How to: Use Access Bundles
Creating and requesting access bundles with Apono for quick and easy access management
Overview
How do you manage access to different roles or permission sets from different systems centrally? Is there an easy way to control roles, permission sets, permissions, actions and groups that represent a business use case or task in a single place?
Yes there is, and it's called Apono Bundles!
If some users, groups or shifts require a set of permissions to perform tasks, resolve incidents or do their day-to-day work, they can now request an entire bundle instead of filling out the same form again and picking each permission separately!
The Apono admin can set up the bundle once in the Admin portal, use it in Access Flows - and voila! Users who are included in these Access Flows can request an entire bundle, or just the parts of the bundle they need.
This can save users a lot of time and energy filling access request forms, especially for recurring access needs (for example, if developers request the same set of permissions to the same set of resources every morning).
Use cases
Think of Bundles as Apono's native IAM Role for all your apps. For example, you may want to grant the same set of permissions to the same resources, but with a different access duration and approval flow for different users.
Let's say you want to automate access management to Production resources: Read and Write access to S3 buckets in AWS prod, a Kubernetes production namespace, and a specific AWS IAM role. However, you want your PagerDuty On Call developers to get access automatically upon request for 1 hour and other developers to gain permission for 5 hours with their manager's approval.
You can do that with Bundles: select the scope of resources and the permissions on them once, then reuse that selection across Access Flows, changing only the grantees, approvers, and access time.
Do you want to change your bundle, for example by adding or removing resources and permissions? Edit your Bundle once, and the change will affect all the Access Flows that contain it.
Mix and match bundles and regular permissions to resources in the same Access Flow.
How to create bundles
Go to Access Flows
Click the Bundles tab
See all of your existing Bundles - you can edit and delete them
Click Create Bundle; pick Integrations, Resources, and Permissions. Add as many as you want and Save
Go to Access Flows, create a new Access Flow, or edit an existing one: in the resources section, you can switch between Integrations and Bundles by clicking the tab on the top right corner.
Feel free to add other bundles and permissions to resources, set your grantee, access time, approver time, and Save/Update.
How to request bundles
For requesters
Submitting an access request
Use the Apono Slack app or /apono command to create a new access request
Click the Bundle Mode button on the top right corner
Pick a bundle from the dropdown menu
Users can only pick bundles accessible to them through an active Access Flow
Pick some or all resources and permissions from the list below
Note: You can pick up to 1,000 objects. If a bundle contains more than 1,000 objects, Select all will not work.
Add a Justification
Submit the request
After submitting an access request
Requesters will receive a single message about each status change
Requesters will receive credentials (access details) for each integration separately
When revoked or expired, access to the entire bundle will be deprovisioned together
For approvers
Approvers will receive one Slack message asking to approve or reject the entire bundle
The message contains:
The requester's email
The bundle name
Integrations
Resources
Permissions
Justification
The reason why you are assigned this request
Approve or Deny
You can only approve or deny the entire bundle.
How to manage and audit bundle access
Activity logs
In the admin portal, navigate to the Activity page
In the Activity page, each bundle will appear as a single line with a single request ID. Click the request row to see a complete breakdown of the resources and permissions in it
Reports
In the admin portal, navigate to the Activity page
Click the Reports tab
When creating a report, each row will represent 1 integration with several resources and permissions separated by commas.
The Bundle Name column represents the name of the bundle. Bundles can be spread into several rows, one row for each integration (see above)
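For audit review, the per-integration report rows can be regrouped into one record per bundle request. The following is an added example, not Apono's own code: it assumes the report is exported as CSV, and every column name except Bundle Name, the empty Bundle Name for non-bundle requests, and all sample values are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample report. Only the "Bundle Name" column is named on this page;
# the other column names and all values are assumptions for illustration.
SAMPLE_REPORT = """\
Request ID,Requester,Bundle Name,Integration,Resources,Permissions
REQ-1,dev@example.com,prod-oncall,aws-prod,"bucket-a, bucket-b","Read, Write"
REQ-1,dev@example.com,prod-oncall,k8s-prod,payments-namespace,Admin
REQ-2,ops@example.com,,aws-prod,bucket-a,Read
"""


def split_cell(cell):
    """Split a comma-separated report cell into a clean list of items."""
    return [item.strip() for item in cell.split(",") if item.strip()]


def regroup_by_bundle(report_text):
    """Merge per-integration rows back into one record per bundle request.

    Returns {(request_id, bundle_name): {integration: {"resources", "permissions"}}}.
    Rows with an empty Bundle Name are treated as non-bundle requests and skipped.
    """
    grouped = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(report_text)):
        bundle = row["Bundle Name"].strip()
        if not bundle:
            continue
        key = (row["Request ID"].strip(), bundle)
        entry = grouped[key].setdefault(
            row["Integration"].strip(), {"resources": [], "permissions": []}
        )
        entry["resources"].extend(split_cell(row["Resources"]))
        entry["permissions"].extend(split_cell(row["Permissions"]))
    return dict(grouped)


def integrations_per_request(grouped):
    """Map each bundle request to the sorted list of integrations it touched."""
    return {key: sorted(value) for key, value in grouped.items()}


if __name__ == "__main__":
    for key, integrations in regroup_by_bundle(SAMPLE_REPORT).items():
        print(key, integrations)
```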
Slack audit channel
If you are using the Apono Slack channel to get updates on access request statuses, you will receive a single message about each status change