escalation Tier #1**, click **Select attribute** to select an IdP attribute, such as **User**, **Group**, or **Owner**.
4. (Optional) Click **is** to select [comparative logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.iwbeu4xl4s3f) from the menu options.
5. Click **Select value** to select one or multiple users or groups from the menu options.
6. Click outside of the value menu to close it.
7. (Optional) To add another attribute, click **+** under the last listed attribute. In the new row that appears, repeat steps **3-6**.
8. Select the [conditional logic](https://docs.google.com/document/d/1sQ6tKRqyydWo7CdLYPH4IuoRTQRZpq33BLYNUjAo5UI/edit?tab=t.i0cmhmk0g83h#heading=h.fxj17ni1cpgt) for the multiple attributes.
9. (Optional) To add another escalation tier, repeat steps **3-8**.

***

### Logic reference

#### Comparative Logic

The following tables explain the filter comparative logic.

**Requestors and grantees**

<table><thead><tr><th width="180">Logic</th><th>Description</th></tr></thead><tbody><tr><td><strong>Is</strong></td><td><p>Checks if values are the same<br></p><p><strong>Examples</strong>:</p><ul><li>User is Jane.Doe@user.com</li><li>Group is Admin_Group</li></ul></td></tr><tr><td><strong>Is not</strong></td><td><p>Checks if values are different<br></p><p><strong>Examples</strong>:</p><ul><li>User is not Jane.Doe@user.com</li><li>Group is not Admin_Group</li></ul></td></tr><tr><td><strong>Does not contain</strong></td><td><p>Checks if a value does NOT contain another value as a substring or pattern<br></p><p><strong>Examples</strong>:</p><ul><li>User does not contain Jane.Doe@user.com</li><li>Group does not contain Admin_Group</li></ul></td></tr><tr><td><strong>Starts with</strong></td><td><p>Checks if a value begins with a specific value or pattern<br></p><p><strong>Examples</strong>:</p><ul><li>User starts with ja</li><li>Group starts with ad</li></ul></td></tr></tbody></table>

**Resources**

<table><thead><tr><th width="180">Logic</th><th>Description</th></tr></thead><tbody><tr><td><strong>Equals (=)</strong></td><td><p>Checks if values are the same<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Type</strong> equals <strong>DynamoDB Table</strong></li><li><strong>Resource Status</strong> equals <strong>ACTIVE</strong></li></ul><p>After filtering by this value, you can select the exact resources to include in your filtered query.</p></td></tr><tr><td><strong>Not Equals (!=)</strong></td><td><p>Checks if values are different<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Integration</strong> does not equal <strong>AWS Playground</strong></li><li><strong>Resource Type</strong> does not equal <strong>S3 Bucket</strong></li></ul><p>After filtering by this value, you can select the exact resources to include in your filtered query.</p></td></tr><tr><td><strong>Contains (a*b)</strong></td><td><p>Checks if a value contains another value as a substring or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> contains <em>playground</em></li><li><strong>Resource Tag</strong> contains <em>true</em></li></ul></td></tr><tr><td><strong>Does not contain (!a*b)</strong></td><td><p>Checks if a value does NOT contain another value as a substring or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> does not contain <em>production</em></li><li><strong>Permission Name</strong> does not contain <em>admin</em></li></ul></td></tr><tr><td><strong>Starts with (*b)</strong></td><td><p>Checks if a value begins with a specific value or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> starts with <em>aws</em></li><li><strong>Resource Tag</strong> for a <strong>region</strong> starts with <em>eu</em></li></ul></td></tr><tr><td><strong>Ends with (a*)</strong></td><td><p>Checks if a value ends with a specific value or pattern<br></p><p><strong>Examples</strong>:</p><ul><li><strong>Resource Name</strong> ends with <em>terraform-state</em></li><li><strong>Resource Tag</strong> for an <strong>env</strong> ends with <em>dev</em></li></ul></td></tr></tbody></table>

#### Conditional logic

<table><thead><tr><th width="179.2890625">Condition</th><th>Description</th></tr></thead><tbody><tr><td><strong>AND</strong></td><td>(Default) Allows the user to request access if they meet <strong>all</strong> the selected attributes</td></tr><tr><td><strong>OR</strong></td><td>Allows the user to request access if they meet <strong>any</strong> of the selected attributes</td></tr></tbody></table>

***

### Enable IGA settings

Apono allows administrators to apply various settings to enhance the security of access flows.

{% hint style="info" %}
All admin settings are optional.
{% endhint %}

<figure><img src="/files/Vih9unYtLUiQCABcXBO1" alt="" width="319"><figcaption><p>Access flow settings</p></figcaption></figure>

<table><thead><tr><th width="204">Setting</th><th>Description</th></tr></thead><tbody><tr><td><strong>Access flow labels</strong></td><td><p>Identifies an access flow for streamlined organization and use</p><p>When assigned to an access flow, labels appear in the access flow tiles on the <a href="https://app.apono.io/access-flows"><strong>Access Flows</strong></a> page.</p><p>Follow these steps:</p><ol><li>Enter a value.</li><li>Press Enter on your keyboard or select an existing label from the filtered list.</li></ol></td></tr><tr><td><strong>Require MFA</strong></td><td><p>Requires grantees to complete multi-factor authentication to complete a request</p><p>We <strong>strongly recommend</strong> enabling MFA for access requests to sensitive resources.</p><p>The grantee will need to <a href="/pages/Z119PY6NuEBFIClh2ROX#enable-mfa-for-a-requester-account">enable multi-factor authentication</a>.<br></p><p>Follow this step:</p><ol><li>Click the toggle. When enabled, the toggle turns green.</li></ol></td></tr><tr><td><strong>Require justification</strong></td><td><p>Requires grantees to enter a justification for their request<br></p><p>Follow this step:</p><ol><li>Click the toggle. When enabled, the toggle turns green.</li></ol></td></tr><tr><td><strong>Require Approver Reason</strong></td><td><p>Requires approvers to provide a reason (limited to 124 characters) when approving or rejecting a request</p><p>If disabled, providing a reason is optional.<br></p><p>Follow this step:</p><ol><li>Click the toggle. When enabled, the toggle turns green.</li></ol></td></tr><tr><td><strong>Requester and grantee cannot self approve</strong></td><td><p>Prevents users from approving their own access requests</p><p>If the user is a member of an approval group, they will <strong>not</strong> receive a notification to approve the request.<br></p><p>Follow this step:</p><ol><li>Click the toggle. 
When enabled, the toggle turns green.</li></ol></td></tr><tr><td><strong>Description</strong></td><td><p>Access flow summary automatically generated after defining the name, requestors, and resources</p><p>To keep the description aligned with changes in the access flow, click <strong>Generate</strong> to refresh it with the latest updates:</p><ol><li>Click <strong>Generate</strong>. Apono will populate the field with a new description.</li><li>(Optional) Review and manually edit the description.</li><li>(Optional) Provide feedback on the description. Click <img src="/files/TptuLFVtcaHDY5pcWt41" alt="" data-size="line"> (thumbs up icon) if the description was helpful. Click <img src="/files/q0NSG6afsIGcZpdySmwK" alt="" data-size="line"> (thumbs down icon) and add a comment if the description was unhelpful.</li></ol></td></tr></tbody></table>
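
As an added example (not Apono code and not an Apono export format), the following Python models the settings described on this page so a flow can be reviewed before it is saved: it computes how long a single approved request can last once extensions are counted, and checks whether **ANY OF** / **ALL OF** approval can still be met when the requester and grantee are barred from approving. The `Flow` fields, the finding codes, and the sample flows are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Dict, List, Optional, Set

MAX_EXTENSIONS = 10  # the page caps "Allow extending request up to" at 10


@dataclass
class Flow:
    """Hypothetical record of one flow's settings (not an Apono export format)."""
    name: str
    grant_for: Optional[timedelta] = timedelta(hours=1)   # None models Indefinite
    extensions: int = 0                                    # 0 = Allow Extend Duration off
    extend_for: timedelta = timedelta(minutes=30)          # page default per extension
    approver_groups: List[Set[str]] = field(default_factory=list)  # empty = Automatic
    group_logic: str = "ANY OF"                            # or "ALL OF"
    require_mfa: bool = False
    no_self_approve: bool = False   # "Requester and grantee cannot self approve"
    sensitive: bool = False         # the reviewer's own classification


def max_window(flow: Flow) -> Optional[timedelta]:
    """Longest access one approved request can yield; None means unbounded.

    Extensions keep the session and credentials and skip approval and MFA,
    so every extension adds to the time covered by the original decision.
    """
    if not 0 <= flow.extensions <= MAX_EXTENSIONS:
        raise ValueError("extensions must be between 0 and 10")
    if flow.grant_for is None:
        return None
    return flow.grant_for + flow.extensions * flow.extend_for


def approvable(flow: Flow, requester: str, grantee: str) -> bool:
    """Necessary condition for approval: the rule still has eligible approvers."""
    if not flow.approver_groups:  # Automatic approval
        return True
    blocked = {requester, grantee} if flow.no_self_approve else set()
    has_member = [bool(group - blocked) for group in flow.approver_groups]
    # ALL OF needs one approver per group, ANY OF one approver from any group.
    return all(has_member) if flow.group_logic == "ALL OF" else any(has_member)


def review(flow: Flow, requester: str, grantee: Optional[str] = None) -> Dict[str, str]:
    """Return finding code -> explanation for one requester/grantee pair."""
    grantee = grantee or requester
    findings: Dict[str, str] = {}
    window = max_window(flow)
    if window is None:
        findings["INDEFINITE"] = "access never expires on its own"
    elif flow.sensitive and window > flow.grant_for:
        findings["EXTENDED_WINDOW"] = (
            f"one approval covers up to {window}, not {flow.grant_for}")
    if flow.sensitive and not flow.approver_groups:
        findings["AUTO_APPROVAL"] = "sensitive resource granted without an approver"
    if flow.sensitive and not flow.require_mfa:
        findings["NO_MFA"] = "sensitive resource requested without MFA"
    if flow.approver_groups and not flow.no_self_approve and any(
            {requester, grantee} & group for group in flow.approver_groups):
        findings["SELF_APPROVAL"] = "requester or grantee is also an approver"
    if not approvable(flow, requester, grantee):
        findings["UNAPPROVABLE"] = "no eligible approver is left for the approval rule"
    return findings


# Constructed sample flows; names and users are made up for the example.
PROD_DB = Flow("prod-db-admin", extensions=10, sensitive=True, require_mfa=True,
               no_self_approve=True, group_logic="ALL OF",
               approver_groups=[{"dana"}, {"lee", "sam"}])
STAGING = Flow("staging-read", sensitive=True)
OPS = Flow("ops-tools", approver_groups=[{"dana", "lee"}])

if __name__ == "__main__":
    for flow, who in [(PROD_DB, "dana"), (PROD_DB, "lee"), (STAGING, "sam"), (OPS, "dana")]:
        print(flow.name, who, max_window(flow), sorted(review(flow, who)))
```

An `UNAPPROVABLE` finding on an **ALL OF** flow is the case where an escalation tier or a second member in the single-person approver group is needed for that requester.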

