# Self Serve Access Flows Self serve access flows grant access to a resource based on a user request for a defined time period. This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) or break-glass access cases. To create a self-serve access flow, you must define the permitted requestors, available resources, and approvers.

Create Access Flow page

*** ## Prerequisites
ItemDescription
Cloud resources

One or more resources in a cloud platform that has been integrated with Apono

If you have not already, integrate Apono with a cloud platform to control access to its resources:

Apono identities

One or more identity sources in the Apono system

There are various ways to add identities to Apono:

*** ## Define permitted requestors

Defining permitted requestors

Follow these steps to define the permitted requestors: 1. On the **Access Flows** page, click **Create Access Flow**. The **Create Access Flow** page appears. {% hint style="success" %} If [Space Management](https://docs.apono.io/docs/user-administration/space-management) is enabled, select a space from the space selector at the top of the page to create a space-specific access flow. If no space is selected, the access flow will be created at the global account level. {% endhint %} 2. Click **Self Serve**. The **Self Serve** fields appear below. 3. Enter an alphanumeric, user-friendly **Access Flow Name**. 4. Click **When**. A settings window appears to set the access period. 5. Set the access period.
PeriodDescription
Always

(Default) Applies to the requester conditions at all times

Follow this step to set this period:

  1. Select Always.
Only on

Applies to the requester conditions during a specific time frame

Follow these steps to set a specific period:

  1. In the settings window, select Only on.
  2. Select one or more days of the week.
  3. In the From field, select a start time from the dropdown menu.
  4. In the to field, select an end time from the dropdown menu.
  5. Select a timezone from the dropdown menu.
6. Click **Select attribute** to select an attribute, such as **User** or **Group**. 7. (Optional) Click **is** to select conditional logic from the menu options. {% hint style="info" %} Other operators include the following: * **Is not** * **Contains** * **Does not contain** * **Starts with** {% endhint %} 8. Click **Select value** to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access. 9. (Optional) Add another attribute. 1. Under the last listed attribute, click **+**. A new row appears. 2. Repeat steps **6-8**. 3. Select the conditional logic for the multiple attributes.
ConditionDescription
AND(Default) Allows the user to request access if they meet all the selected attributes
ORAllows the user to request access if they meet any of the selected attributes
### Requesting Access on Behalf of Others {% hint style="success" %} **What is it good for?** * Onboarding new hires – Set up access before day one so they’re ready to go from the start. * Incident response – Get help from teammates fast, without involving Apono admins. * Contractors – Request narrow, temporary access for external contractors. * Team enablement – Empower managers to request access for their team members. {% endhint %} 1. Click **Themselves** to define for whom the requestor can request resource access. An options menu appears. 2. Select one or several options.
OptionDescription
Themselves(Default) Allows the requestor to only request resource access for himself or herself
Direct ReportsAllows the requestor, identified as a manager in the organization’s identity provider (IdP), to request resource access solely for individuals formally assigned as direct reports in the IdP
Others (specify)Allows the requestor to only request resource access on behalf of others (grantees)
3. (Others, Both) Define the other users: 1. Click **Select attribute** to select an attribute, such as **User** or **Group**. 2. (Optional) Click **is** to select conditional logic from the menu options. 3. Click **Select value** to select one or multiple users or groups from the menu options. This selection determines for whom access can be requested. 4. (Optional) Add another attribute. 1. Under the last listed attribute, click **+**. A new row appears. 2. Repeat steps **3a-c**. 3. Select the conditional logic for the multiple attributes.
ConditionDescription
AND(Default) Allows the user to request access if they meet all the selected attributes
ORAllows the user to request access if they meet any of the selected attributes
*** ## Define the resource

