Revoke Access
How to automate access revocation to maintain least privilege for DevOps
A big, often overlooked, part of access management is revoking access; de-provisioning access, removing group membership and deleting orphaned accounts.
Apono helps automate this process as part of its access lifecycle:
Benefits of working with Apono
Automated grant & revoke
Apono helps automate the entire access lifecycle:
The admin defines the access lifetime per app, environment, resource and permission
The user requests access with Slack, Teams or CLI
According to each Access Flow, access is approved automatically or by approver(s)
When the access lifetime ends, Apono revokes the access for you automatically
All requests, approvals, grants and revocations are fully audited
Congratulations! You just automated the complete access lifecycle, saving time and resources and reducing standing access
Panic button
Apono serves as your central control tower for shut-down - in case of emergency or incident, you can revoke all active access directly from Apono:
Admins can use the Apono UI to find and revoke all active access
Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you want) can revoke access
End users can revoke their own access
Admin and approver control
With Apono, admins and approvers have full control over who can access what:
Admins can define Access Flows with automatic revocation
Admins can find all active access and revoke it
Approvers (managers, resource owners, developers on duty, DevOps, DevSecOps, SRE, IAM Ops, CISO or anyone else you want) can revoke all the active access they approved
Access visibility
It's hard to keep track of all the active access in the organization. Access can be granted in the IdP for users and groups, users can be granted access directly from apps' IAM portals, using roles, permission sets or users (personal or shared).
This causes access drift, shadow admins, orphaned accounts, partial offboarding, and unused access which increases downtime and attack risks.
Apono lets you find out who has access to what in the organization:
BEFORE
Take standing access for users and groups and turn into dynamic, just-in-time, on-demand, temporary access. It's dynamic, easy to manage and fully audited.
AFTER
Resolve stuck revocations
In rare cases, access requests may remain in the Revoking state when Apono attempts to revoke access and cannot reach the integration or connector. This can happen when the integration, connector, pod, cluster, or target environment is unavailable.
Follow these steps to resolve stuck revocations:
In your affected target environment, attempt to restore the affected integration or connector so Apono can complete the revocation.
After connectivity is restored, Apono can continue the revocation process and remove access from the target environment.
If connectivity cannot be restored, continue to step 2.
On the Activity page, from the Status filter, select Revoking. The Mark as Canceled button appears on the page.
Click Mark as Canceled. The Mark as Revoke Canceled confirmation window appears.
Use Mark as Canceled only when you cannot restore the integration or connector and need to unblock integration deletion.
Canceling a revocation does not confirm that access has been removed from the target environment. The access may still be active. You must manually remove the access from the target environment.
After reviewing the confirmation window message, click Mark As Canceled. The pop-up window closes. The affected access requests (filtered in step 2) change to Revoke Canceled status. This process might take a few minutes.
In the target environment, manually remove the user access to prevent standing access.
Last updated
Was this helpful?