Access Workflows

Last modified on May 25, 2023

This feature is currently in closed-access beta. Functionality and documentation may change. Contact your Customer Success Manager for more information.

StrongDM provides the tools that you need to secure access to your resources, manage user roles and permissions to facilitate access, generate detailed audit histories, and more.

Although your organization may assign standing access to users via roles (groups of users) based on their team or position, there may also be situations where you wish to allow users to request access to particular resources temporarily.

Access workflows enable you to automate how access requests are submitted, reviewed, and approved (or denied). With access workflows, you can create subsets of resources and allow users with particular roles to request access to them. When requests are made, the pre-selected approvers for that workflow are notified and may then accept or deny the request.

For more information about how the access requests are submitted and reviewed, see the Access Requests page.

Workflow Management Center in the Admin UI

The Workflow Management page in the Admin UI allows you to manage your current workflows. The page lists all the workflows that you have the ability to administer. Your organization may have up to 25 workflows.

You can click on the Actions button to open the actions menu on an existing workflow in the list. This menu contains the options to view details about that workflow (and edit them) or to delete the workflow. The Add workflow button at the top of the page begins setup of a new workflow.

When adding or editing a workflow, the Summary section is where you define the name of the workflow as well as a short description, which should clearly depict what the workflow does. This helps administrators to find the correct workflow when navigating the workflows page.

A situation can occur in which your organization has multiple workflows that have some of the same resources assigned to them, and a user has the correct role(s) to request access to those resources via either workflow. In this case, the workflow that is ranked higher in the list takes precedence, and is the one through which the request is submitted.

The Attach Roles section is where you choose the roles that are eligible to see the attached resources in their catalog and request access to them. If a user browsing the catalog is not a member of any of the roles assigned here, they are not able to make requests to access resources using this workflow. The Managed By column indicates whether the role is managed directly in StrongDM or via a third party provisioning integration such as Okta.

The Approval Criteria section provides a selection between manual and automatic approval. With the manual review process, you will chose users to function as approvers for access requests that follow this workflow. With automatic approvals, requests for resources that are processed via this workflow will be automatically approved. Automatic approvals provide the audit trail benefits of temporary access to particular resources without the need for manual intervention.

In the Approvers for this workflow section, you select potential approvers for this workflow from the list of users in your organization. Approvers chosen here will gain the ability to approve requests for this workflow and receive notifications of new requests. If an approver for a workflow is not an administrator of your StrongDM organization, they will see requests for the workflow and be able to approve and deny them, but they will be unable to edit the actual workflow.

In the Assign resources to this workflow section, you select resources to assign to this workflow. These assigned resources are available for users who match the indicated roles to request from the catalog via this workflow. When a request is created for one of the assigned resources, it triggers this workflow and sends a notification of the access request to approvers.