This repo provides full end to end examples for implementing various Sym Flows.
Full Sym docs can be found here:
Each folder in this repo represents a full end to end Sym Flow.
| Example | Description |
|---|---|
| Approval-Only Flow | A foundational Sym Flow for audited approvals |
| Aptible Access Strategy | A Sym Flow that escalates the requester to an Aptible role |
| AWS IAM Group Escalation | A Sym Flow that escalates a user to an AWS IAM Group |
| Invoke AWS Lambda from impl.py | A Sym Flow that invokes an AWS Lambda from a hook in impl.py |
| Custom Escalation with AWS Lambda | A Sym Flow that invokes an AWS Lambda for custom access management |
| AWS IAM Identity Center (AWS SSO) Escalation | A Sym Flow that assigns a user to an AWS Permission Set in a given AWS account |
| Datadog Log Destination | A Sym Environment configured to send logs to Datadog via AWS Kinesis Firehose |
| GitHub Access Strategy | A Sym Flow that escalates the requester to a GitHub Repository |
| GitHub Access Strategy with Dynamic Targets | A GitHub Access Strategy that uses Dynamic Targets to populate the repository name |
| Google Group Access Strategy | A Sym Flow that escalates the requester to a Google Group |
| KnowBe4 SDK Integration | Use the KnowBe4 SDK to auto-approve requests if the requester completed specific training |
| Okta Group Escalation | A Sym Flow that escalates the requester to an Okta Group |
| Okta SDK Integration | Use the Okta SDK to create custom auth hooks and to get user profile data |
| Auto-approve PagerDuty On-call Engineer | A Sym Flow that auto-approves requests if the requester is on-call in PagerDuty |
| AWS Kinesis Firehose to S3 Bucket Log Destination | A Sym Environment configured to send logs to an S3 bucket via AWS Kinesis Firehose |
| Segment Log Destination | A Sym Environment configured to send logs to Segment |
| Tailscale SSH Access | A Sym Flow that escalates the requester to a Tailscale Group with SSH access |
Advanced examples go beyond explaining the basics of Sym resources. Here you'll get deeper into setting up the target systems Sym is integrating with.
| Advanced Example | Description |
|---|---|
| Approve a CircleCI Job from Sym | A Sym Flow that is triggered from CircleCI by the Sym Orb and then resumes the paused CircleCI workflow after approval |
| JIT access to multiple AWS Organizations | Grant access to multiple tenant AWS Organizations from a centralized host AWS organization |
| JIT access to SSH to EC2 | A Sym Flow that grants SSH access to EC2 instances via AWS IAM Identity Center and AWS Session Manager |
| Custom Integration | A Sym Flow that uses a Custom Integration to wire in services that aren't directly supported by the SDK |
| Least Privilege S3 with K9 Security | Use a least-privilege bucket policy from K9 Security along with a Sym Flow to manage access to S3 |
| Multiple Environments | Use Sym Environments and Terraform modules to easily deploy a separate test Sym Flow |
| MySQL Temp User Strategy | A Sym Flow that invokes an AWS Lambda to create temporary users to access to an AWS-hosted MySQL instance |
| Postgres Role Strategy | A Sym Flow that invokes an AWS Lambda to temporarily grant users additional roles in an AWS-hosted PostgreSQL instance |
| Postgres Temp User Strategy | A Sym Flow that invokes an AWS Lambda to create temporary users to access an AWS-hosted PostgreSQL instance |