ContextQMD
Back to Infisical

Approval Policies & Requests

docs/documentation/platform/pam/product-reference/access-policies.mdx

0.159.256.1 KB
Original Source

PAM approval workflows add a human review step before access is granted to privileged accounts, helping organizations enforce security controls and compliance requirements.

When to Use Approval Workflows

Approval workflows are recommended when:

  • Separation of duties is required: Your organization requires different people to request and approve access to privileged accounts.
  • Sensitive resources need oversight: Access to production databases, critical servers, or administrative accounts requires additional review.
  • Compliance mandates review: Regulatory frameworks or internal policies require documented approval before granting access.
  • Preventing unauthorized access: You want to ensure privileged access is only granted after proper validation of the request.

Approval Policies

An approval policy defines the workflow that must be completed before access is granted to specific resources and accounts. When an access request matches a policy's conditions, the request is placed in a pending state until the required approvers review and approve it.

Key features of approval policies include:

  • Condition-based matching: Define which resources and accounts the policy applies to using glob patterns (e.g. prod-*, {prod,staging}-*, *-admin).
  • Multi-step workflows: Configure sequential approval steps where each step must be completed before the next begins.
  • Flexible approvers: Assign individual users or groups as eligible approvers for each step.
  • Required approval count: Specify how many approvals are needed per step (e.g., require 2 out of 5 eligible approvers).
  • Access duration constraints: Set maximum access durations for requests matching this policy.

Guide to Creating an Approval Policy

To create an approval policy, navigate to your PAM Project > Approvals > Policies and click Create Policy.

<Steps> <Step title="Configuration"> Configure the basic policy settings: 
- **Policy Name**: A descriptive name for the policy such as `production-db-approval`.
- **Conditions**: Define which resources and accounts this policy applies to:
  - **Resource name**: Glob pattern for matching resource names (e.g. `prod-db`, `*-redis`).
  - **Account name**: Glob pattern for matching account names (e.g. `admin`, `*readonly`).
  - At least one of resource name or account name must be specified. If both are provided, they are ANDed together.
- **Access Duration**: Configure the maximum access duration allowed for requests matching this policy.

![pam approval policy configuration](/images/pam/product-reference/access-policies/approval-policy-configuration.png)
</Step> <Step title="Approval Sequence"> Configure the approval steps. Each step defines who can approve and how many approvals are required: 
- **Step Name**: An optional name for the step such as `Manager Review`.
- **Approvers**: Select individual users or groups who are eligible to approve this step.
- **Required Approvals**: The number of approvals needed to complete this step.

You can add multiple steps to create a sequential approval workflow. For example:
1. **Manager Review**: Requires 1 approval from the managers group
2. **Security Review**: Requires 2 approvals from the security team

Each step must be completed in order before access is granted.
</Step> <Step title="Review"> Review your policy configuration and click **Create** to save the policy. </Step> </Steps>

Approval Requests

When an access request matches a policy's conditions, an approval request is created. Approvers can then review and approve or reject the request.

Viewing Requests

Navigate to your PAM Project > Approvals > Requests to view all approval requests. You can filter requests by status:

  • Open Requests: Requests currently pending approval
  • Approved: Requests that have been approved and access granted
  • Rejected: Requests that were rejected by an approver
  • Cancelled: Requests cancelled by the requester
  • Expired: Requests that exceeded their maximum TTL

Approving a Request

<Steps> <Step title="Open the request"> Click on a pending request to view its details. </Step> <Step title="Review the access details"> Review the access request information including: - Requester name and email - Resource name and account name - Requested access duration - Justification (if provided) </Step> <Step title="Approve"> If you are an eligible approver for the current step, click **Approve** to approve the request. </Step> </Steps>

Once all required approvals for all steps are obtained, access is automatically granted.

Rejecting a Request

<Steps> <Step title="Open the request"> Click on a pending request to view its details. </Step> <Step title="Review the access details"> Review the access request information. </Step> <Step title="Reject"> If you are an eligible approver for the current step, click **Reject** to reject the request. Optionally add a comment explaining the rejection. </Step> </Steps>

When a request is rejected, the workflow ends and no access is granted.

FAQ

<AccordionGroup> <Accordion title="I approved a request but access wasn't granted"> If the approval policy has multiple steps, your approval may have completed only one step. Access is granted only after all approval steps are completed. Check the request details to see which step is currently pending and ensure all required approvers have approved. </Accordion> <Accordion title="I don't see the Approve button on a request"> The Approve button only appears if you are an eligible approver for the current step. Verify that: - You are listed as an approver (either directly or through a group) for the current approval step - The request is still in a pending state </Accordion> </AccordionGroup>