Setting Up Permission-Based Approvals

Last updated: October 8, 2024

Background

This article will teach you how to configure permission-based approvals, one of the most powerful features of the Lumos AppStore.

This feature will take your cost savings and least-privilege setup to the next level!! 💰🔐💪

If you haven't set up an app in the AppStore yet, go here to learn how:📄 Adding Apps To Your AppStore

Why use permissions?

Adding an app to your AppStore gives people a fast + easy way to request access. You may have even made a few apps "self-service" so that people can choose the type of access (permission) they need.

Why fine-tune an app's permission workflows? Here are a couple of scenarios where it makes sense.

  • Cost Differences

    A Basic Zoom license is usually free, so if someone requests one, it should just be auto-approved. On the other hand, a premium Zoom license costs money, so you might want someone to approve that before it's granted.

  • Admin Access

    Someone needs admin access to AWS. That needs to go to a special team for approval, while all other AWS access requests go through a standard approval process.

Read on to learn how to set up approval workflows for specific app permissions.

Steps

1. Go to the AppStore setup page.

2. Search for your app, click the "Advanced Settings" button, then click the "Permissions" tab.

annie1.gif

3. To add a new permission, click "+Add a permission". To edit an existing one, click on the permission!

If permissions come from your IdP (i.e. Okta), there will be an IdP logo next to the name of the group. On the permission itself, you'll see an indicator of whether the app is currently hidden or visible to users in the AppStore, as well as the number of permission level overrides set on the permission itself. More on this in the next step!

annie2.gif

4. Edit the permission settings.

The settings are explained in more detail below.

  • Permission Label

    This is what people see when they request the permission in Lumos, you can change this to make it easier to read.

    If this permission is tied to a group in your IdP, changing the label will not change the name of the group in your IdP.

  • Approvers

    If you want there to be specific approver(s) for this permission, what you set here will override what's set at the app level.

  • Visible in AppStore

    If you want to hide a permission from requesters altogether, you can toggle this to the left. This is great if certain permission types should not be viewed at all. 

Next to some permission configurations, you'll see this symbol (linked):

Or this symbol (unlinked):

This indicates whether the permission is linked to the app level configurations.

If the permission is linked, it means that it is inheriting the app level permission. That means if you change the app level configuration, the permission level configuration will also change.

If the permission is unlinked, it means that the permission is overriding the app level permission. That means if you change the app level configuration, the permission level configuration will not change. This is also the number of overrides you see on the permission list in Step 3. 

If you want to unlink or link a permission, simply click on the button!

5. You're done! 😎

FAQ

If I set an approver for an app, then set a different one for a specific permission, what happens?

If that specific permission is requested, it will override what's set at the app level.

What happens if multiple permissions are requested with different workflows?

Each permission goes through its own dedicated workflow.

Example: If someone requests a permission that has a manager approval, and one that needs admin approval, two approval requests will be created -- one to each approver.

Does changing the Permission Label change the name of the group in my IdP?

Nope! It just makes it easier for people to understand in your AppStore -- Lumos still pushes to the user to the same group in your IdP if the request is approved.