Create automated access policies for users to request access self-serve

Self-serve access flows grant access to a resource based on a user request, for a defined time period.

This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) and break-glass access cases.

To create a self-serve access flow, you must define the permitted requestors, the available resources, the duration of access, and the approvers. Administrators can also apply optional settings that harden the flow.

Prerequisites

Cloud resources
One or more resources in a cloud platform that has been integrated with Apono. If you have not already, integrate Apono with a cloud platform to control access to its resources.

Apono identities
One or more identity sources in the Apono system. There are various ways to add identities to Apono.

Define the permitted requestors

Follow these steps to define the permitted requestors:

1. On the Access Flows page, click Create Access Flow. The Create Access Flow page appears.
2. If spaces are enabled for your account, select a space from the space selector at the top of the page to create a space-specific access flow. If no space is selected, the access flow is created at the global account level.
3. Click Self Serve. The Self Serve fields appear below.
4. Enter an alphanumeric, user-friendly Access Flow Name.
5. Click When. A settings window appears in which you set the period during which the requestor conditions apply:
   Always
   (Default) Applies the requestor conditions at all times. Select Always.
   Only on
   Applies the requestor conditions only during a specific time frame. Select Only on, select one or more days of the week, select a start time in the From field and an end time in the to field, and select a timezone from the dropdown menu.
6. Click Select attribute to select an IdP attribute, such as User or Group.
7. (Optional) Click is to select conditional logic from the menu options. Other operators include the following:
   Is not
   Contains
   Does not contain
   Starts with
8. Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access.
9. (Optional) Add another attribute:
   a. Under the last listed attribute, click +. A new row appears.
   b. Repeat steps 6-8.
   c. Select the conditional logic for the multiple attributes:
      AND
      (Default) Allows the user to request access only if they meet all of the selected attributes.
      OR
      Allows the user to request access if they meet any of the selected attributes.
10. Click Themselves to define for whom the requestor can request resource access. An options menu appears:
   Themselves
   (Default) Allows the requestor to request resource access only for themselves.
   Direct Reports
   Allows a requestor who is identified as a manager in the organization's identity provider (IdP) to request resource access solely for the individuals formally assigned as their direct reports in the IdP.
   Others (specify)
   Allows the requestor to request resource access only on behalf of other users (grantees) that you define.

   What is requesting on behalf of others good for?
   Onboarding new hires – Set up access before day one so they are ready to go from the start.
   Contractors – Request narrow, temporary access for external contractors.
   Team enablement – Empower managers to request access for their team members.
11. Select one or several options.
12. (Others (specify), alone or together with other options) Define the other users:
   a. Click Select attribute to select an attribute, such as User or Group.
   b. (Optional) Click is to select conditional logic from the menu options. The operators are the same as in step 7.
   c. Click Select value to select one or multiple users or groups from the menu options. This selection determines for whom access can be requested.
   d. (Optional) Add another attribute: under the last listed attribute, click +, repeat steps 12a-c, and select the conditional logic (AND or OR) for the multiple attributes.
13. Click Done. The panel closes.

Define the available resources

You can define access to specific resources in an Apono integration, a bundle, or an access scope. If you are creating an access flow within a space, only space-specific access scopes or bundles can be used to define the access flow's resources.

To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding AWS resources or bundles that contain AWS resources.

Integrations

Follow these steps to define access to specific resources:

1. Under Request access to, click Select target > Integrations.
2. Select an integration. The Select resource type panel appears.
3. Select the resource type.
4. Click Done. The panel closes.
5. Click permissions. The Permissions menu appears.
6. Select one or more permissions to grant the requestor.
7. (Optional) Refine the available resources:
   a. Click in the populated to field. A list of resources appears.
   b. Select one or several resources. By default, the flow grants access to Any resources. The following options let you define access more granularly:
      Any resources except specific
      Select by name
      Select by tags
8. (Optional) Add another target: click + at the end of the row. A new target row appears. Repeat steps 1-7 or add a bundle or access scope.

Bundles

Follow these steps to define access to a specific bundle:

1. Under Request access to, click Select target > Bundles.
2. (Optional) Click the eye icon. A Preview Bundle pop-up window appears displaying the contents of the bundle.
3. Select a bundle. You can also click + Create new bundle if none of the existing bundles meet your needs. The Create Bundle page appears, where you can create a new bundle.
4. (Optional) To add another bundle, click +. A new target row appears. Repeat steps 1-3 or add an integration or access scope.

Access scopes

Follow these steps to define access to a specific access scope:

1. Under Request access to, click Select target > Access Scope. The Select access scope menu appears. You may enter keywords into the search bar to locate an access scope.
2. (Optional) Click the eye icon. A Preview Access Scope pop-up window appears displaying the contents of the access scope.
3. Select an access scope. You can also click + Create New Access Scope if none of the existing access scopes meet your needs. The Inventory page appears, where you can create the new access scope.
4. (Optional) To add another access scope, click +. A new target row appears. Repeat steps 1-3 or add an integration or bundle.

Define the duration of access

Follow these steps to define the duration of access:

1. Click in the populated Grant for field. The granting period settings appear.
2. Select a granting period:
   Custom
   (Default) Grants the requestor access for a custom period. The default granting period is 1 hour. Select the first radio button, enter a numerical value in the first field, and select a time unit from the dropdown menu in the second field.
   Indefinite
   Grants the requestor access indefinitely. Click Indefinite. An indefinite grant is standing access and works against the least-privilege goal of time-bound access; reserve it for low-risk resources.

Define the approvers

Click the populated with field. The approval type menu appears with two options:

Automatic
(Default) Automatically grants the requestor access for the specified period.

Approval of
Grants the requestor access for the specified period upon the approval of certain parties. Approval of provides in-depth options to customize the approval flow. This approval type is ideal for production environments and highly sensitive resources.

Follow these steps to set up Approval of:

1. Click the populated with field. The approval type menu appears.
2. Click Approval of. The Approval of fields appear.
3. Click Select attribute to select an IdP attribute, such as User, Group, or Owner. If you have connected an on-call integration with Apono, the attribute can also be an on-call shift.
4. (Optional) Click is to select conditional logic from the menu options. Other operators include the following:
   Is not
   Contains
   Does not contain
   Starts with
5. Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to approve access.
6. (Optional) Add another approver condition:
   a. Immediately beneath the last listed approver, click +. A new row appears.
   b. Repeat steps 3-5 to add another approver to the group.
   c. Select the conditional logic for the multiple approvers:
      AND
      (Default) If you have multiple attributes in the approval group, AND requires the approver to meet all the attributes.
      OR
      If you have multiple attributes in the approval group, OR requires the approver to meet only one of the attributes.
7. (Optional) Add another approver group:
   a. Beneath the last approver group, click +. A new approval group appears.
   b. Repeat steps 3-5 to add approvers to the group.
   c. Select the conditional logic for the multiple groups of approvers:
      ANY OF
      If you have multiple approval groups, ANY OF requires only one approver belonging to any group to approve access.
      ALL OF
      If you have multiple approval groups, ALL OF requires one approver per group to approve access.

Apply admin settings

Apono allows administrators to apply various settings to enhance the security of access flows. All admin settings are optional.

Access flow labels
Identifies an access flow for streamlined organization and use. When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page. Enter a value, then press Enter on your keyboard or select an existing label from the filtered list.

Require MFA
Requires grantees to complete multi-factor authentication to complete a request. The grantee must have multi-factor authentication enabled. We strongly recommend enabling MFA for access requests to sensitive resources. Click the toggle. When enabled, the toggle turns green.

Require justification
Requires grantees to enter a justification for their request. Click the toggle. When enabled, the toggle turns green.

Require Approver Reason
Requires approvers to provide a reason (limited to 124 characters) when approving or rejecting a request. If disabled, providing a reason is optional. Click the toggle. When enabled, the toggle turns green.

Requester and grantee cannot self approve
Prevents users from approving their own access requests. If the requestor or grantee is a member of an approval group, they do not receive a notification to approve the request. Click the toggle. When enabled, the toggle turns green.

Allow extending request
Allows requestors to extend active access for a limited duration without submitting a new request.
1. Click the toggle. When enabled, the toggle turns green.
2. Click in the Allow extending request up to field to choose the number of times the request can be extended, up to a maximum of 10.
3. Click in the Extend for fields to select the duration of each extension, up to the maximum access duration set for the access flow. The default duration is 30 minutes per extension.
Credential rotation, user cleanup, MFA, and approval requirements apply only to new access requests. Extending access preserves the existing session, user, and credentials. Because an extension is never re-approved or re-authenticated, keep the extension count and length small for sensitive flows.

Create the access flow

After defining the requestors, resources, duration, and approvers, click Create Access Flow.
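The requestor conditions, approver groups and the self-approval setting described above combine into a small decision procedure. The following Python model is added here as an illustration and is not Apono's own code: it evaluates those semantics end to end, namely the five operators of the is menu against single- or multi-valued IdP attributes, AND/OR within a condition group, ANY OF/ALL OF across approver groups, and the exclusion of the requester and grantee from approving. The same matcher describes the grantee conditions of an automatic access flow. The attribute keys (user, group), the sample identities and the flow definition are constructed for the demonstration.

```python
"""Added example (not Apono's code): a model of the access flow conditions described above,
namely the operators of the "is" menu, AND/OR inside a condition group, ANY OF/ALL OF across
approver groups, and the "Requester and grantee cannot self approve" setting."""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Iterable, Optional


def evaluate(op: str, actual, expected: str) -> bool:
    """One attribute condition. `actual` is a single value (User) or a collection (Group
    memberships); collections match if any member matches, negations only if none does."""
    values = list(actual) if isinstance(actual, (list, set, tuple)) else [actual]
    if op == "is":
        return expected in values
    if op == "is not":
        return expected not in values
    if op == "contains":
        return any(expected in str(v) for v in values)
    if op == "does not contain":
        return not any(expected in str(v) for v in values)
    if op == "starts with":
        return any(str(v).startswith(expected) for v in values)
    raise ValueError(f"unsupported operator: {op!r}")


@dataclass
class Condition:
    attribute: str  # IdP attribute key, assumed here to be "user", "group" or "owner"
    op: str
    value: str


@dataclass
class ConditionGroup:
    """A requestor definition or one approver group; rows combine with AND (default) or OR."""
    conditions: list[Condition]
    logic: str = "AND"

    def matches(self, identity: dict) -> bool:
        results = [evaluate(c.op, identity.get(c.attribute, []), c.value) for c in self.conditions]
        return all(results) if self.logic == "AND" else any(results)


@dataclass
class ApprovalPolicy:
    """'Approval of' with one or more approver groups combined by ANY OF or ALL OF."""
    groups: list[ConditionGroup]
    group_logic: str
    block_self_approval: bool = True  # "Requester and grantee cannot self approve"

    def can_approve(self, approver: dict, request: dict) -> bool:
        if self.block_self_approval and approver["user"] in (request["requester"], request["grantee"]):
            return False  # a self-approver is simply not a valid approver for this request
        return any(g.matches(approver) for g in self.groups)

    def is_approved(self, request: dict, approvals: Iterable[dict]) -> bool:
        """ALL OF needs a valid approver from every group; ANY OF needs one from any group."""
        valid = [a for a in approvals if self.can_approve(a, request)]
        satisfied = [any(g.matches(a) for a in valid) for g in self.groups]
        return all(satisfied) if self.group_logic == "ALL OF" else any(satisfied)


@dataclass
class SelfServeFlow:
    requestors: ConditionGroup
    approval: Optional[ApprovalPolicy]  # None models the default Automatic approval type
    require_justification: bool = False

    def can_request(self, identity: dict, justification: str = "") -> bool:
        if self.require_justification and not justification.strip():
            return False
        return self.requestors.matches(identity)


# Constructed sample identities and a production flow; none of these are real.
ALICE = {"user": "alice@example.com", "group": ["Engineering", "Prod-Oncall"]}
BOB = {"user": "bob@example.com", "group": ["Engineering"]}
CAROL = {"user": "carol@example.com", "group": ["Security"]}
DAVE = {"user": "dave@example.com", "group": ["Contractors", "Engineering"]}

PROD_FLOW = SelfServeFlow(
    requestors=ConditionGroup([Condition("group", "is", "Engineering"),
                               Condition("group", "is not", "Contractors")], "AND"),
    approval=ApprovalPolicy([ConditionGroup([Condition("group", "is", "Prod-Oncall")]),
                             ConditionGroup([Condition("group", "starts with", "Sec")])],
                            group_logic="ALL OF"),
    require_justification=True,
)


def demo() -> dict:
    """Exercise the flow: who may request, and which sets of approvals satisfy ALL OF / ANY OF."""
    bob_req = {"requester": BOB["user"], "grantee": BOB["user"]}
    alice_req = {"requester": ALICE["user"], "grantee": ALICE["user"]}
    any_of = replace(PROD_FLOW.approval, group_logic="ANY OF")
    return {
        "bob_can_request": PROD_FLOW.can_request(BOB, "INC-1 triage"),                      # True
        "missing_justification": PROD_FLOW.can_request(BOB),                                # False
        "contractor_blocked": PROD_FLOW.can_request(DAVE, "INC-1 triage"),                  # False
        "one_group_not_enough": PROD_FLOW.approval.is_approved(bob_req, [ALICE]),           # False
        "both_groups_approve": PROD_FLOW.approval.is_approved(bob_req, [ALICE, CAROL]),     # True
        "self_approval_ignored": PROD_FLOW.approval.is_approved(alice_req, [ALICE, CAROL]), # False
        "any_of_one_group": any_of.is_approved(bob_req, [ALICE]),                           # True
    }
```

Note the self-approval case: Alice satisfies the Prod-Oncall group, but because she is also the requester her approval is discarded, so an ALL OF policy stays unsatisfied even with Carol's approval. With two approver groups, ALL OF is what forces a second pair of eyes from a different team.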
Require requestors to specify their desired access duration to ensure least privilege

Access duration defines how long access is granted to requestors. When this feature is enabled, requestors must specify how long they need access, up to a maximum duration set within the self-serve access flow.

By enforcing time limits, access duration reduces standing access, improves accountability, and supports just-in-time access aligned with the principle of least privilege.

When a request is submitted, the approver sees the requested duration along with the other request details. Once approved, access is granted only for the specified period and is revoked when the access duration expires. If the requestor needs more time, they must submit a new access request, unless extending requests has been enabled for the access flow.

All Apono access requests, approvals, and expirations are logged and retained for at least 36 months. For longer retention needs, export this data to your organization's storage tools.

Enable access duration

By default, access duration is disabled. We recommend enabling it so that access is granted only for the minimum time required to complete a task.

Follow this step to enable access duration:

1. Click the Require duration for access request toggle to on. The toggle turns green.

Once enabled, requestors must specify a duration, up to the maximum defined by the access flow. If the requested duration exceeds the limit or is invalid, an error message prompts the requestor to enter a valid duration.

Recommended access durations

Access duration should be based on the risk and sensitivity of an access flow's resources. Use the following recommendations as a starting point to define durations that meet your organization's security and operational needs. Typical Requested Duration reflects how long access is usually needed to complete a task. Access Duration defines the upper limit enforced by the access flow.

After access durations are defined, Apono analyzes access requests and flags Excessive access duration when requested durations are consistently below the configured maximum. Apono then recommends reviewing and reducing the maximum access duration to better align with least-privilege access.

Sensitive Data (PII, Financial, Customer)
Typical Requested Duration: Up to 1 hour
Access Duration: 2 hours
Approval type: Approval of
Settings: Require Approver Reason; Requester and grantee cannot self approve
Guidance: The approver should be a party able to authorize sensitive data access, such as the Security team, GRC, or the requestor's manager.

Break-glass / Emergency
Typical Requested Duration: Up to 1 hour
Access Duration: 2 hours
Approval type: Approval of OR Automatic Approval
Setting: Require MFA
Guidance: The request should be reviewed post-incident.

Development / Sandbox / Staging / QA
Typical Requested Duration: Quarterly
Access Duration: Conditional, based on role
Approval type: Automatic Approval
Guidance: Longer durations are acceptable due to lower risk, especially when tied to developer roles.

Production Systems
Typical Requested Duration: Up to 2 hours
Access Duration: 4 hours
Approval type: Approval of OR Automatic Approval
Settings: Require MFA; Requester and grantee cannot self approve
Guidance: Approval of: choose an approver from an on-call shift or a production team, such as DevOps or Infra. Automatic Approval: select this approval type for ongoing incidents or during on-call shifts.
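The duration rules in this section can be modelled as a small state machine: a requested duration must be valid and at most the flow's Access Duration; extensions are capped in count and length and are never re-approved or re-authenticated; and a flow whose requests consistently use far less than the maximum is flagged as Excessive access duration. The Python example below is added here for illustration and is not Apono's code. The error texts, the 95th-percentile statistic and the 50 % threshold for the finding are assumptions made for the example; the page does not specify how Apono computes the finding.

```python
"""Added example (not Apono's code): a model of the access-duration rules on this page.
A requested duration is rejected when missing, invalid or above the flow's Access Duration;
extensions are capped in number and length and never re-run approval or MFA; and a flow whose
requests consistently use far less than the maximum is flagged as Excessive access duration.
The error texts, the 95th-percentile statistic and the 50 % threshold are assumptions."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class DurationPolicy:
    max_duration: timedelta                   # Access Duration: the upper limit the flow enforces
    require_duration: bool = True             # "Require duration for access request" toggle
    extensions_allowed: int = 0               # "Allow extending request up to", at most 10
    extension_length: timedelta = timedelta(minutes=30)  # "Extend for", 30 minutes by default

    def __post_init__(self) -> None:
        if not 0 <= self.extensions_allowed <= 10:
            raise ValueError("a request can be extended at most 10 times")
        # Each extension is limited to the maximum access duration of the flow.
        self.extension_length = min(self.extension_length, self.max_duration)

    def validate_request(self, requested: Optional[timedelta]) -> timedelta:
        """Return the duration to grant, or raise with the message shown to the requestor."""
        if requested is None:
            if self.require_duration:
                raise ValueError("Enter a valid duration")
            return self.max_duration  # no duration asked for: grant the configured period
        if requested <= timedelta(0):
            raise ValueError("Enter a valid duration")
        if requested > self.max_duration:
            raise ValueError(f"Duration exceeds the maximum of {self.max_duration}")
        return requested


@dataclass
class Grant:
    policy: DurationPolicy
    expires_at: datetime
    extensions_used: int = 0

    def extend(self, now: datetime) -> datetime:
        """Prolong active access without a new request. Nothing is re-approved or
        re-authenticated here, which is why the count and length should stay small."""
        if now >= self.expires_at:
            raise ValueError("Access has expired; submit a new request")
        if self.extensions_used >= self.policy.extensions_allowed:
            raise ValueError("Extension limit reached; submit a new request")
        self.expires_at += self.policy.extension_length
        self.extensions_used += 1
        return self.expires_at


def excessive_duration_finding(policy: DurationPolicy, history: list[timedelta],
                               ratio: float = 0.5, min_samples: int = 10) -> Optional[dict]:
    """Assumed rule: with at least `min_samples` requests, flag the flow when the 95th percentile
    of requested durations is at or below `ratio` of the maximum, and recommend lowering the
    maximum to that percentile rounded up to the next 30 minutes."""
    if len(history) < min_samples:
        return None
    ordered = sorted(history)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    if p95 > policy.max_duration * ratio:
        return None
    step = timedelta(minutes=30)
    return {"finding": "Excessive access duration", "p95_requested": p95,
            "current_max": policy.max_duration, "recommended_max": math.ceil(p95 / step) * step}


def demo() -> dict:
    """A production flow (4-hour maximum, two 30-minute extensions) through its lifecycle."""
    prod = DurationPolicy(max_duration=timedelta(hours=4), extensions_allowed=2)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    grant = Grant(prod, expires_at=t0 + prod.validate_request(timedelta(hours=2)))
    grant.extend(t0 + timedelta(hours=1, minutes=50))
    grant.extend(t0 + timedelta(hours=2, minutes=20))
    out: dict = {"expires_at": grant.expires_at}  # 09:00 + 2 h + 2 x 30 min = 12:00 UTC
    attempts = {
        "third_extension": lambda: grant.extend(t0 + timedelta(hours=2, minutes=50)),
        "over_max": lambda: prod.validate_request(timedelta(hours=6)),
        "missing": lambda: prod.validate_request(None),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = None
        except ValueError as exc:
            out[label] = str(exc)
    # Constructed history: 20 requests, mostly 30-60 minutes, against the 4-hour maximum.
    minutes = [30, 45, 30, 60, 40, 30, 35, 50, 30, 45, 60, 30, 30, 40, 90, 30, 45, 30, 60, 120]
    out["finding"] = excessive_duration_finding(prod, [timedelta(minutes=m) for m in minutes])
    return out
```

In the demo the 4-hour production maximum is flagged because 95 % of requests finish within 90 minutes, which is the kind of gap between Typical Requested Duration and Access Duration that the table above is meant to close.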

Create automatic access flows that grant and revoke access based on user context

Automatic access flows automatically grant and revoke access to a resource based on user context. This access flow type is best used for role-based access control (RBAC) and on-call shift baselines.

To create an automatic access flow, you must define the permitted grantees and the available resources.

Prerequisites

Cloud resources
One or more resources in a cloud platform that has been integrated with Apono. If you have not already, integrate Apono with a cloud platform to control access to its resources.

Apono identities
One or more identity sources in the Apono system. There are various ways to add identities to Apono.

Define the permitted grantees

Follow these steps to define the permitted grantees:

1. On the Access Flows page, click Create Access Flow. The Create Access Flow page appears.
2. If spaces are enabled for your account, select a space from the space selector at the top of the page to create a space-specific access flow. If no space is selected, the access flow is created at the global account level.
3. Click Automatic. The Automatic fields appear below.
4. Enter an alphanumeric, user-friendly Access Flow Name.
5. Click Select attribute to select an IdP attribute, such as User or Group.
6. (Optional) Click is to select conditional logic from the menu options. Other operators include the following:
   Is not
   Contains
   Does not contain
   Starts with
7. Click Select value to select one or multiple users or groups from the menu options. This selection determines who is granted access.
8. (Optional) Add another grantee condition:
   a. Under the last listed condition, click +. A new row appears.
   b. Repeat steps 5-7.
   c. Select the conditional logic for the multiple conditions:
      AND
      (Default) Grants access only to users who meet all the attributes of the user group.
      OR
      Grants access to users who meet any of the attributes of the user group.

Define the available resources

You can define access to specific resources in an Apono integration, a bundle, or an access scope. If you are creating an access flow within a space, only space-specific access scopes or bundles can be used to define the access flow's resources.

To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding AWS resources or bundles that contain AWS resources.

Integrations

Follow these steps to define access to specific resources:

1. Under They will have access to, click Select target > Integrations.
2. Select an integration. The Select resource type panel appears.
3. Select the resource type.
4. Click Done. The panel closes.
5. Click permissions. The Permissions menu appears.
6. Select one or more permissions to grant the grantees.
7. (Optional) Refine the available resources:
   a. Click in the populated to field. A list of resources appears.
   b. Select one or several resources. By default, the flow grants access to Any resources. The following options let you define access more granularly:
      Any resources except specific
      Select by name
      Select by tags
8. (Optional) Add another target: click + at the end of the row. A new target row appears. Repeat steps 1-7 or add a bundle or access scope.

Bundles

Follow these steps to define access to a specific bundle:

1. Under They will have access to, click Select target > Bundles.
2. Select a bundle.
3. (Optional) To add another bundle, click +. A new target row appears. Repeat steps 1-2 or add an integration or access scope.

Access scopes

Follow these steps to define access to a specific access scope:

1. Under They will have access to, click Select target > Access Scope. The Select access scope menu appears. You may enter keywords into the search bar to locate an access scope.
2. (Optional) Click the eye icon to preview the contents of the access scope in a pop-up window.
3. Select an access scope. You can also click + Create New Access Scope if none of the existing access scopes meet your needs. The Inventory page appears, where you can create the new access scope.
4. (Optional) To add another access scope, click +. A new target row appears. Repeat steps 1-3 or add an integration or bundle.

Add an access flow label

A label identifies an access flow for streamlined organization and use. When assigned to an access flow, labels appear in the access flow tiles on the Access Flows page.

Follow this step to add an access flow label:

1. In the Access flow labels field, enter a value and press Enter, or select an existing label.

Review and create the access flow

After defining the grantees and resources, follow these steps to review and save an automatic access flow:

1. Click Review and Create. The Automatic Access Flow Summary appears. The summary provides a visual overview of the relationship between the grantees and the target resources.
2. Click Create and Grant. Because there is no request or approval step, every identity that currently matches the grantee conditions receives access as soon as the flow is created, so check the summary before confirming.
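An automatic access flow keeps grants equal to whatever the grantee conditions currently select: access is added when a user enters the context and revoked when they leave it. The Python reconciler below is added here as an illustration and is not Apono's code. It shows that loop for an on-call shift baseline combined with a static RBAC group: at each tick it recomputes the desired grantees, grants the difference and revokes everything else, including a grant that no current context justifies. The schedule, group and users are constructed for the demo.

```python
"""Added example (not Apono's code): a reconciler for an automatic access flow whose user
context is an on-call schedule plus a static RBAC group. Grants are recomputed at every tick
and made to match the desired set, so no grant outlives the context that justified it."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Shift:
    user: str
    start: datetime
    end: datetime  # exclusive: the shift has ended at this instant


def on_call(schedule: list[Shift], now: datetime) -> set[str]:
    """Users whose shift covers `now`: the user context the flow evaluates."""
    return {s.user for s in schedule if s.start <= now < s.end}


def desired_grantees(static_members: set[str], schedule: list[Shift], now: datetime) -> set[str]:
    """RBAC baseline (members of a static group) plus whoever is currently on call."""
    return set(static_members) | on_call(schedule, now)


def reconcile(current: set[str], desired: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_grant, to_revoke). Revoking everything outside `desired` is what keeps the
    flow from accumulating standing access, including grants that were added by hand."""
    return desired - current, current - desired


def simulate(static_members, schedule, ticks, initial=frozenset()):
    """Apply the flow at each tick; return the action log and the final grant set.
    Each log entry is (time, granted, revoked, grants after the tick), lists sorted."""
    current = set(initial)
    log = []
    for now in ticks:
        to_grant, to_revoke = reconcile(current, desired_grantees(static_members, schedule, now))
        current = (current | to_grant) - to_revoke
        log.append((now, sorted(to_grant), sorted(to_revoke), sorted(current)))
    return log, current


# Constructed schedule and group for the demo: alice covers 09:00-17:00, bob 17:00-01:00.
DAY = datetime(2024, 1, 1, tzinfo=timezone.utc)
SCHEDULE = [
    Shift("alice@example.com", DAY + timedelta(hours=9), DAY + timedelta(hours=17)),
    Shift("bob@example.com", DAY + timedelta(hours=17), DAY + timedelta(hours=25)),
]
DEVOPS = {"carol@example.com"}  # static RBAC baseline that is always granted


def demo():
    """Run the flow across the day, starting from a grant nobody's context justifies
    (dave, e.g. left over from a manual change) to show that it is revoked on the first tick."""
    ticks = [DAY + timedelta(hours=h) for h in (8, 9, 16, 17, 25)]
    return simulate(DEVOPS, SCHEDULE, ticks, initial={"dave@example.com"})
```

At 17:00 the handover produces one grant (bob) and one revoke (alice) in the same tick, and at 01:00 bob is revoked with nobody replacing him; only the static DevOps member keeps access throughout, which is exactly the standing baseline the flow was meant to express.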