Defining integration, access scope, and bundle resources

You can define access to specific resources in an Apono integration, bundle, or access scope. {% hint style="info" %} If you are creating an access flow within a space, **only space-specific access scopes or bundles** can be used to define the access flow’s resources. {% endhint %} {% tabs %} {% tab title="Integrations" %} Follow these steps to define access to specific resources: 1. Under **Request access to**, click **Select target > Integrations**. 2. Select an integration. The **Select resource type** panel appears. 3. Select the resource type. 4. Click **Done**. The panel closes. 5. Click **permissions**. The **Permissions** menu appears. 6. Select one or more permissions to grant the requester. 7. (Optional) Refine the available resources: 1. Click in the populated **to** field. A list of resources appears. 2. Select one or several resources. {% hint style="info" %} By default, the user has access to **Any resources**. However, the following options allow you to define access more granularly: * **Any resources except specific** * **Select by name** * **Select by tags** {% endhint %} 8. (Optional) Add another target: 1. Click **+** at the end of the row. A new target row appears. 2. Repeat steps **1-7** or add a [bundle](#bundles) or [access scope](#access-scope). {% endtab %} {% tab title="Bundles" %} {% hint style="success" %} To ensure you do not exceed the AWS inline policy character limit, read [AWS Limitations](https://docs.apono.io/docs/aws-environment/aws-integrations/integrate-an-aws-account-or-organization/aws-best-practices) when adding bundles with AWS resources. {% endhint %} Follow these steps to define access to a specific bundle: 1. Under **Request access to**, click **Select target > Bundles**. 2. (Optional) Click (eye icon). A **Preview Bundle** pop-up window appears displaying the contents of the bundle. 3. Select a bundle. {% hint style="success" %} You can also click **+ Create new bundle** if none of the existing bundles meet your needs. The **Create Bundle** page appears. You can [create](https://docs.apono.io/docs/access-flows/create-bundles) a new bundle. {% endhint %} 4. (Optional) To add another bundle, click **+**. A new target row appears. 5. Repeat steps **1-2** or add an [integration](#integrations) or [access scope](#access-scope). {% endtab %} {% tab title="Access Scope" %} Follow these steps to define access to a specific access scope: 1. Under **Request access to**, click **Select target > Access Scope**. The **Select access scope** menu appears. {% hint style="success" %} You may enter keywords into the search bar to locate an access scope. {% endhint %} 2. (Optional) Click (eye icon). A **Preview Access Scope** pop-up window appears displaying the contents of the access scope. 3. Select an access scope. {% hint style="success" %} You can also click **+ Create New Access Scope** if none of the existing access scopes meet your needs. The **Inventory** page appears. You can [create](https://docs.apono.io/docs/inventory/access-scopes#create-an-access-scope) and [use](https://docs.apono.io/docs/inventory/access-scopes#use-an-access-scope) the new access scope. {% endhint %} 4. (Optional) To add another access scope, click **+**. A new target row appears. 5. Repeat steps **1-3** or add an [integration](#integrations) or [bundle](#bundles). {% endtab %} {% endtabs %} *** ## Set access duration and approval process {% hint style="success" %} Learn about [access duration and best practices](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/access-duration). {% endhint %}

Access duration and approval process

Follow these steps to define the duration of access: 1. Click in the populated **Grant for** field. The granting period settings appear.
PeriodDescription
Custom

(Default) Grants the requester access for a custom period

The default granting period is set to 1 hour.

Follow these steps to grant access for a custom period:

  1. Select the first radio button.
  2. From the right dropdown menu, select a time unit.
  3. In the first field, enter a numerical value for the time unit.
  4. In the second field, select a time unit from the dropdown menu.
Indefinite

Grants the requester access indefinitely

Follow this step to set this period:

  1. Click Indefinite.
2. Click **Automatic** to select the approval type.
PeriodDescription
AutomaticAutomatically grants the requester access for the specified period

Automatic approval is the default setting.
Approval ofGrants the requester access for the specified period upon the approval of certain parties

For more information, learn how to set up custom approval.
3. Click **Create Access Flow**. ### Set up custom approval

Custom approval flow

**Approval of** provides in-depth options to customize the approval flow. This approval type is ideal for production environments and highly sensitive resources. Follow these steps to set up **Approval of**: 1. Click the populated **with** field. The approval type menu appears. 2. Click **Approval of**. The **Approval of** fields appear. 3. Click **Select attribute** to select an IdP attribute, such as **User**, **Group**, or **Owner**. {% hint style="info" %} If you have connected an [incident response integration](https://docs.apono.io/docs/additional-integrations/incident-response-integrations/opsgenie) with Apono, the attribute can also be an on-call shift. {% endhint %} 4. (Optional) Click **is** to select conditional logic from the menu options. {% hint style="info" %} Other operators include the following: * **Is not** * **Contains** * **Does not contain** * **Starts with** {% endhint %} 5. Click **Select value** to select one or multiple users or groups from the menu options. This selection determines who is permitted to approve access. 6. (Optional) Add another approver condition. 1. Immediately beneath the last list approver, click **+**. A new row appears. 2. Repeat steps **3-5** to add another approver to the group. 3. Select the conditional logic for the multiple approvers.
ConditionDescription
AND(Default) If you have multiple attributes in the approval group, AND requires the approver to meet all the attributes.
ORIf you have multiple attributes in the approval group, OR requires the approver to meet only one of the attributes.
7. (Optional) Add another approver group. 1. Beneath the last approver group, click **+**. A new approval group appears. 2. Repeat steps **3-5** to add another approver to the group. 3. Select the conditional logic for the multiple groups of approvers.
ConditionDescription
ANY OFIf you have multiple approval groups, ANY OF only requires one approver belonging to any group to approve access.
ALL OFIf you have multiple approval groups, ALL OF requires one approver per group to approve access.
*** ## Set approval escalation {% hint style="success" icon="lightbulb" %} Learn about [approval escalation](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/approval-escalation). {% endhint %}

