Last modified on November 27, 2023
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
StrongDM provides the tools that you need to secure access to your resources, manage user roles and permissions to facilitate access, generate detailed audit histories, and more.
Although your organization may assign standing access to users via roles (groups of users) based on their team or position, there may also be situations where you wish to allow users to request access to particular resources temporarily.
Workflows enable you to automate how access requests are submitted, reviewed, and approved (or denied). With access workflows, you can create subsets of resources and allow users with particular roles to request access to them. When requests are made, the pre-selected approvers for that workflow are notified and may then accept or deny the request.
For more information about how the access requests are submitted and reviewed, see the Request Access page.
The Workflows page in the Admin UI allows you to manage your current workflows. The page lists all the workflows that you have the ability to administer. Your organization may have up to 50 workflows. In the list, for each workflow you can see the following:
- The name and description of the workflow
- The users that have been selected as approvers for access requests using the workflow
- The status of the workflow (whether it is currently enabled or disabled)
Add and Edit Workflows
You can click on the Actions button to open the actions menu on an existing workflow in the list. This menu contains the options to view details about that workflow (and edit them) or to delete the workflow. The Add workflow button at the top of the page begins setup of a new workflow.
In either case, you are presented with several items to configure for your workflow.
When adding or editing a workflow, the Summary section is where you define the name of the workflow as well as a short description, which should clearly describe what the workflow does. This helps administrators find the correct workflow when navigating the Workflows page.
The Attach Roles section is where you choose the roles that are eligible to see the attached resources in their catalog and request access to them. If a user browsing the catalog is not a member of any of the roles assigned here, they are not able to make requests to access resources using this workflow. The Managed By column indicates whether the role is managed directly in StrongDM or via a third party provisioning integration such as Okta.
Workflow approval criteria
The Approval Criteria section provides a selection between manual and automatic approval. With the manual review process, you choose users to function as approvers for access requests that follow this workflow. With automatic approvals, requests for resources that are processed via this workflow are automatically approved. Automatic approvals provide the audit trail benefits of temporary access to particular resources without the need for manual intervention.
In the Approvers for this workflow section, you may select potential approvers for this workflow from the list of users in your organization. You may also select roles.
Approvers gain the ability to approve requests for this workflow and receive notifications of new requests. When you add a role to the approvers list, all users who are currently members of the role (or who are later added to the role) are able to approve requests that are made via this workflow. If an approver for a workflow is not an administrator of your StrongDM organization, they see requests from that workflow in the Request Access > Requests tab and can approve and deny them, but they are unable to edit the actual workflow.
If the approver(s) for a workflow are themselves deactivated in the StrongDM organization and no other approvers have been set for the workflow (users or roles), that workflow becomes disabled and pending requests using that workflow are canceled. If such an approver is later reactivated, the workflow must be re-enabled manually, and the canceled requests must be recreated.
In the Assign resources to this workflow section, you select resources to assign to this workflow. These assigned resources are available for users who match the indicated roles to request from the catalog via this workflow. When a request is created for one of the assigned resources, it triggers this workflow and sends a notification of the access request to approvers.
Resources can be assigned to the workflow in two ways, with either static rules or dynamic rules.
Static rules (assign specific resources)
To add specific individual resources to a workflow, click Add Static Rule (or, if a workflow already has resources statically assigned, click Edit in the “X resources assigned” section). Then, choose resources to add to this workflow. The list to choose from includes all resources in the organization. The search bar and filters are available for use when searching longer lists.
Dynamic rules (assign resources dynamically)
For a more dynamic and scalable approach to assigning resources to a workflow, you can click Add Dynamic Rule (or click on Edit on an existing dynamic rule). Here, similarly to the process used to define the access given to roles with dynamic access rules, you may dynamically assign any resources that meet a set of criteria to the workflow. Dynamic rules can be created around the resource type or the tags on the resources.
For example, you can choose to add all resources of the “MySQL” type to this workflow. Dynamic rules apply to resources that are added in the future as well. In this example, if more MySQL resources are added later, they become available in the catalog; and if any are removed, they cease to be available.
You can also use tags for dynamic rules. For instance, you might add to a workflow all resources tagged with the env=dev tag. You can also combine the two methods, and allow access to, for example, all resources of the MySQL type and with the
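To make the static and dynamic assignment semantics concrete, here is an added example (not StrongDM code, and not the product's rule evaluator) that models how one workflow decides which resources appear in the catalog. The resource names, ids, roles and the rule shape (a dict with optional "type" and "tags" keys) are constructed for this example; the matching logic is this example's own.

```python
# Added example (not StrongDM code): models how static and dynamic rules decide
# which resources one workflow exposes in the catalog. The rule shape
# ({"type": ..., "tags": {...}}) is an assumption for this example, as are all
# resource ids, names and role names below.
from dataclasses import dataclass, field, replace


@dataclass
class Resource:
    id: str
    name: str
    type: str                                   # e.g. "mysql", "redis", "postgres"
    tags: dict = field(default_factory=dict)    # e.g. {"env": "dev"}


@dataclass
class Workflow:
    name: str
    enabled: bool
    roles: set                                  # roles attached to the workflow
    static_ids: set = field(default_factory=set)        # Add Static Rule: explicit ids
    dynamic_rules: list = field(default_factory=list)   # Add Dynamic Rule: criteria


def rule_matches(rule: dict, resource: Resource) -> bool:
    """Every criterion present in the rule must match (type AND all listed tags)."""
    if "type" in rule and rule["type"] != resource.type:
        return False
    return all(resource.tags.get(k) == v for k, v in rule.get("tags", {}).items())


def requestable_ids(workflow: Workflow, inventory: list, user_roles: set) -> list:
    """Ids a user can request via this workflow, evaluated against the current inventory.

    A disabled workflow exposes nothing; a user outside the attached roles sees
    nothing; otherwise a resource qualifies if it is statically assigned or matches
    any dynamic rule. Rules are re-evaluated on every call, so resources added
    later appear and removed ones disappear without editing the workflow.
    """
    if not workflow.enabled or not (workflow.roles & user_roles):
        return []
    return sorted(
        r.id for r in inventory
        if r.id in workflow.static_ids
        or any(rule_matches(rule, r) for rule in workflow.dynamic_rules)
    )


# Constructed inventory and workflow (sample values, not real resources).
INVENTORY = [
    Resource("rs-1", "orders-db", "mysql", {"env": "dev"}),
    Resource("rs-2", "billing-db", "mysql", {"env": "prod"}),
    Resource("rs-3", "session-cache", "redis", {"env": "dev"}),
    Resource("rs-4", "legacy-pg", "postgres"),
]

DEV_MYSQL = Workflow(
    name="dev-mysql-access",
    enabled=True,
    roles={"backend-engineers"},
    static_ids={"rs-4"},                                        # one explicit pick
    dynamic_rules=[{"type": "mysql", "tags": {"env": "dev"}}],  # type AND tag
)


def demo() -> dict:
    """Walk through the behaviours described on the page and return the observations."""
    out = {"member": requestable_ids(DEV_MYSQL, INVENTORY, {"backend-engineers"})}
    out["non_member"] = requestable_ids(DEV_MYSQL, INVENTORY, {"sales"})
    # A MySQL dev resource added later matches the dynamic rule automatically.
    grown = INVENTORY + [Resource("rs-5", "new-orders-db", "mysql", {"env": "dev"})]
    out["after_add"] = requestable_ids(DEV_MYSQL, grown, {"backend-engineers"})
    # Disabling the workflow hides everything, even for eligible roles.
    out["disabled"] = requestable_ids(replace(DEV_MYSQL, enabled=False), INVENTORY, {"backend-engineers"})
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that a dynamic rule with both a type and a tag is an AND of the two criteria, and that eligibility is checked in order: the workflow must be enabled, the user must hold an attached role, and only then are the static and dynamic assignments evaluated against whatever is in the inventory at that moment.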
In addition to managing individual workflows, you may apply certain settings to all workflows in your organization. These settings include the maximum access grant duration for approved requests, and whether or not email notifications are sent to requesters and approvers for new or completed access requests.
To make changes to workflow settings, go to Settings > Workflows in the Admin UI.
The maximum access grant duration for approved access requests is 30 days by default. To change the maximum duration, enter the desired number of days, hours, and/or minutes (in increments of 15 minutes, such as 00, 15, 30, and 45) and click Update. After the maximum duration is set, users can request access to resources for a custom amount of time, as long as it doesn’t exceed the maximum duration.
When email notifications are enabled, requesters and approvers receive email notifications for new or completed access requests. Notifications are enabled by default.
To disable notifications, select No under Enable Email Notifications? and click Update.
Enable and Disable Workflows
When editing or adding a workflow, there is a toggle that allows you to enable or disable the current workflow.
An enabled workflow presents resources to eligible users in the access catalog. A disabled workflow is available to edit but does not present any resource options to users in the catalog.
Note the following about enabling and disabling workflows:
- Workflows that are being created, have no approvers, or are otherwise not viable for production use are disabled and cannot be enabled until they are created, approvers are added, or problems are otherwise resolved.
- Workflows that have just been created default to the disabled state and must be enabled in order to begin use.
- Pending access requests via a workflow that becomes disabled are immediately canceled.
Enabling and disabling a single workflow, or multiple workflows at one time, can be done from the Workflows screen. Select one or more workflows using the checkboxes next to each workflow in the list. Once you make your selection, you are presented with the option to enable or disable the selected workflow(s).
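The rules spread across the settings section (maximum grant duration in 15-minute increments) and the enable/disable notes above (new workflows start disabled, no approvers means not viable, disabling cancels pending requests, deactivated approvers disable the workflow, reactivation does not re-enable it, non-admin approvers cannot edit) fit together as a small state model. The following is an added example written for this page, not StrongDM's implementation; every user, role and request id is constructed, and treating automatic-approval workflows as viable without human approvers is this example's own assumption.

```python
# Added example (not StrongDM code): a state model of the enable/disable and
# approver rules described on this page, plus the grant-duration check from the
# workflow settings. All names are constructed; treating automatic-approval
# workflows as viable without human approvers is this example's assumption.
from dataclasses import dataclass, field

MAX_GRANT_MINUTES_DEFAULT = 30 * 24 * 60    # the page's 30-day default
INCREMENT_MINUTES = 15                      # durations are set in 15-minute steps


@dataclass
class Org:
    active_users: set
    role_members: dict                      # role name -> set of current members
    admins: set = field(default_factory=set)
    max_grant_minutes: int = MAX_GRANT_MINUTES_DEFAULT


@dataclass
class Workflow:
    name: str
    approver_users: set = field(default_factory=set)
    approver_roles: set = field(default_factory=set)
    auto_approve: bool = False
    enabled: bool = False                   # new workflows default to disabled
    pending: list = field(default_factory=list)   # ids of requests awaiting review


def effective_approvers(wf: Workflow, org: Org) -> set:
    """Active users who may approve: named directly, or a current member of an approver role."""
    via_roles = set().union(*(org.role_members.get(r, set()) for r in wf.approver_roles))
    return (wf.approver_users | via_roles) & org.active_users


def is_viable(wf: Workflow, org: Org) -> bool:
    return wf.auto_approve or bool(effective_approvers(wf, org))


def set_enabled(wf: Workflow, org: Org, enabled: bool) -> bool:
    """Only a viable workflow can be enabled; disabling cancels pending requests."""
    if enabled and not is_viable(wf, org):
        raise ValueError(f"{wf.name}: no approvers set, cannot enable")
    if not enabled:
        wf.pending.clear()                  # pending requests are canceled immediately
    wf.enabled = enabled
    return wf.enabled


def deactivate_user(user: str, org: Org, workflows: list) -> list:
    """Deactivating a user disables every enabled workflow left with no approver."""
    org.active_users.discard(user)
    newly_disabled = [wf.name for wf in workflows if wf.enabled and not is_viable(wf, org)]
    for wf in workflows:
        if wf.name in newly_disabled:
            set_enabled(wf, org, False)
    return newly_disabled


def can_approve(user: str, wf: Workflow, org: Org) -> bool:
    return wf.enabled and user in effective_approvers(wf, org)


def can_edit(user: str, org: Org) -> bool:
    """Approvers who are not organization administrators cannot edit the workflow."""
    return user in org.admins


def valid_grant_minutes(minutes: int, org: Org) -> bool:
    """A requested duration must be a positive multiple of 15 minutes within the org maximum."""
    return minutes > 0 and minutes % INCREMENT_MINUTES == 0 and minutes <= org.max_grant_minutes


def scenario() -> dict:
    """Replay the page's rules on a constructed org and return the observations."""
    org = Org(active_users={"alice", "bob", "carol"}, role_members={"sre": {"bob"}}, admins={"alice"})
    wf = Workflow("prod-db-access", approver_users={"carol"}, approver_roles={"sre"}, pending=["rq-1"])
    out = {"starts_disabled": not wf.enabled}
    out["enabled"] = set_enabled(wf, org, True)
    out["carol_approves_but_cannot_edit"] = can_approve("carol", wf, org) and not can_edit("carol", org)
    org.role_members["sre"].add("dave")                     # a member added to the role later
    org.active_users.add("dave")
    out["dave_can_approve"] = can_approve("dave", wf, org)
    out["after_carol_deactivated"] = deactivate_user("carol", org, [wf])   # bob and dave remain
    deactivate_user("bob", org, [wf])
    out["after_all_deactivated"] = deactivate_user("dave", org, [wf])     # last approver gone
    out["pending_after_disable"] = list(wf.pending)
    org.active_users.add("carol")                                         # reactivation alone...
    out["still_disabled_after_reactivation"] = not wf.enabled             # ...does not re-enable
    out["durations"] = [valid_grant_minutes(m, org) for m in (90, 100, 31 * 24 * 60)]
    return out


if __name__ == "__main__":
    print(scenario())
```

Run the file to see the observations; the part worth checking in any real deployment is the approver-deactivation path, since it is the one that silently cancels in-flight requests and leaves a workflow disabled until an administrator notices.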
As an approver viewing a request in the Admin UI (Request Access > Requests), choose the request and click Actions > View request details to see the same status screen that the requester sees. You can also expand the panel by choosing Show more, which lets you see more details related to the request (such as role information about the user) and respond to the request, as in the example shown.
The Request Details modal shows the requester’s name, the name of the resource they intend to access, the requested time frame, and their own explanation of why they need access. You can approve or deny the request as well as provide a note to the requester. You can click Show more to see details about the user and the resource in question to provide context around who the user is and what the user is requesting to access.
Once a request has been approved or denied, an email is sent to the requester letting them know that the request has been finalized (if email notifications are enabled).
At any time, an approver can look at any previously granted request and revoke the access early where necessary or appropriate.