Temporary Access to High Compliance Environments with Sym and Aptible

With Sym and Aptible, teams can grant temporary access to sensitive environments while continuing to meet their organization’s stringent compliance requirements. Teams often choose to deploy and manage applications with Aptible when they need to be HIPAA compliant or certified for HITRUST or SOC2. In the same vein, Sym’s access and approval platform provides critical controls that help teams meet these compliance standards. With Sym and Aptible together, teams can roll out Slack or API-based workflows that grant ephemeral Aptible access – to the right people, at the right time.

Sym’s chat based approval workflows help us protect sensitive Aptible resources while still letting teams get their jobs done.

Sean Santry, VP Engineering, CarePort Health

Adding Just-In-Time Access to Aptible Environments

Aptible ships with powerful access control primitives out of the box. Sym builds on these primitives to provide just-in-time access to Aptible resources for teams where always-on access doesn’t make sense. In Aptible, users can belong to zero or more Aptible Roles. Each Aptible Role has access to zero or more Aptible Environments. And finally, within each Environment, a Role can be granted one of two permission levels: “Manage” and “Read”. Teams often want to allow users access to an Environment’s Manage or Read permissions some of the time. That is where Sym comes in!

Making Temporary Aptible Access Requests With Sym

Before Jon requests access, only Adam is a member of the Prod role:

Jon creates a request to access the Prod environment to fix Ticket 123:

Jon submits his request, which can get routed to a configurable channel or fast-tracked if appropriate:

Jon’s request is updated in the shared channel once it is approved:

Once approved, Jon now is a member of the Prod Role:

Set up an Aptible Sym Flow with Terraform

Sym’s platform lets you declare Flow resources using Terraform and provision these using standard infrastructure-as-code pipelines. To make Aptible really easy to set up, we’ve introduced a few new resource types to the Sym platform: the aptible Integration, the aptible Strategy, and the aptible_role Access Target.

Using these three resource types, you can declare a Flow that will add or remove users from Aptible Roles:

resource "sym_integration" "aptible" {
  type = "aptible"
  name = "main-aptible-integration"

  # Your Aptible Organization ID
  external_id = "94a49e57-d046-4d9d-9dbf-f7711e337368"

  settings = {
    username_secret = sym_secret.aptible_bot_username.id
    password_secret = sym_secret.aptible_bot_password.id
  }
}

resource "sym_strategy" "aptible" {
  type = "aptible"
  name = "main-aptible-strategy"
  integration_id = sym_integration.aptible.id
  targets = [sym_target.admin_prod.id]
}

resource "sym_target" "admin" {
  type = "aptible_role"
  name  = "main-aptible-admin-role"
  label = "Aptible Admin"

  settings = {
    role_id = "24463EF7-1D6E-402E-A365-69CB6DB80C6E"
  }
}

Note: check our main docs for a full walkthrough of setting up Aptible, including how to set up secrets to enable Sym to connect to your Aptible account.

Mapping User Accounts

Sym will automatically map users from Slack that have the same email address identifying them in Aptible. If your users aren’t mapped that way, you can use the symflow CLI to manage the user mappings.

Try out Sym Flows for Aptible!

Getting the initial version of an end to end Sym integration set up usually takes under an hour. Our examples repo has a complete configuration of an Aptible Flow and our docs site has a companion walkthrough if you want to get deeper.