How to: Use Access Bundles

Creating and requesting access bundles with Apono for quick and easy access management

Overview

How do you manage access to different roles or permission sets from different systems centrally? Is there an easy way to control roles, permission sets, permissions, actions and groups that represent a business use case or task in a single place?

Yes, there is, and it's called Apono Bundles!

If some users, groups or shifts require a set of permissions to perform tasks, resolve incidents or do their day-to-day work, they can now request an entire bundle instead of refilling the same form and picking each permission separately.

The Apono admin can set up the bundle once in the Admin portal, use it in Access Flows - and voila! Users who are included in these Access Flows can request an entire bundle, or just the parts of the bundle they need.

This can save users a lot of time and energy filling access request forms, especially for recurring access needs (for example, if developers request the same set of permissions to the same set of resources every morning).

Use cases

Think of Bundles as Apono's native IAM role for all your apps. For example, you may want to grant the same set of permissions to the same resources, but with a different access duration and approval flow for different users.

Let's say you want to automate access management to Production resources: read and write access to S3 buckets in AWS prod, a Kubernetes production namespace, and a specific AWS IAM role. However, you want your PagerDuty on-call developers to get access automatically upon request for 1 hour, and other developers to get access for 5 hours with their manager's approval.

You can do that with Bundles: select the resources and the permissions you need once, then reuse them across Access Flows, changing only the grantees, approvers, and access time.

Do you want to change your bundle, for example by adding or removing resources and permissions? Edit your Bundle once, and the change will affect all the Access Flows that contain it.

Mix and match bundles and regular permissions to resources in the same Access Flow.

How to create bundles

  1. Go to Access Flows

  2. Click the Bundles tab

  3. See all of your existing Bundles - you can edit and delete them

  4. Click Create Bundle; pick Integrations, Resources, and Permissions. Add as many as you want and Save

  5. Go to Access Flows, create a new Access Flow, or edit an existing one: in the resources section, you can switch between Integrations and Bundles by clicking the tab on the top right corner.

  6. Feel free to add other bundles and permissions to resources, set your grantee, access time, approver time, and Save/Update.

How to request bundles

For requesters

Submitting an access request

  1. Use the Apono Slack app or /apono command to create a new access request

  2. Click the Bundle Mode button on the top right corner

  3. Pick a bundle from the dropdown menu

    1. Users can only pick bundles accessible to them through an active Access Flow

  4. Pick some or all resources and permissions from the list below

    1. Note: You can pick up to 1,000 objects. If a bundle contains more than 1,000 objects, Select all will not work.

  5. Add a Justification

  6. Submit the request

After submitting an access request

  1. Requesters will receive a single message about each status change

  2. Requesters will receive credentials (access details) for each integration separately

  3. When revoked or expired, access to the entire bundle will be deprovisioned together

For approvers

  1. Approvers will receive one Slack message asking to approve or reject the entire bundle

  2. The message contains:

    1. The requester's email

    2. The bundle name

    3. Integrations

    4. Resources

    5. Permissions

    6. Justification

    7. The reason why you are assigned this request

    8. Approve or Deny

  3. You can only approve or deny the entire bundle.

How to manage and audit bundle access

Activity logs

  1. In the admin portal, navigate to the Activity page

  2. In the Activity page, each bundle will appear as a single line with a single request ID. Click the request row to see a complete breakdown of the resources and permissions in it

Reports

  1. In the admin portal, navigate to the Activity page

  2. Click the Reports tab

  3. When creating a report, each row will represent 1 integration with several resources and permissions separated by commas.

  4. The Bundle Name column represents the name of the bundle. Bundles can be spread into several rows, one row for each integration (see above)
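Because a bundle is spread over one report row per integration, an audit review usually starts by folding those rows back into one record per request. The following is an added example, not Apono code: it assumes the report has been exported to CSV, and every column header other than Bundle Name, as well as all sample values, is an assumption made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report. Only the "Bundle Name" column is named on the page;
# the other headers and every value here are assumptions for illustration.
SAMPLE_REPORT = """\
Request ID,Bundle Name,Integration,Resources,Permissions
REQ-1,prod-oncall,aws-prod,"bucket-a, bucket-b","Read, Write"
REQ-1,prod-oncall,k8s-prod,payments-ns,Admin
REQ-2,,postgres-prod,orders-db,ReadOnly
REQ-3,prod-oncall,aws-prod,bucket-a,Read
"""


def split_list(cell):
    """Split a comma-separated cell into trimmed, non-empty items."""
    return [item.strip() for item in (cell or "").split(",") if item.strip()]


def fold_bundle_rows(report_text):
    """Merge per-integration rows into one record per (request ID, bundle name).

    Rows with an empty Bundle Name are treated as regular (non-bundle) grants
    and returned separately so they are not mistaken for part of a bundle.
    """
    bundles = defaultdict(
        lambda: defaultdict(lambda: {"resources": set(), "permissions": set()})
    )
    standalone = []
    for row in csv.DictReader(io.StringIO(report_text)):
        name = (row.get("Bundle Name") or "").strip()
        if not name:
            standalone.append(row)
            continue
        key = (row["Request ID"].strip(), name)
        entry = bundles[key][row["Integration"].strip()]
        entry["resources"].update(split_list(row["Resources"]))
        entry["permissions"].update(split_list(row["Permissions"]))
    # Convert the nested defaultdicts to plain dicts before returning.
    return {key: dict(per_int) for key, per_int in bundles.items()}, standalone


if __name__ == "__main__":
    folded, standalone = fold_bundle_rows(SAMPLE_REPORT)
    for (request_id, bundle), integrations in sorted(folded.items()):
        print(request_id, bundle, sorted(integrations))
    print("non-bundle rows:", [r["Request ID"] for r in standalone])
```

Splitting on commas misparses any resource or permission name that itself contains a comma, so check the folded output against the request breakdown on the Activity page for such names.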

Slack audit channel

  1. If you are using the Apono Slack channel to get updates on access request statuses, you will receive a single message about each status change

Last updated 7 months ago
