Show HN: Sym, define just-in-time access workflows in code (symops.com)
My cofounder (jon918) and I started Sym three years ago because we were frustrated with how hard it was to manage access to cloud infrastructure. We wanted to build a tool for JIT access that was actually designed for developers. We were wary of tools that tried to accommodate both devs and IT but ended up with usability compromises for both.
First, we figured no one wants another web app to log into so we let administrators define access workflows in Terraform and let developers request and gain access via Slack. That seemed to pay off: being code-based was a big plus for our early customers since it let them manage the logic in version control and test in CI/CD.
Second, we knew that updating permissions/roles/access was a major source of toil and risk in the world of cloud infrastructure. Have you ever tried to avoid annoying, persistent access requests by setting policies that are a bit more permissive than you’d like? We felt that fully automated just-in-time access + approvals could really help here. But we also knew that a simple approval tool could end up leading to request fatigue - kind of defeating the purpose. So we built an SDK to let you define checks in code (e.g. pagerduty.on_call, okta.is_user_in_group, github.get_repo_collaborators) in order to dynamically route requests or fast-track access when appropriate. This seems to be paying off: users are creating Slack-based approvals in front of different types of risky actions like production access, sensitive queries and triggering Lambdas.
We’d love your feedback on our approach so far. Does this make sense to you? Is this a tool you'd use? What would you want to see out of it?
To learn more, check out the video that Nick (nmeans (Sym VPEng)) made [1]. You can also check out our docs [2] or set up your own flow [3].
thanks!
-adam
11 comments
[ 2.8 ms ] story [ 37.5 ms ] threadReally feels like security can actually be "everyone's job" when you're able to make good access management decisions from within your existing tools and their supporting context.
My thoughts is that once you have all IaC set up hopefully this becomes less of a problem since you do things through PRs not clickops, and we might be setting up the roles via pulimi (or terraform) anyway.
I guess the value here is in the exceptions, where you quickly want to give a human access to an area to dive in and solve a production issue?
On the one hand, I want to do them as quickly as possible, because I know how frustrating the lack of access is. On the other hand, our current flow for reporting change history / review / onboarding / offboarding for compliance with e.g. SOC2 is time-consuming and prone to oversight.
I see a lot of potential here, because I was thinking of launching an access management project myself. Most access management systems are focused around SSO, and this - due to the SSO tax - is not for every application in a small organization. Open-source can allow the community to create integrations to manage access for less popular products without this tax.
I notice that the project is used to manage JIT access. I wonder what would be operational issues with this tool if this access was given for weeks / months instead of hours?
I see your solution as pretty similar to Granted Approvals which are also open-source. What motivated you to start something of your own? I think Netflix open-sourced one solution for AWS too.
From another hand, GitHub Entitlements as the democratization of access management via IaaC, it is also an interesting direction. Various projects independently implement similar ideas it looks.
I like depth integration with Slack. I've been looking at AccessOwl for some time, which is well integrated with Slack too.
> I was thinking of launching an access management project myself. Most access management systems are focused around SSO, and this - due to the SSO tax - is not for every application in a small organization.
Great point. SSO integrations also don’t necessarily provide the level of control you need to grant people appropriate permissions. Like you can add/remove people from the application but not give them appropriate access within it. Would love to learn how you’re thinking about the problem, send us a note if you want to talk more!
> I wonder what would be operational issues with this tool if this access was given for weeks / months instead of hours?
You can configure access duration flexibly with Sym. That being said, part of our philosophy is to make it easy for teams to transition to shorter access durations because the friction to re-grant access is reduced.
> I see your solution as pretty similar to Granted Approvals which are also open-source. What motivated you to start something of your own? I think Netflix open-sourced one solution for AWS too.
There are some great tools in the space for sure. Our motivation is to build a flexible engine for access and approvals that you can layer in to any modern platform stack.