Create and customize an access flow from the Apono UI
An access flow is an automated, dynamic permissions workflow that allows admins to define access to a set of resources.
The Apono UI allows you to create customized access flows to fit your access management needs. Users can request a range of predefined permissions through various channels to ensure that access to your resources is granted securely for an appropriate length of time.
Creating an access flow offers you the following benefits:
Adapt permissions dynamically based on context
Enhance security and compliance by structuring approval policies
Allow users to request access through convenient channels such as Slack, Teams, command-line interface (CLI) or magic links
Reduce administrative overhead with a rapid and safe automated process
Apono allows you to create one of the following access flows.
Grants access to a resource based on a user request for a defined time period
This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) or break-glass access cases.
Automatically grants and revokes access to a resource based on user context
This access flow type is best used for role-based access control (RBAC) and on-call shift baselines.
Learn about access flows for JIT access management and control
An access flow is an automated, dynamic permissions workflow that allows admins to define context-based permissions for resources, according to an approval policy and for a specified time.
In contrast to traditional static policies, access flows are dynamic, using groups, tags, exclusion settings, and native cloud hierarchies.
Permissions defined in an access flow are not automatically granted to the user.
Users can request permissions through Slack, Teams, CLI, or the Apono Web Portal. Access is only granted upon approval as specified in the access flow.
Access flows consist of four components that determine how access is granted and managed within your system.
Resource and Integration Owners: Individual roles or groups responsible for approving and rejecting access to a resource or integration.
Permissions: Level of access that requests can receive. Setting clear permissions helps maintain security by preventing excessive access and ensuring that users only receive the rights they need. Permissions can range from read-only access to full administrative privileges, depending on the requester's role and the resource.
Access Duration: Period during which access is open to requesters.
Approval Type: Process through which access is granted. The approval type ensures that an efficient and secure access check is in place.
Apono continuously syncs with your integrations to get updated data about your environment. As resources are created, changed and deleted, Apono evolves with your organization.
Apono syncs all the following cloud resources:
Cloud hierarchies
Resources and cloud services
Paths
Permissions to each resource type
Apono leverages context from your cloud applications to help you build dynamic and flexible access flows.
To gain context, Apono syncs data from:
Organizational groups and managers in your identity provider (IdP)
Cloud resource tags from different cloud providers
Time zones, working hours, and on-call schedules from incident response tools
These attributes remain fully dynamic, as Apono continuously updates them from the original source.
You can use dynamic context in your access flow to define the following components:
Requesters (based on your IdP users or groups and on-call shifts)
Scope of resources (based on cloud tags)
Approvers (based on users, groups and managers from your IdP, and shift members from your incident response tool)
Your access flow specifies whether access requests should be approved automatically by Apono or manually by users in your organization.
Typically, access to sensitive resources should be approved manually by one or more of the following parties:
An organization admin
A member of an on-call shift
Another member of the requested group
When handling extremely sensitive resources, permissions, and data, you can require several approvers:
All specified users
The requester's manager
A minimum of one member of each group
A minimum of one member of each on-call shift
Apono provides both automatic and self-serve workflows. Automatic access flows auto-approve requests based on predefined rules, while self-serve access flows require approval from a manager or administrator.
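The four components and the approval types described above can be modelled in a few lines. This is an added Python sketch, not Apono code or its API: every class, field and function name is hypothetical, the sample flow is constructed, and ignoring a requester's own approval is an assumption of the sketch.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical model for illustration; none of these names are Apono's API.
@dataclass
class AccessFlow:
    requester_groups: set   # IdP groups allowed to request
    resource_tags: dict     # cloud tags that scope the resources
    permissions: set        # permissions a request can receive
    duration: timedelta     # access duration
    approver_groups: dict = field(default_factory=dict)  # group -> members; empty means automatic
    require_each_group: bool = False  # True: a minimum of one member of each group

def in_scope(flow, user_groups, tags, permission):
    """Requester, resource tags and permission must all match the flow."""
    return (bool(flow.requester_groups & user_groups)
            and all(tags.get(k) == v for k, v in flow.resource_tags.items())
            and permission in flow.permissions)

def approved(flow, requester, approvals):
    """Apply the approval type. Assumption: self-approval never counts."""
    if not flow.approver_groups:
        return True  # automatic approval
    votes = set(approvals) - {requester}
    hits = [bool(votes & members) for members in flow.approver_groups.values()]
    return all(hits) if flow.require_each_group else any(hits)

def grant(flow, requester, user_groups, tags, permission, approvals, now):
    """Return the expiry time of the grant, or None if nothing is granted."""
    if in_scope(flow, user_groups, tags, permission) and approved(flow, requester, approvals):
        return now + flow.duration
    return None

def active(expiry, now):
    """Access exists only between approval and expiry."""
    return expiry is not None and now < expiry

# Constructed sample data: a manual flow for production, one approver per group required.
PROD_FLOW = AccessFlow(
    requester_groups={"backend"},
    resource_tags={"env": "prod"},
    permissions={"read-only"},
    duration=timedelta(hours=2),
    approver_groups={"admins": {"alice"}, "on-call": {"bob", "carol"}},
    require_each_group=True,
)
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
```

Setting `require_each_group` to `False` in this sketch turns the policy into "any one listed approver", and an empty `approver_groups` models an automatic flow.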