by quickthrower2 1174 days ago
Nice idea. Struggling with this problem too.

My thought is that once you have all IaC set up, hopefully this becomes less of a problem, since you do things through PRs, not clickops, and we might be setting up the roles via Pulumi (or Terraform) anyway.

I guess the value here is in the exceptions, where you quickly want to give a human access to an area to dive in and solve a production issue?

1 comments

Great point on doing things through PRs not clickops. As your practices mature, the need for approvals can shift from the care and feeding of your infrastructure to managing risk. Even with IaC in place, having controls around who can access customer data, internal admin panels, and other resources with a high blast radius is critical. We built Sym to serve as a flexible approvals layer that can adapt along with you as your stack evolves. There will always be new services and teams to incorporate, and we want to ensure you can always easily add in guardrails that give you sufficient control and visibility into what teams are up to without introducing unneeded bottlenecks.