Approval escalation settings

Follow these steps to enable approval escalation: 1. Click **+ Add Escalation Policy**. The setting appears. {% hint style="info" %} For this option to appear, [custom approval](#set-up-custom-approval) must be configured for the access flow. {% endhint %} 2. For the **Escalate every** rule, set the duration that must elapse before escalating to the next tier: 1. From the **Escalate every** dropdown menu (the second field), select a time unit. 2. In the first field, enter a numerical value for the time unit. 3. Under **Escalation Tier #1**, click **Select attribute** to select an IdP attribute, such as **User**, **Group**, or **Owner**. 4. (Optional) Click **is** to select conditional logic from the menu options. {% hint style="info" %} Other operators include the following: * **Is not** * **Contains** * **Does not contain** * **Starts with** {% endhint %} 4. Click **Select value** to select one or multiple users or groups from the menu options. This selection determines who is permitted to approve access. 5. (Optional) Add another approver condition. 1. Immediately beneath the last list approver, click **+**. A new row appears. 2. Repeat steps **2-4** to add another approver to the group. 3. Select the conditional logic for the multiple approvers.
ConditionDescription
AND(Default) If you have multiple attributes in the approval group, AND requires the approver to meet all the attributes.
ORIf you have multiple attributes in the approval group, OR requires the approver to meet only one of the attributes.
6. Repeat steps **2-5** for each escalation tier. *** ## Enable IGA settings Apono allows administrators to apply various settings to enhance the security of access flows. {% hint style="info" %} All admin settings are optional. {% endhint %}

Access flow settings

SettingDescription
Access flow labels

Identifies an access flow for streamlined organization and use

When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page.

Follow these steps:

  1. Enter a value.
  2. Press Enter on your keyboard or select an existing label from the filtered list.
Require MFA

Requires grantees to complete multi-factor authentication to complete a request


We strongly recommend enabling MFA for access requests to sensitive resources.

The grantee will need to enable multi-factor authentication.

Follow this step:

  1. Click the toggle. When enabled, the toggle turns green.
Require justification

Requires grantees to enter a justification for their request

Follow this step:

  1. Click the toggle. When enabled, the toggle turns green.
Require Approver Reason

Requires approvers to provide a reason (limited to 124 characters) when approving or rejecting a request


If disabled, providing a reason is optional.

Follow this step:

  1. Click the toggle. When enabled, the toggle turns green.
Requester and grantee cannot self approve

Prevents users from approving their own access requests

If the user is a member of an approval group, they will not receive a notification to approve the request.

Follow this step:

  1. Click the toggle. When enabled, the toggle turns green.
Allow extending request

Allows requestors to extend active access for a limited duration without submitting a new request

Follow these steps:

  1. Click the toggle. When enabled, the toggle turns green.
  2. Click in the Allow extending request up to field to choose the number of times the request can be extended, up to a maximum of 10.
  3. Click in the Extend for fields to select the duration of each extension, up to the maximum access duration set for the access flow. The default duration is 30 minutes per extension.

Credential rotation, user cleanup, MFA, and approval requirements apply only to new access requests. Extending access preserves the existing session, user, and credentials.

Description

Access flow summary automatically generated after defining the name, requestors, and resources

To keep the description aligned with changes in the access flow, click Generate to refresh it with the latest updates:

  1. Click Generate. Apono will populate the field with a new description.
  2. (Optional) Review and manually edit the description.
  3. (Optional) Provide feedback on the description. Click (thumbs up icon) if the description was helpful. Click (thumbs down icon) and add a comment if the description was unhelpful.