Sign up for FreeKnowledge Base

P0 Allow Modal, CLI, and UI

Configure P0 allow pre-approvals from Slack, the CLI, or the P0 web app.

Overview

p0 allow creates standing pre-approvals so specific principals can receive access automatically when they request it. Team members can configure these allows from three entry points:

  • Slack allow modal for guided form-based setup

  • p0 allow CLI for scripted or bulk automation

  • P0 App UI for point-and-click management across environments

Every allow captures the same core fields: the target resource, the principal (--to), how long the auto-approval window remains active with --start and --end.

You must be an approver for the target resource according to your routing rules before you can create or edit an allow.

Slack Allow Modal

Slack provides an interactive modal when you launch /p0 allow without full arguments. Use it when you prefer a visual form but want to stay in Slack.

Launching the modal

  • Type /p0 allow in any direct message or channel where the P0 bot is installed.

  • (Optional) Include a partial command like /p0 allow aws to pre-populate the provider and resource fields.

  • Press Enter. Slack opens the Allow access modal.

Completing the form

The modal walks you through:

  1. Principal – Email or directory identifier for the user, group, or service account.

  2. Provider & target – Choose the cloud/platform and specify the resource (e.g., IAM role, project, permission set).

  3. Auto-approval window – Select start/end or a duration (maps to --start and --end). The modal defaults to the current time plus one week.

  4. Per-request duration – How long each automatically approved request will last (--requested-duration).

  5. Reason (optional) – Appears in audit logs and request history when requestors receive access.

Submit the modal to create the allow. P0 confirms in DM and posts to the approval channel if configured. The modal’s interactive blocks provide inline validation (including date/time pickers), so you see errors such as missing --to or malformed durations before submission.

CLI p0 allow

Use the CLI when you need automation, version-controlled workflows, or provider-specific flags. The command accepts the same data as the modal but allows you to script or template it.

p0 allow <provider> <subcommand> [resource args…] \
  --to <principal> \
  --length <duration> \
  [--start <timestamp>] \
  [--reason <text>] \
  [--wait]

Key tips:

  • Run p0 allow <provider> --help for resource-specific arguments (e.g., --project, --account).

  • Durations accept natural language strings such as "4 hours", "10 days", or "1 month".

  • Combine with p0 ls to discover requestable resources before issuing the allow.

  • Use --wait when you want the CLI to block until backend provisioning completes.

See p0-cli/p0-commands-and-usage/p0-allow.md for full examples covering AWS, GCP, SSH, and other providers, plus troubleshooting guidance in p0-cli/troubleshooting/p0-allow.md.

Operational Best Practices

  • Align routing rules first. Ensure the allow creator is listed as an approver for the resource; otherwise the modal and UI blocks creation.

  • Default to shorter windows. Use the smallest --length that satisfies the project needs and rely on renewals when necessary.

  • Capture justification. Require reasons via routing rule options (requireReason: true) so audit logs show why the standing access exists.

  • Review regularly. Schedule periodic reviews of the Standing access page or use the CLI to script an inventory (p0 allow list --json).

Related Resources

PreviousPre-approving AccessNextRequest Routing

Last updated