Require requestors to specify their desired access duration to ensure least privilege
Access Duration refers to the amount of time access will be open to requestors.
By enabling this feature, admins require requestors to specify the access time they will need out of the maximum allowed.
This enhances security and accountability by requiring users to specify the length of access needed for each request.
When a user submits a request, the approver sees the requested duration along with other request details. Upon approval, the user is granted access for the specified period.
By default, access duration is disabled. We recommend enabling this setting to keep open access down to the minimum amount of time needed for a specific task.
Follow this step to enable access duration:
On the page, click the Require duration for access request toggle to on. The toggle will turn green.
Once the setting has been enabled, users must specify their access duration, up to the maximum set by the admin. If the requested duration exceeds the limit, an error message will appear. Entering zero or an invalid value prompts the user to reenter a valid duration.
Once enabled, users requesting access will be asked to enter their desired access duration when making requests.
When users create a new request, they will see the Access duration (in hours) field.
Users may pick any duration, including fractions, up to the maximum allowed per resource and permission.
If users attempt to request more than the allowed duration, they will receive a warning to pick a shorter duration.
When users create a new request, they will see the Duration (in Hours) field.
Users may pick any duration, including fractions, up to the maximum allowed per resource and permission.
If users attempt to request more than the allowed duration, they will receive a warning to pick a shorter duration.
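As an added illustration, not code from Apono, the validation rules described above (a positive number of hours, fractions allowed, a maximum per resource and permission, zero or invalid values rejected) together with the expiry computed when the request is approved; the limits table and resource names are constructed sample values:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal, InvalidOperation
from typing import Optional

# Constructed sample limits (hours) keyed by (resource, permission); in the
# product these come from the admin's per-resource/permission settings.
MAX_HOURS = {
    ("prod-db", "read"): Decimal("8"),
    ("prod-db", "write"): Decimal("1"),
}

@dataclass
class DurationResult:
    ok: bool
    hours: Optional[Decimal]
    error: Optional[str]

def validate_duration(raw: str, resource: str, permission: str) -> DurationResult:
    """Apply the page's rules: a positive number of hours (fractions allowed),
    no larger than the maximum configured for this resource and permission."""
    try:
        hours = Decimal(str(raw).strip())
    except InvalidOperation:
        return DurationResult(False, None, "enter a valid duration")
    if not hours.is_finite() or hours <= 0:
        return DurationResult(False, None, "enter a valid duration")
    limit = MAX_HOURS.get((resource, permission))
    if limit is None:
        return DurationResult(False, None, "no maximum configured for this target")
    if hours > limit:
        return DurationResult(False, None, f"pick a shorter duration (max {limit} h)")
    return DurationResult(True, hours, None)

def expiry_at(approved_at_iso: str, hours: Decimal) -> str:
    """Access granted at approval time ends exactly `hours` later (ISO 8601 in and out)."""
    approved_at = datetime.fromisoformat(approved_at_iso)
    return (approved_at + timedelta(hours=float(hours))).isoformat()
```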





Automatic access flows automatically grant and revoke access to a resource based on user context. This access flow type is best used for role-based access control (RBAC) and on-call shift baselines.
To create an automatic access flow, you must define the permitted users and available resources.
Follow these steps to define the permitted grantees:
On the page, click Create Access Flow. The Create Access Flow page appears.
If is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.
If no space is selected, the access flow will be created at the global account level.
Click Automatic. The Automatic fields appear below.
Enter an alphanumeric, user-friendly Access Flow Name.
Click Select attribute to select an IdP attribute, such as User or Group.
(Optional) Click is to select conditional logic from the menu options.
Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access.
(Optional) Add another user.
Under the last listed requestor, click +. A new row appears.
Repeat steps 4-7.
You can define access to specific resources in an Apono integration, bundle, or access scope.
To ensure you do not exceed the AWS inline policy character limit, read when adding AWS resources.
Follow these steps to define access to specific resources:
Under They will have access to, click Select target > Integrations.
Select an integration. The Select resource type panel appears.
Follow this step to add an access flow label:
In the Access flow labels field, enter a value and press Enter, or select an existing label.
After defining the permitted grantees and the resources they can access, follow these steps to review and save an automatic access flow:
Click Review and Create. The Automatic Access Flow Summary appears.
Click Create and Grant.
Starts with
Select the conditional logic for the multiple requestors.
AND
(Default) Allows the user to request access if they meet all the attributes of the user group
OR
Allows the user to request access if they meet any of the attributes of the user group
Select the resource type.
Click Done. The panel closes.
Click permissions. The Permissions menu appears.
Select one or more permissions to grant the requester.
(Optional) Refine the available resources:
Click in the populated to field. A list of resources appears.
Select one or several resources.
(Optional) Add another target:
Click + at the end of the row. A new target row appears.
Repeat steps 1-7 or add a bundle or access scope.
To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding bundles with AWS resources.
Follow these steps to define access to a specific bundle:
Under They will have access to, click Select target > Bundles.
Select a bundle.
(Optional) To add another bundle, click +. A new target row appears.
Repeat steps 1-2 or add an integration or access scope.
Follow these steps to define access to a specific access scope:
Under They will have access to, click Select target > Access Scope. The Select access scope menu appears.
You may enter keywords into the search bar to locate an access scope.
(Optional) Click (eye icon) to preview the contents of the access scope in a popup window.
Select an access scope.
You can also click + Create New Access Scope if none of the existing access scopes meet your needs. The Inventory page appears, where you can create the new access scope.
(Optional) To add another access scope, click +. A new target row appears.
Repeat steps 1-3 or add an integration or bundle.
Cloud resources
One or more resources in a cloud platform that has been integrated with Apono. If you have not already, integrate Apono with a cloud platform to control access to its resources:
Apono identities
One or more identity sources in the Apono system. There are various ways to add identities to Apono:




Create automated access policies for users to request access self-serve
Self-serve access flows grant access to a resource based on a user request for a defined time period.
This access flow type is best used for sensitive or highly regulated resources, such as access to production. It also suits just-in-time (JIT) or break-glass access cases.
To create a self-serve access flow, you must define the permitted requestors, available resources, and approvers.
Follow these steps to define the permitted requestors:
On the page, click Create Access Flow. The Create Access Flow page appears.
If is enabled, select a space from the space selector at the top of the page to create a space-specific access flow.
If no space is selected, the access flow will be created at the global account level.
Click Self Serve. The Self Serve fields appear below.
Enter an alphanumeric, user-friendly Access Flow Name.
Click When. A settings window appears to set the access period.
Set the access period.
Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to request access.
(Optional) Add another attribute.
Under the last listed attribute, click +. A new row appears.
Repeat steps 6-8.
What is it good for?
Onboarding new hires – Set up access before day one so they’re ready to go from the start.
Incident response – Get help from teammates fast, without involving Apono admins.
Click Themselves to define for whom the requestor can request resource access. An options menu appears.
Select one or several options.
(Others, Both) Define the other users:
Click Select attribute to select an attribute, such as User or Group.
(Optional) Click is to select conditional logic from the menu options.
Click Select value to select one or multiple users or groups from the menu options. This selection determines on whose behalf the requestor can request access.
You can define access to specific resources in an Apono integration, bundle, or access scope.
Follow these steps to define access to specific resources:
Under Request access to, click Select target > Integrations.
Select an integration. The Select resource type panel appears.
Select the resource type.
Follow these steps to define the duration of access:
Click in the populated Grant for field. The granting period settings appear.
Click Automatic to select the approval type.
Approval of provides in-depth options to customize the approval flow. This approval type is ideal for production environments and highly sensitive resources.
Follow these steps to set up Approval of:
Click the populated with field. The approval type menu appears.
Click Approval of. The Approval of fields appear.
Click Select attribute to select an IdP attribute, such as User, Group, or Owner.
(Optional) Click is to select conditional logic from the menu options.
Click Select value to select one or multiple users or groups from the menu options. This selection determines who is permitted to approve access.
(Optional) Add another approver condition.
Immediately beneath the last listed approver, click +. A new row appears.
Repeat steps 3-5 to add another approver to the group.
Apono allows administrators to apply various settings to enhance the security of access flows.
Follow these steps to configure settings:
In the Access flow labels field, enter a value and press Enter, or select an existing label.
Click the toggle to enable any of the following settings. When enabled, the toggle turns green.
Always
(Default) Applies the requester conditions at all times. Follow this step to set this period:
Select Always.
Only on
Applies the requester conditions only during a specific time frame. Follow these steps to set a specific period:
In the settings window, select Only on.
Select one or more days of the week.
In the From field, select a start time from the dropdown menu.
Click Select attribute to select an attribute, such as User or Group.
(Optional) Click is to select conditional logic from the menu options.
Starts with
Select the conditional logic for the multiple attributes.
AND
(Default) Allows the user to request access if they meet all the selected attributes
OR
Allows the user to request access if they meet any of the selected attributes
Contractors – Request narrow, temporary access for external contractors.
Team enablement – Empower managers to request access for their team members.
(Optional) Add another attribute.
Under the last listed attribute, click +. A new row appears.
Repeat steps 12a-c.
Select the conditional logic for the multiple attributes.
Click permissions. The Permissions menu appears.
Select one or more permissions to grant the requester.
(Optional) Refine the available resources:
Click in the populated to field. A list of resources appears.
Select one or several resources.
(Optional) Add another target:
Click + at the end of the row. A new target row appears.
Repeat steps 1-7 or add a bundle or access scope.
To ensure you do not exceed the AWS inline policy character limit, read AWS Limitations when adding bundles with AWS resources.
Follow these steps to define access to a specific bundle:
Under Request access to, click Select target > Bundles.
(Optional) Click (eye icon). A Preview Bundle pop-up window appears displaying the contents of the bundle.
Select a bundle.
You can also click + Create new bundle if none of the existing bundles meet your needs. The Create Bundle page appears, where you can create a new bundle.
(Optional) To add another bundle, click +. A new target row appears.
Repeat steps 1-2 or add an integration or access scope.
Follow these steps to define access to a specific access scope:
Under Request access to, click Select target > Access Scope. The Select access scope menu appears.
You may enter keywords into the search bar to locate an access scope.
(Optional) Click (eye icon). A Preview Access Scope pop-up window appears displaying the contents of the access scope.
Select an access scope.
You can also click + Create New Access Scope if none of the existing access scopes meet your needs. The Inventory page appears, where you can create the new access scope.
(Optional) To add another access scope, click +. A new target row appears.
Repeat steps 1-3 or add an integration or bundle.
Automatic
Automatically grants the requester access for the specified period. Automatic approval is the default setting.
Approval of
Grants the requester access for the specified period upon the approval of certain parties. For more information, see the Approval of steps above.
Click Create Access Flow.
Starts with
Select the conditional logic for the multiple approvers.
AND
(Default) If you have multiple attributes in the approval group, AND requires the approver to meet all the attributes.
OR
If you have multiple attributes in the approval group, OR requires the approver to meet only one of the attributes.
(Optional) Add another approver group.
Beneath the last approver group, click +. A new approval group appears.
Repeat steps 3-5 to add another approver to the group.
Select the conditional logic for the multiple groups of approvers.
Cloud resources
One or more resources in a cloud platform that has been integrated with Apono
If you have not already, integrate Apono with a cloud platform to control access to its resources:
Apono identities
One or more identity sources in the Apono system. There are various ways to add identities to Apono:
Themselves
(Default) Allows the requestor to request resource access only for themselves
Direct Reports
Allows the requestor, identified as a manager in the organization’s identity provider (IdP), to request resource access solely for individuals formally assigned as direct reports in the IdP
Others (specify)
Allows the requestor to request resource access only on behalf of others (grantees)
Custom
(Default) Grants the requester access for a custom period. The default granting period is set to 1 hour. Follow these steps to grant access for a custom period:
Select the first radio button.
From the right dropdown menu, select a time unit.
In the first field, enter a numerical value for the time unit.
In the second field, select a time unit from the dropdown menu.
Indefinite
Grants the requester access indefinitely. Follow this step to set this period:
Click Indefinite.
Require MFA
Requires grantees to complete multi-factor authentication to complete a request. We strongly recommend enabling MFA for access requests to sensitive resources.
The grantee will need to enable multi-factor authentication.
Require justification
Requires grantees to enter a justification for their request
Require Approve Reason
Requires approvers to provide a reason (limited to 124 characters) when approving or rejecting a request.
If disabled, providing a reason is optional.
Requester cannot approve their own request
Prevents users from approving their own access requests
If the user is a member of an approval group, they will not receive a notification to approve the request.






Select a timezone from the dropdown menu.
ANY OF
If you have multiple approval groups, ANY OF only requires one approver belonging to any group to approve access.
ALL OF
If you have multiple approval groups, ALL OF requires one approver per group to approve access.
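As an added example, not Apono's code or schema, the approval model described in the Approval of settings: the is / Starts with attribute conditions, AND/OR within an approver group, ANY OF / ALL OF across groups, and the Requester cannot approve their own request setting, written as a small policy evaluator. The data model and the use of a "user" attribute as the person's identity are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed model for illustration; not Apono's schema. A user is a map of
# IdP attributes, identified by the "user" attribute (an assumption).
User = Dict[str, str]

@dataclass
class Condition:
    attribute: str
    values: List[str]
    op: str = "is"            # "is" or "starts with", the options of the "is" menu

    def matches(self, user: User) -> bool:
        actual = user.get(self.attribute, "")
        if self.op == "starts with":
            return any(actual.startswith(v) for v in self.values)
        return actual in self.values

@dataclass
class ApproverGroup:
    conditions: List[Condition]
    logic: str = "AND"        # AND: meet all conditions; OR: meet any one

    def qualifies(self, user: User) -> bool:
        hits = [c.matches(user) for c in self.conditions]
        return all(hits) if self.logic == "AND" else any(hits)

@dataclass
class ApprovalPolicy:
    groups: List[ApproverGroup]
    groups_logic: str = "ANY OF"   # ANY OF: one group suffices; ALL OF: one approver per group
    requester_cannot_self_approve: bool = True

def is_approved(policy: ApprovalPolicy, requester: User, approvals: List[User]) -> bool:
    """Return True when the approvals on record satisfy the policy.
    `approvals` holds the attribute maps of the users who approved."""
    if policy.requester_cannot_self_approve:
        # The requester's own approval never counts, even if they belong to a group.
        approvals = [a for a in approvals if a.get("user") != requester.get("user")]
    # Per group: did at least one qualifying approver approve?
    satisfied = [any(g.qualifies(a) for a in approvals) for g in policy.groups]
    if not satisfied:
        return False
    return all(satisfied) if policy.groups_logic == "ALL OF" else any(satisfied)
```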