# P0 allow modal, CLI, and UI

## Overview

`p0 allow` creates **standing pre-approvals** so specific principals can receive access automatically when they request it. Team members can configure these allows from three entry points:

* **Slack allow modal** for guided form-based setup
* **`p0 allow` CLI** for scripted or bulk automation
* **P0 App UI** for point-and-click management across environments

Every allow captures the same core fields: the target resource, the principal (`--to`), how long the auto-approval window remains active with `--start` and `--end`.

> You must be an approver for the target resource according to your [access policies](/access-management/just-in-time-access/request-routing.md) before you can create or edit an allow.

## Slack Allow Modal

Slack provides an interactive modal when you launch `/p0 allow` without full arguments. Use it when you prefer a visual form but want to stay in Slack.

### Launching the modal

* Type `/p0 allow` in any direct message or channel where the P0 bot is installed.
* (Optional) Include a partial command like `/p0 allow aws` to pre-populate the provider and resource fields.
* Press **Enter**. Slack opens the **Allow access** modal.

### Completing the form

The modal walks you through:

1. **Principal** – Email or directory identifier for the user, group, or service account.
2. **Provider & target** – Choose the cloud/platform and specify the resource (e.g., IAM role, project, permission set).
3. **Auto-approval window** – Select start/end or a duration (maps to `--start` and `--end`). The modal defaults to the current time plus one week.
4. **Per-request duration** – How long each automatically approved request will last (`--requested-duration`).
5. **Reason (optional)** – Appears in audit logs and request history when requestors receive access.

Submit the modal to create the allow. P0 confirms in DM and posts to the approval channel if configured. The modal’s interactive blocks provide inline validation (including date/time pickers), so you see errors such as missing `--to` or malformed durations before submission.

## CLI `p0 allow`

Use the CLI when you need automation, version-controlled workflows, or provider-specific flags. The command accepts the same data as the modal but allows you to script or template it.

```bash
p0 allow <provider> <subcommand> [resource args…] \
  --to <principal> \
  --length <duration> \
  [--start <timestamp>] \
  [--reason <text>] \
  [--wait]
```

Key tips:

* Run `p0 allow <provider> --help` for resource-specific arguments (e.g., `--project`, `--account`).
* Durations accept natural language strings such as `"4 hours"`, `"10 days"`, or `"1 month"`.
* Combine with `p0 ls` to discover requestable resources before issuing the allow.
* Use `--wait` when you want the CLI to block until backend provisioning completes.

See `p0-cli/p0-commands-and-usage/p0-allow.md` for full examples covering AWS, GCP, SSH, and other providers, plus troubleshooting guidance in `p0-cli/troubleshooting/p0-allow.md`.

## Operational Best Practices

* **Align access policies first.** Ensure the allow creator appears as an approver for the resource; otherwise the modal and UI block creation.
* **Default to shorter windows.** Use the smallest `--length` that satisfies the project needs and rely on renewals when necessary.
* **Capture justification.** Require reasons via access policy options (`requireReason: true`) so audit logs show why the standing access exists.
* **Review regularly.** Schedule periodic reviews of the **Pre Approvals** tab in Access Management or use the CLI to script an inventory (`p0 allow list --json`).

## Related Resources

* [Pre-approving Access](/access-management/just-in-time-access/approving-access/pre-approving-access.md)
* [p0 allow CLI reference](/p0-cli/p0-commands-and-usage/p0-allow.md)
* [Access Policies](/access-management/just-in-time-access/request-routing.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.p0.dev/access-management/just-in-time-access/approving-access/p0-allow-workflows.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.