Show HN: Sym, define just-in-time access workflows in code (symops.com)
50 points by abuggia 1172 days ago
Hello HN,

My cofounder (jon918) and I started Sym three years ago because we were frustrated with how hard it was to manage access to cloud infrastructure. We wanted to build a tool for JIT access that was actually designed for developers. We were wary of tools that tried to accommodate both devs and IT but ended up with usability compromises for both.

First, we figured no one wants another web app to log into so we let administrators define access workflows in Terraform and let developers request and gain access via Slack. That seemed to pay off: being code-based was a big plus for our early customers since it let them manage the logic in version control and test in CI/CD.

Second, we knew that updating permissions/roles/access was a major source of toil and risk in the world of cloud infrastructure. Have you ever tried to avoid annoying, persistent access requests by setting policies that are a bit more permissive than you’d like? We felt that fully automated just-in-time access + approvals could really help here. But we also knew that a simple approval tool could end up leading to request fatigue - kind of defeating the purpose. So we built an SDK to let you define checks in code (e.g. pagerduty.on_call, okta.is_user_in_group, github.get_repo_collaborators) in order to dynamically route requests or fast-track access when appropriate. This seems to be paying off: users are creating Slack-based approvals in front of different types of risky actions like production access, sensitive queries and triggering Lambdas.

We’d love your feedback on our approach so far. Does this make sense to you? Is this a tool you'd use? What would you want to see out of it?

To learn more, check out the video that Nick (nmeans, Sym VPEng) made [1]. You can also check out our docs [2] or set up your own flow [3].

thanks!

-adam

[1] https://vimeo.com/815222490/c717c18c42

[2] https://docs.symops.com

[3] https://symops.com/signup
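The post describes routing decisions as ordinary code: a check such as an on-call lookup or a group membership query decides whether a request is fast-tracked or sent to approvers. The following is an added illustration of that pattern, written for this page; it is not the Sym SDK or any Sym code. The `pagerduty_on_call` and `okta_is_user_in_group` functions are constructed stand-ins for the checks the post names, and every user, group and target is constructed sample data. It also shows the part a reviewer usually asks about: the grant is capped and expires on its own, even on the fast path.

```python
"""Constructed example of a JIT access router (not the Sym SDK).

Models the idea from the post: access checks are plain code, a request is
either fast-tracked or routed to approvers based on those checks, and any
resulting grant is time-bounded. All users, groups and targets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed directory data standing in for PagerDuty and Okta lookups.
ON_CALL = {"alice"}
GROUPS = {"db-admins": {"alice", "bob"}, "sre": {"alice", "carol"}}


def pagerduty_on_call(user: str) -> bool:
    """Stand-in for a PagerDuty on-call check (constructed, not the real API)."""
    return user in ON_CALL


def okta_is_user_in_group(user: str, group: str) -> bool:
    """Stand-in for an Okta group-membership check (constructed, not the real API)."""
    return user in GROUPS.get(group, set())


# Per-target policy kept as data so that changes land in version control
# and get reviewed like any other code change.
TARGET_POLICY = {
    "prod-db-readonly": {"requester_group": "db-admins", "approver_group": "sre", "max_minutes": 120},
    "prod-shell": {"requester_group": "sre", "approver_group": "sre", "max_minutes": 60},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    target: str
    minutes: int  # requested duration


@dataclass(frozen=True)
class Decision:
    outcome: str  # "auto_approved", "route" or "denied"
    minutes: int = 0
    approvers: frozenset = frozenset()
    note: str = ""


@dataclass(frozen=True)
class Grant:
    user: str
    target: str
    expires_at: datetime


def route(req: AccessRequest) -> Decision:
    """Decide whether a request is fast-tracked, needs approval, or is refused."""
    policy = TARGET_POLICY.get(req.target)
    if policy is None:
        return Decision("denied", note="unknown target")
    if not okta_is_user_in_group(req.user, policy["requester_group"]):
        return Decision("denied", note=f"{req.user} is not in {policy['requester_group']}")
    # Cap the duration on every path so the fast track cannot hand out long-lived access.
    minutes = min(req.minutes, policy["max_minutes"])
    if pagerduty_on_call(req.user):
        return Decision("auto_approved", minutes, note="on-call fast track")
    # Route to the approver group, never letting the requester approve themselves.
    approvers = frozenset(GROUPS[policy["approver_group"]]) - {req.user}
    if not approvers:
        return Decision("denied", note="no eligible approver")
    return Decision("route", minutes, approvers, note="needs approval")


def issue_grant(req: AccessRequest, decision: Decision, now: datetime) -> Grant:
    """Turn an approved decision into a grant with an explicit expiry."""
    if decision.outcome not in ("auto_approved", "approved"):
        raise ValueError(f"cannot issue grant for outcome {decision.outcome!r}")
    return Grant(req.user, req.target, now + timedelta(minutes=decision.minutes))


def is_active(grant: Grant, now: datetime) -> bool:
    """Grants expire on their own; no separate revocation step is needed."""
    return now < grant.expires_at


def run_demo() -> dict:
    """Walk one on-call request through routing and expiry; returns the observations."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    req = AccessRequest("alice", "prod-db-readonly", minutes=240)
    decision = route(req)
    grant = issue_grant(req, decision, now)
    return {
        "outcome": decision.outcome,
        "granted_minutes": decision.minutes,
        "active_after_119": is_active(grant, now + timedelta(minutes=119)),
        "active_after_120": is_active(grant, now + timedelta(minutes=120)),
    }


if __name__ == "__main__":
    print(run_demo())
    print(route(AccessRequest("bob", "prod-db-readonly", 30)))
```

Running the file shows the on-call requester being fast-tracked but still capped at the target's two-hour limit, while a non-on-call member of the requester group is routed to the approver group minus themselves. Keeping the policy table and the checks in one reviewed file is what gives the "test in CI/CD" property the post mentions: a unit test can assert on `route()` for each target before a change ships.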

6 comments

Impressive solution. I see great potential. In a startup of 30 people that needs SOC2 compliance - me as DevOps / security team - I have a problem with access requests from engineering / marketing / sales etc.

On the one hand, I want to do them as quickly as possible, because I know how frustrating the lack of access is. On the other hand, our current flow for reporting change history / review / onboarding / offboarding for compliance with e.g. SOC2 is time-consuming and prone to oversight.

I see a lot of potential here, because I was thinking of launching an access management project myself. Most access management systems are focused around SSO, and this - due to the SSO tax - is not for every application in a small organization. Open-source can allow the community to create integrations to manage access for less popular products without this tax.

I notice that the project is used to manage JIT access. I wonder what would be operational issues with this tool if this access was given for weeks / months instead of hours?

I see your solution as pretty similar to Granted Approvals, which is also open-source. What motivated you to start something of your own? I think Netflix open-sourced one solution for AWS too.

On the other hand, GitHub Entitlements, as the democratization of access management via IaC, is also an interesting direction. It looks like various projects independently implement similar ideas.

I like the deep integration with Slack. I've been looking at AccessOwl for some time, which is well integrated with Slack too.

Thanks so much for the feedback!

> I was thinking of launching an access management project myself. Most access management systems are focused around SSO, and this - due to the SSO tax - is not for every application in a small organization.

Great point. SSO integrations also don’t necessarily provide the level of control you need to grant people appropriate permissions. Like you can add/remove people from the application but not give them appropriate access within it. Would love to learn how you’re thinking about the problem, send us a note if you want to talk more!

> I wonder what would be operational issues with this tool if this access was given for weeks / months instead of hours?

You can configure access duration flexibly with Sym. That being said, part of our philosophy is to make it easy for teams to transition to shorter access durations because the friction to re-grant access is reduced.

> I see your solution as pretty similar to Granted Approvals, which is also open-source. What motivated you to start something of your own? I think Netflix open-sourced one solution for AWS too.

There are some great tools in the space for sure. Our motivation is to build a flexible engine for access and approvals that you can layer into any modern platform stack.

Nice idea. Struggling with this problem too.

My thought is that once you have all your IaC set up, hopefully this becomes less of a problem, since you do things through PRs, not clickops, and we might be setting up the roles via Pulumi (or Terraform) anyway.

I guess the value here is in the exceptions, where you quickly want to give a human access to an area to dive in and solve a production issue?

Great point on doing things through PRs, not clickops. As your practices mature, the need for approvals can shift from the care and feeding of your infrastructure to managing risk. Even with IaC in place, having controls around who can access customer data, internal admin panels, and other resources with a high blast radius is critical. We built Sym to serve as a flexible approvals layer that can adapt along with you as your stack evolves. There will always be new services and teams to incorporate, and we want to ensure you can always easily add in guardrails that give you sufficient control and visibility into what teams are up to without introducing unneeded bottlenecks.

I love this approach to integrating access control workflow into existing workflows using code.

Really feels like security can actually be "everyone's job" when you're able to make good access management decisions from within your existing tools and their supporting context.

Thanks - we’ve definitely seen Sym help our early customers safely distribute access decisions. Because the flows are managed in code, teams also get visibility into how these rules are defined and can contribute to improving them, as well as extend to new use cases.

Hey, I’m Adam’s co-founder; we’d love feedback from the HN community on what we’ve been working on!

Love the code-first approach to building a JIT access management tool. Would love to see y'all build a Pulumi provider to double down on the code-first approach.

Providing support for other infra-as-code solutions like Pulumi is definitely on the roadmap!

Oh cool, glad to see this hit HN. I know Adam and Jon from way back and they're good folks. Congrats on how far you've come with this!

Thanks Ed!