Approval Workflows
JITSudo uses Cedar policies with an approval_mode field to determine how access requests are handled.
Approval Modes
| Mode | Behavior |
|---|---|
| `auto` | Request is automatically approved if the policy permits it; no human review is needed |
| `require` | Request is permitted by policy but requires manual approval before a grant is created |
| `break_glass` | Emergency access: the policy allows immediate provisioning, with enhanced audit logging |
Automatic Approval
Requests matching a policy with `approval_mode: auto` are approved immediately. Common use cases:
- Development account access for engineering team members
- Short-duration read-only access
- Well-defined, low-risk permission sets
Manual Approval
Requests matching a policy with `approval_mode: require` enter a pending state. Reviewers are notified through the configured notification channels and can approve or deny the request via the Approvals page or the API:

```sh
# Approve
curl -X POST https://jitsudo.example.com/v1/requests/<id>/approve \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Tenant-ID: <tenant-uuid>"

# Deny
curl -X POST https://jitsudo.example.com/v1/requests/<id>/deny \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Tenant-ID: <tenant-uuid>"
```

Approval Timeout
Policies can specify an approval timeout. If no decision is made within the timeout period, the ApprovalTimeoutWorker automatically expires the request and sends a notification.
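To make the three modes, the reviewer decision and the timeout expiry concrete, here is a small model of the workflow described above. It is an added example, not JITSudo's own code: the class and function names, and the use of epoch-second timestamps, are assumptions.

```python
# Added example (not JITSudo's code): a model of auto / require / break_glass,
# reviewer approve/deny and ApprovalTimeoutWorker-style expiry. Names are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class ApprovalMode(str, Enum):
    AUTO = "auto"
    REQUIRE = "require"
    BREAK_GLASS = "break_glass"

class RequestState(str, Enum):
    PENDING = "pending"
    GRANTED = "granted"
    DENIED = "denied"
    EXPIRED = "expired"

@dataclass
class AccessRequest:
    request_id: str
    created_at: float                          # epoch seconds
    state: RequestState = RequestState.PENDING
    enhanced_audit: bool = False               # set on break_glass grants
    approval_timeout: Optional[float] = None   # seconds, only while pending

def evaluate(req: AccessRequest, mode: ApprovalMode, timeout: Optional[float] = None):
    if mode is ApprovalMode.AUTO:
        req.state = RequestState.GRANTED       # no human review needed
    elif mode is ApprovalMode.BREAK_GLASS:
        req.state = RequestState.GRANTED       # immediate, flagged for audit
        req.enhanced_audit = True
    else:                                      # REQUIRE: wait for a reviewer
        req.state = RequestState.PENDING
        req.approval_timeout = timeout
    return req.state

def decide(req: AccessRequest, approve: bool) -> RequestState:
    if req.state is not RequestState.PENDING:  # only pending requests are decidable
        raise ValueError(f"{req.request_id} is {req.state.value}, not pending")
    req.state = RequestState.GRANTED if approve else RequestState.DENIED
    return req.state

def expire_stale(requests: list[AccessRequest], now: float) -> list[str]:
    """What an ApprovalTimeoutWorker does: expire pending requests past timeout."""
    expired = []
    for req in requests:
        if (req.state is RequestState.PENDING and req.approval_timeout is not None
                and now - req.created_at >= req.approval_timeout):
            req.state = RequestState.EXPIRED
            expired.append(req.request_id)
    return expired
```

Note that a break-glass grant is immediate exactly like `auto`, so the only thing distinguishing it in this model is the audit flag; in a real deployment that flag is what the enhanced audit logging keys on.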
Request Messages
Reviewers and requesters can exchange messages on a request to provide additional context:

```sh
curl -X POST https://jitsudo.example.com/v1/requests/<id>/messages \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Tenant-ID: <tenant-uuid>" \
  -H "Content-Type: application/json" \
  -d '{"body": "Can you provide more context on the incident?"}'
```

Policy Configuration
See Cedar Policies for how to configure approval modes and priority-based evaluation.