P0 App Documentation
Sign up for FreeSandbox
  • What Is P0?
    • πŸŽ›οΈIAM Dashboard
    • πŸ”ŽAccess Inventory
    • πŸͺ‘IAM Posture
    • ⏱️Just-In-Time Access
    • ♻️Service-Account Key Rotation
  • Getting Started
    • ⬇️Quick Start
    • 🎁Share P0 With Your Team
  • INVENTORY
    • πŸ—ΊοΈAccess Inventory
    • πŸ”¬Result Details
    • ❔Query Search
      • πŸ“–Search Reference
  • Posture
    • βš–οΈPosture Overview
  • Monitor Results
  • πŸ€”Finding Details
  • ORCHESTRATION
    • ⏰Just-in-time access
      • πŸ–οΈRequesting Access
        • πŸ‘‰For Another Party
      • 🏁Approving Access
        • Pre-approving Access
      • πŸ”€Request Routing
        • Google Cloud Filtering
        • AWS Filtering
  • Environments
    • ☁️Creating an Environment
    • πŸ““Environment Terminology
    • βš™οΈSettings
  • Integrations
    • πŸ“žNotifier integrations
      • πŸ’¬Slack
      • πŸ‘¬Microsoft Teams
      • πŸ“£Custom Notifier
    • πŸ”‘Resource integrations
      • ☁️Google Cloud
        • Requesting Access
        • Permissions Reference
          • Cloud Storage
          • Compute Engine
      • πŸ“¦AWS
        • Requesting Access
      • ☸️Kubernetes
        • Requesting Access
        • Advanced Requests
      • πŸ”‹PostgreSQL
        • Requesting Access
      • ❄️Snowflake
      • πŸ–₯️SSH
      • GitHub
        • Requesting Access
      • πŸ› οΈCustom Resource
    • πŸ‘₯Directory integrations
      • Microsoft Entra ID
        • Requesting Access
      • Google Workspace
      • Integrate P0 with Okta
    • βœ”οΈApproval integrations
      • πŸ””PagerDuty
    • πŸ”ŒSIEM Integrations
      • Splunk HEC Setup
  • P0 Management
    • 🎩Role-Based Access Control
Powered by GitBook
On this page
  • Configuring approvals
  • Default approvals
  • Request routing
  • Request notifications
  • Approving (and denying) requests
  • Reviewing requests
  1. ORCHESTRATION
  2. Just-in-time access

Approving Access

This page describes how to review and approve just-in-time access requests

PreviousFor Another PartyNextPre-approving Access

Last updated 1 year ago

Here we'll walk you through the life-cycle of access request and review.

Configuring approvals

There are two ways to configure approvals with P0:

  • Default approvals routing

  • Request routing

Request routing is only available for Pro-tier P0 accounts.

Default approvals

To use the default approvals, you'll need to configure who can approve and revoke access requests. This is done on 's "Settings" page.

Configure who can approve access requests by entering approvers' emails in the "Approvers" input. Approvers must have accounts in Slack using the same email addresses.

Approvers' email addresses may be from outside your domain.

Two-party and one-party approvals

By default, a requestor can not approve their own access requests. If you want to allow requestors to approve their own requests, allow one-party approvals.

Auto approvals

Escalated approvals

In addition to normal approval flow, P0 allows requestor to escalate the request using PagerDuty and notify on-callers to approve pending request.

Request routing

The remainder of this guide assumes your organization is using default approval routing.

When an access request is made, P0 creates an approval message in your Slack integration's configured channel.

With default approvals, P0 will mention the @p0approvers Slack group, which contains all configured approvers.

If you use request routing with directory group approvers, P0 will instead DM each approver with a link to the approval message.

To Approve this request, first choose an access duration from the "Select expiry" dropdown, then click "Approve".

If you are not in the P0 approvers group, you will receive an error when attempting to approve or deny access.

To Deny this request, click "Deny".

Requesting further justification

If the requestor's justification for requesting access is incomplete or needs follow-up, reply to the request message in a thread. The request conversation thread is linked to the access request, and this discussion will be available in future access reviews.

You can review all requests made via P0, whether approved or denied, by visiting p0.app, and navigating to "Requests". You'll see a dashboard of all requests:

Clicking the Slack icon in the request description will take you to the approval-message conversation, where you can view any conversation around justification.

You can also get more details on the lifecycle of an individual grant by clicking "Details":

Finally, you can export all requests as a tab-separated values list (.tsv) by clicking "Export all requests".

In addition to approvals by humans, P0 also allows you to automatically approve requests if the requestor is currently on-call on an escalation policy. See for more details.

If you need more fine-grained control over approvals based on who is requesting access, and to what, use request routing. See the reference for more details.

Request notifications

Approving (and denying) requests

Reviewing requests

⏰
🏁
πŸ””
βœ…
πŸ€”
Approval Integrations
Request Routing
βš™οΈ
πŸ””
βœ…
πŸ€”
βš™οΈ
p0.app
Configuring approvals
Request notifications
Approving (and denying) access
Reviewing requests