Self Serve Access Flows
Create automated access policies for users to request access self-serve
Self serve access flows grant access to a resource based on a user request for a defined time period.
This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) or break-glass access cases.
To create a self-serve access flow, you must define the permitted requestors, available resources, and approvers.

Prerequisites
Cloud resources
One or more resources in a cloud platform that has been integrated with Apono
If you have not already, integrate Apono with a cloud platform to control access to its resources.
Apono identities
One or more identity sources in the Apono system. There are various ways to add identities to Apono.
Begin access flow creation

Follow these steps:
On the Access Flows page, click Create Access Flow. The Create Access Flow page appears.
If Space Management is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.
If no space is selected, the access flow will be created at the global account level.
Click Self Serve. The Self Serve fields appear below.
Enter a user-friendly Access flow name.
Define permitted requestors

Follow these steps:
Click When. A settings window appears to set the access period.
Set the access period.
Always
(Default) Applies to the requester conditions at all times
Follow these steps:
Select Always.
Click outside of the window to close it.
Only on
Applies to the requester conditions during a specific time frame
Follow these steps:
Select Only on.
Select one or more days of the week.
In the From field, select a start time from the dropdown menu.
In the to field, select an end time from the dropdown menu.
Select a timezone from the dropdown menu.
Click outside of the window to close it.
Define the permitted requestor:
Click Select attribute to select an attribute, such as User or Group.
(Optional) Click is to select comparative logic from the menu options.
Click Select value to select one or more users or groups from the menu options.
Click outside of the menu to close it.
(Optional) To add another attribute, click + under the last listed attribute. In the new row that appears, repeat steps 3a-d.
If multiple attributes have been defined in step 3, select the conditional logic for the multiple attributes.
Request access on behalf of others
This setting allows requesters to request access for others in common business situations:
New hire onboarding: Prepare access before a new employee’s first day so she or he can start work immediately.
Team enablement: Empower managers to request access for members of their teams.
Contractor access: Grant external users narrow, time-bound access to specific resources.
Incident response: Let team members request access for the right responder without waiting for an Apono admin.
Follow these steps:
Click Themselves. An options menu appears.
Themselves
(Default) Allows the requestor to only request resource access for himself or herself
Direct Reports
Allows the requestor, identified as a manager in the organization’s identity provider (IdP), to request resource access solely for individuals formally assigned as direct reports in the IdP
Others (specify)
Allows the requestor to only request resource access on behalf of others (grantees)
Click outside of the options menu to close it.
(Others (specify)) Define those for whom the requestor can request access:
Click Select attribute to select an attribute, such as User or Group.
(Optional) Click is to select comparative logic from the menu options.
Click Select value to select one or more users or groups from the menu options.
Click outside of the value menu to close it.
(Optional) To add another attribute, click + under the last listed attribute. In the new row that appears, repeat steps 4a-d.
Select the conditional logic for the multiple attributes.
Define the resource

Follow these steps:
Define access to specific resources.
Follow these steps to define access to specific resources:
Under Request access to, click Resources. The filters options appear.
Click Basic.
Filter the resources by one or more of the following filters. Resources matching the selected filters display.
To create complex queries, click AQL to build a query in the code box.
The Apono Query Language enables you to extend your query capabilities beyond the standard options available with the UI.
Integration
Follow these steps to filter by integration:
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
(Optional) In the Search field, enter a value to filter the list of integrations.
Select one or more integrations. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Type
Follow these steps to filter by resource type:
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
(Optional) In the Search field, enter a value to filter the list of resource types.
Select one or more resource types. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Name
Follow these steps to filter by resource name:
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Contains (a*b)
Does not contain (!a*b)
Starts with (*b)
Ends with (a*)
(Optional) In the Search field, enter a value to filter the list of resource names.
(Equals, Not Equals only) Select one or more resource names. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Permission Name
Follow these steps to filter by permission name:
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Contains (a*b)
Does not contain (!a*b)
Starts with (*b)
Ends with (a*)
(Optional) In the Search field, enter a value to filter the list of permission names.
(Equals, Not Equals only) Select one or more permission names. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Path
Follow these steps to filter by resource path:
Click the More filters icon > Resource Path.
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Contains (a*b)
Does not contain (!a*b)
Starts with (*b)
Ends with (a*)
(Optional) In the Search field, enter a value to filter the list of resource paths.
Select one or more resource paths. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Source ID
Follow these steps to filter by resource source ID (for example, account, folder, project, Azure subscription, or management group IDs):
Click the More filters icon > Resource Source ID.
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
In (in)
Not (not in)
Contains (a*b)
Does not contain (!a*b)
Starts with (*b)
Ends with (a*)
(Optional) In the Search field, enter a value to filter the list of IDs.
Select one or more IDs. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Tag
Follow these steps to filter by resource tag:
Click the More filters icon > Resource Tag.
(Optional) In the Search field, enter a value to filter the list of resource names.
Click the resource name.
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Contains (a*b)
Does not contain (!a*b)
Starts with (*b)
Ends with (a*)
(Optional) In the Search field, enter a value to filter the list of resource tags.
(Equals, Not Equals only) Select one or more resource tags. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Resource Risk Level
Follow these steps to filter by resource risk level:
Click the More filters icon > Resource Risk Level.
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Select one or more resource risk levels. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Permission Risk Level
Follow these steps to filter by permission risk level:
Click the More filters icon > Permission Risk Level.
From the dropdown menu, select the comparative logic:
Equals (=)
Not Equals (!=)
Select one or more permission risk levels. Only the values meeting the criteria will be shown.
Click outside of the menu to close it.
Click Select Resources or Create Bundle to create a bundle within the flow from the filtered resources.
To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding bundles with AWS resources.
Follow these steps to define access to a specific bundle:
Under Request access to, click Bundles. The list of bundles appears.
(Optional) In the search field, enter a partial or full bundle name to filter the list of bundles.
In the Bundle panel, select a bundle. The contents of the bundle logic appear in the AQL pane.
Click Use Bundle.
Follow these steps to define access to a specific access scope:
Under Request access to, click More Options > Access Scope. The Select access scope menu appears.
(Optional) Enter keywords into the search bar to locate an access scope.
(Optional) Click the eye icon. A Preview Access Scope pop-up window appears displaying the contents of the access scope.
Select an access scope.
Follow these steps to define access to specific resources:
Under Request access to, click More Options > Integrations. The Select integration menu appears.
(Optional) Enter keywords into the search bar to locate an integration.
Select an integration. The Select resource type panel appears.
Select the resource type.
Click Done. The panel closes.
Click permissions. The Permissions menu appears.
Select one or more permissions to grant the requester.
Click outside the window to close it.
(Optional) Refine the available resources:
Click in the populated to field. A list of resources appears.
Select one or several resources.
By default, the user has access to Any resources. However, the following options allow you to define access more granularly:
Any resources except specific
Select by name
Select by tags
(Optional) Click + Select Resources and repeat step 1 to include another resource.
Set access duration and approval process
Learn about access duration and best practices.

Follow these steps:
Click in the populated Grant for field. The granting period and extend duration options appear.
Set the granting period.
Custom
(Default) Grants the requester access for a custom period
The default granting period is set to 1 hour.
Follow these steps to grant access for a custom period:
Select the first radio button.
From the right dropdown menu, select a time unit.
In the first field, enter a numerical value for the time unit.
In the second field, select a time unit from the dropdown menu.
Indefinite
Grants the requester access indefinitely
Follow this step to set this period:
Click Indefinite.
Enable and define extended access duration.
Allow Extend Duration
Allows requestors to extend active access for a limited duration without submitting a new request
Follow these steps:
Click the toggle on. When enabled, the toggle turns green.
Click in the Allow extending request up to field to choose the number of times the request can be extended, up to a maximum of 10.
Click in the Extend for fields to select the duration of each extension, up to the maximum access duration set for the access flow. The default duration is 30 minutes per extension.
Credential rotation, user cleanup, MFA, and approval requirements apply only to new access requests. Extending access preserves the existing session, user, and credentials.
Click Automatic to select the approval type.
Automatic
Automatically grants the requester access for the specified period
Automatic approval is the default setting.
Approval of
Grants the requester access for the specified period upon the approval of certain parties
This approval type is ideal for production environments and highly sensitive resources.
Follow these steps to set up Approval of:
Click the populated with field. The approval type menu appears.
Click Approval of. The Approval of fields appear.
Click Select attribute to select an IdP attribute.
If you have connected an incident response integration with Apono, the attribute can also be an on-call shift.
(Optional) Click is to select comparative logic from the menu options.
Click Select value to select one or more users or groups from the menu options.
Click outside of the value menu to close it.
(Optional) To add another attribute to the current approver, click + under the last listed attribute. In the new row that appears, repeat steps 3-6.
Select the conditional logic for the multiple attributes.
(Optional) To add another approver, click + under the last approver. In the new approver that appears, repeat steps 3-8.
Select the conditional logic for the multiple groups of approvers.
ANY OF
If you have multiple approval groups, ANY OF only requires one approver belonging to any group to approve access.
ALL OF
If you have multiple approval groups, ALL OF requires one approver per group to approve access.
(Optional) Set the approval escalation.
Set approval escalation
Learn about approval escalation.

Follow these steps to enable approval escalation:
Click + Add Escalation Policy. The setting appears.
For this option to appear, custom approval (Approval of) must be configured for the access flow.
For the Escalate every rule, set the duration that must elapse before escalating to the next tier:
From the Escalate every dropdown menu (the second field), select a time unit.
In the first field, enter a numerical value for the time unit.
Under Escalation Tier #1, click Select attribute to select an IdP attribute, such as User, Group, or Owner.
(Optional) Click is to select comparative logic from the menu options.
Click Select value to select one or multiple users or groups from the menu options.
Click outside of the value menu to close it.
(Optional) To add another attribute, click + under the last listed attribute. In the new row that appears, repeat steps 3-6.
Select the conditional logic for the multiple attributes.
(Optional) To add another escalation tier, repeat steps 3-8.
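The approval settings above (Approval of groups combined with ANY OF or ALL OF, escalation tiers that take over every N time units, and the IGA setting Requester and grantee cannot self approve described later on this page) can be modelled to check what a given set of approvals actually means. The following is an added illustrative model, not Apono's implementation; the approver groups, addresses and tier names are constructed.

```python
"""Illustrative model of self-serve approval semantics: ANY OF / ALL OF across
approver groups, self-approval exclusion, and time-based escalation tiers.
Constructed data; this is not Apono's own code."""
from datetime import timedelta

# Constructed approver groups, as they would be built in the Approval of fields.
APPROVAL_GROUPS = {
    "platform-oncall": {"alice@example.com", "bob@example.com"},
    "security": {"carol@example.com", "dave@example.com"},
}

# Constructed tier list: tiers[0] is the original Approval of approvers,
# tiers[1:] are Escalation Tier #1, #2, ... in order.
TIERS = ["Approval of approvers", "Escalation Tier #1", "Escalation Tier #2"]


def eligible_approvers(groups, requester, grantee, no_self_approve=True):
    """Per group, who may approve. With 'Requester and grantee cannot self approve'
    enabled, the requester and grantee are dropped even if they belong to a group."""
    excluded = {requester, grantee} if no_self_approve else set()
    return {name: members - excluded for name, members in groups.items()}


def is_approved(groups, approvals, logic, requester, grantee, no_self_approve=True):
    """ANY OF: one eligible approver from any single group suffices.
    ALL OF: at least one eligible approver from every group is required."""
    eligible = eligible_approvers(groups, requester, grantee, no_self_approve)
    approved_groups = [name for name, members in eligible.items()
                       if members & set(approvals)]
    if logic == "ANY OF":
        return len(approved_groups) > 0
    if logic == "ALL OF":
        return len(approved_groups) == len(groups)
    raise ValueError(f"unknown conditional logic: {logic}")


def escalation_tier(elapsed, escalate_every, tiers):
    """Index of the tier currently responsible for a pending request.
    The original approvers handle the first 'Escalate every' interval, then each
    escalation tier handles the next one; the last tier keeps the request."""
    if escalate_every <= timedelta(0):
        raise ValueError("escalation interval must be positive")
    step = int(elapsed // escalate_every)
    return min(step, len(tiers) - 1)
```

Note that with ALL OF, a group whose only members are the requester and grantee can never satisfy the policy once self-approval is blocked, so check group membership when combining the two settings.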
Logic reference
Comparative Logic
The following tables explain the filter comparative logic.
Requestors and grantees
Is
Checks if values are the same
Examples:
User is Jane.Doe@user.com
Group is Admin_Group
Is not
Checks if values are different
Examples:
User is not Jane.Doe@user.com
Group is not Admin_Group
Does not contain
Checks if a value does NOT contain another value as a substring or pattern
Examples:
User does not contain Jane.Doe@user.com
Group does not contain Admin_Group
Starts with
Checks if a value begins with a specific value or pattern
Examples:
User starts with ja
Group starts with ad
Resources
Equals (=)
Checks if values are the same
Examples:
Resource Type equals DynamoDB Table
Resource Status equals ACTIVE
After filtering by this value, you can select the exact resources to include in your filtered query.
Not Equals (!=)
Checks if values are different
Examples:
Integration does not equal AWS Playground
Resource Type does not equal S3 Bucket
After filtering by this value, you can select the exact resources to include in your filtered query.
Contains (a*b)
Checks if a value contains another value as a substring or pattern
Examples:
Resource Name contains playground
Resource Tag contains true
Does not contain (!a*b)
Checks if a value does NOT contain another value as a substring or pattern
Examples:
Resource Name does not contain production
Permission Name does not contain admin
Starts with (*b)
Checks if a value begins with a specific value or pattern
Examples:
Resource Name starts with aws
Resource Tag for a region starts with eu
Ends with (a*)
Checks if a value ends with a specific value or pattern
Examples:
Resource Name ends with terraform-state
Resource Tag for an env ends with dev
Conditional logic
AND
(Default) Allows the user to request access if they meet all the selected attributes
OR
Allows the user to request access if they meet any of the selected attributes
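The comparative and conditional logic in the tables above can be exercised against a small resource inventory to see which resources a filter actually admits. The following is an added example written for this page, not Apono's implementation; the resource records, tag keys and the handling of multi-value selections are constructed assumptions.

```python
"""Illustrative evaluator for the Logic reference: one comparative operator per
attribute, combined with AND (default) or OR. Constructed data; not Apono's code."""

# Constructed resource inventory carrying the attributes the filters act on.
RESOURCES = [
    {"integration": "AWS Playground", "type": "S3 Bucket", "name": "aws-playground-logs",
     "tags": {"env": "dev", "region": "eu-west-1"}, "risk": "Low"},
    {"integration": "AWS Prod", "type": "S3 Bucket", "name": "aws-prod-terraform-state",
     "tags": {"env": "prod", "region": "us-east-1"}, "risk": "High"},
    {"integration": "AWS Prod", "type": "DynamoDB Table", "name": "orders-production",
     "tags": {"env": "prod", "region": "eu-central-1"}, "risk": "High"},
]

# Comparative logic from the reference table, keyed by its UI label.
OPERATORS = {
    "Equals": lambda v, x: v == x,
    "Not Equals": lambda v, x: v != x,
    "Contains": lambda v, x: x in v,
    "Does not contain": lambda v, x: x not in v,
    "Starts with": lambda v, x: v.startswith(x),
    "Ends with": lambda v, x: v.endswith(x),
}


def attribute_value(resource, attribute):
    """Resolve a filter attribute to the resource's value.
    'Resource Tag:<key>' reads that tag (assumed naming for this example)."""
    if attribute.startswith("Resource Tag:"):
        return resource["tags"].get(attribute.split(":", 1)[1], "")
    return {"Integration": resource["integration"], "Resource Type": resource["type"],
            "Resource Name": resource["name"], "Resource Risk Level": resource["risk"]}[attribute]


def matches(resource, condition):
    """condition = (attribute, operator, values). Assumption: selecting several
    values means 'any of them' for positive operators and 'none of them' for Not Equals."""
    attribute, operator, values = condition
    value = attribute_value(resource, attribute)
    if operator == "Not Equals":
        return all(OPERATORS[operator](value, x) for x in values)
    return any(OPERATORS[operator](value, x) for x in values)


def filter_resources(conditions, logic="AND", resources=RESOURCES):
    """Apply every condition with AND or OR and return the matching resource names."""
    combine = all if logic == "AND" else any
    return [r["name"] for r in resources
            if combine(matches(r, c) for c in conditions)]
```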
Enable IGA settings
Apono allows administrators to apply various settings to enhance the security of access flows.
All admin settings are optional.

Access flow labels
Identifies an access flow for streamlined organization and use
When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page.
Follow these steps:
Enter a value.
Press Enter on your keyboard or select an existing label from the filtered list.
Require MFA
Requires grantees to complete multi-factor authentication to complete a request
We strongly recommend enabling MFA for access requests to sensitive resources.
The grantee will need to enable multi-factor authentication.
Follow this step:
Click the toggle. When enabled, the toggle turns green.
Require justification
Requires grantees to enter a justification for their request
Follow this step:
Click the toggle. When enabled, the toggle turns green.
Require Approver Reason
Requires approvers to provide a reason (limited to 124 characters) when approving or rejecting a request
If disabled, providing a reason is optional.
Follow this step:
Click the toggle. When enabled, the toggle turns green.
Requester and grantee cannot self approve
Prevents users from approving their own access requests
If the user is a member of an approval group, they will not receive a notification to approve the request.
Follow this step:
Click the toggle. When enabled, the toggle turns green.
Description
Access flow summary automatically generated after defining the name, requestors, and resources
To keep the description aligned with changes in the access flow, click Generate to refresh it with the latest updates:
Click Generate. Apono will populate the field with a new description.
(Optional) Review and manually edit the description.
(Optional) Provide feedback on the description. Click the thumbs up icon if the description was helpful. Click the thumbs down icon and add a comment if the description was unhelpful.