Jump to:
Overview
Access requests are at the heart of the Axiom platform. They are submitted using the Axiom web-based user console, or by using Slack. Requests are submitted by those who need the access (or want the access to be granted to someone else). They are approved (or denied) either through automatic workflows, or by human approvers, and expire automatically based on their requested duration. Who can make or approve requests is controlled through Axiom scopes.
Slack
This guide covers in detail how to make access requests using the Axiom web-based user console. You can also submit and approve requests using Slack. While many concepts and actions overlap between this guide and how requests work in Slack, there are some differences - most notably that Slack does not yet support multi-request bundles (each request submitted through Slack is a bundle of one). See the Slack documentation here.
Request bundles
All requests are submitted as part of a request bundle; a bundle consists of one or more access requests submitted at the same time. Requests in a bundle share the same justification and duration, but maintain their individual lifecycle (approve, deny, expire, etc.) Bundles are great for requesting all the access you need to perform a specific task.
Your first request
From the Home page, or the Requests list page of the Axiom user console, press on the New request button on the top right
From the select template dialog that opens up, choose one of the built-in template, corresponding to the system to which you want to gain access (we will discuss custom templates later in this guide)
Once you select a template you are redirected to the New request bundle page of the Axiom user console.
Every request is made up of:
System
The system to which access is desired (e.g. AWS, Okta, MySQL, etc). This is limited by the systems that have been integrated into Axiom, and your Axiom Scopes.
βTarget
The part of the System for which access is requested. For example: for AWS this would be an account, or an account-resource combination; for an IDP this would be an account; for a database this would be a database/ schema/ table, etc. The Targets that will be presented to you are constrained by your Axiom Scope.
βPrincipal
The identity of who is to be granted access. The list of possible Principals to choose from is fetched based on your users in the selected System, and can contain individuals, groups, or systems. In other platforms what we call Principal, is sometimes called grantee, or addressee.Permission
What will the Principal be allowed to do on the Target. For example: for AWS, you will be choose from a list of permission sets; for databases you will get an abstracted list consisting of Read only, Admin, Read and Write, etc. The Permissions that will be presented to you are constrained by your Axiom Scope.AWS and GCP only:
After selecting the permission, you can press on the "View" link to see the permissions' full JSON.AWS only:
For requests where the System is AWS, you can custom craft your permissions, with all the power of AWS IAM. See Crafting for details
All fields in a request are required, and there is a chained dependency between them: resetting the system resets all other fields; resetting Target resets Principal and Permissions, and resetting Principal resets Permission.
Adding another access request to a bundle
To add another request to the bundle, press on the "Add another request" button (below the last access request in the bundle)
You cannot add another request to the bundle unless all fields of all other requests in the bundle are filled out.
Duration and Justification
Duration and justification are filled out at the bundle level.
If your access requests don't share the same duration and justification, you should submit them in separate bundles (even if each bundle ends up having only one request).
New requests from custom templates
Custom templates are available to you if you're Axiom admin has configured them, and if you have the required Axiom Scopes to use them. When available, they are presented in the Select template dialog (that is displayed after you press the New request button on the Home page or the Requests list page).
Custom templates are represented by a card that includes a name and description as entered by the template creator. The card also shows the logos for the systems of the access requests that will be created from the template, and the requested duration
Cloning an existing request
The Clone command is available anywhere you can see an existing request: the Home page, the Request details page, and the Request list page.
When you clone a request, you are directed to the new request page with all fields already filled out. You can then change anything you like, and/ or add more requests to the bundle before submitting it as a new request bundle.
Note that currently you can only clone a single request, which create a new bundle with one request in it. We are working on the ability to clone entire bundles.
Renewing an expired request
Renewing a previous request (one that has expired), is similar to cloning in that it creates a new request. However, instead of being directed to New request page, you are just shown a dialog where you can specify the Duration and Justification for the new request.
Note that currently you can only renew a single request, which create a new bundle with one request in it. We are working on the ability to renew entire bundles.
The Renew command is available anywhere you can see an existing request: the Home page, the Request details page, and the Request list page.
Viewing requests
Requests can be viewed by going to the Requests list page, and then pressing on any row
The Request list page currently supports seeing only requests and not the bundles in which they were created. We are working on a brand new page which will show both bundles and requests, and will allow bulk actions.
The Request details page currently only shows a single request, and not the entire bundle the request was created with. We will soon release a bundle details page that shows all requests in a bundle together.
Request lifecycle
Every request in the bundle maintains its own lifecycle, and can be approved/ denied/ revoked individually. Requests have no status before they are submitted.
- Requests start life with Pending status. Pending requests can be edited.
- Pending request can be canceled by the user that created them, but only before they were approved/ denied.
- Requests can be approved or denied by an Approver, or an automated Axiom Workflow. Approvers are defined using Axiom Scopes. Users can see who may Approve requests in the Approvers tab of the Request details page
- Requests expire automatically based on the requested duration.
- Approvers can revoke a request after approving it.
Tracking request status
Requests' status is displayed in the Request list page and the Request Details page. You are also updated about any status change via email, and if configured, via Slack.