Access Layers
| Level | Description | Examples |
|---|---|---|
| Application | Top-level configuration. For certain applications (i.e. AWS), multiple instances of the same app can be configured separately. | E.g., Okta, Slack, Github, Linear |
| Resource | A group, team, or other logical division within an application. Note: many applications will have a single “App Access” resource if there are no other sub-application resources that are requestable. | E.g., Group, Channel, Repository, Team |
| Role | The set of permissions a user is requesting within an application or resource. | E.g., Member, Owner, Admin, Super Admin |
Configuring Access
Key Components of Access Configuration
Navigating to Access Management in app.serval.com
- From the left sidebar, select a team.
- Click the Access tab.
- View all applications with access configured for the selected team.
- Access Policies: Define rules for users’ access requests (e.g, duration, business justification, approval process)
- Provisioning Methods: Define how access is technically granted to the role (e.g., manual task, linked SCIM group, custom workflow, direct provisioning via API).
- Access Profiles: Define which groups of individuals can request access to a role, resource or application.
While in some cases workflows can also manage access, all role-based provisioning should be configured in Serval’s dedicated Access Management tool. Serval enforces security and permissioning controls at this layer, with built-in logging / reporting, and automatic handling for just-in-time provisioning and deprovisioning.
Configure Role
1. Configuring Access Policies
Creating a New Access Policy
- Select Create policy.
- In the Create access policy window:
- Policy Name: enter a clear, descriptive name (e.g., General Access).
- Policy Description: describe what the policy covers.
- Max Access Length: choose Indefinite or set a time limit.
- Require business justification: toggle Yes if users must provide a reason.
- Require confirmation for requests made on behalf of others: toggle Yes if needed.
- Require approval from one of: add approvers who must approve requests under this policy.
- Click Create policy to save and reuse across roles.
Access policies define how users can request access for any application, resource, or role. Policies control:
- Maximum access length: whether access is indefinite or time-bound.
- Business justification: whether users must provide a reason for their request.
- Request confirmation: whether requests made on behalf of others must be confirmed.
- Approval flow: which approvers must authorize the request.
Create Access Policy
2. Configuring Provisioning Methods
Admin can configure one of the following methods for provisioning access when access is requested.Manual provisioning
Access is granted through a task assigned to the application owner (via ticket or messaging app such as Slack).
Manual provisioning
Access is granted through a task assigned to the application owner (via ticket or messaging app such as Slack).
Example: Jeff requests editor access to a Linear group. If manual provisioning is used, the assignee adds Jeff as an editor in Linear. If the policy allows 12-hour temporary access, Serval assigns a ticket to grant access and a second ticket 12 hours later to remove it.
Linked Group
Access is granted by adding the user to a group in a connected Identity Provider (e.g., Okta, Google, Rippling, Entra) that is mapped to the role through SCIM.
Linked Group
Access is granted by adding the user to a group in a connected Identity Provider (e.g., Okta, Google, Rippling, Entra) that is mapped to the role through SCIM.
Example: Access to Linear can be provisioned by adding the user to the appropriate Okta group. When the access time limit expires, the user is automatically removed
Custom Workflow
Access is granted and removed through a specific custom process, like an API request or adding a user to a file that then grants access to that user list.
Custom Workflow
Access is granted and removed through a specific custom process, like an API request or adding a user to a file that then grants access to that user list.
- Simple Example: Access to a GitHub repository is managed by adding or removing the user from a pull request list that controls provisioning for that resource.
- Multi-Step Example: Open a GitHub PR to update Terraform for group membership, but first create a Linear task to purchase a license; once marked complete, the workflow auto-merges the PR and validates access.
Direct Provisioning
In cases where API provisioning is common, Serval has pre-built direct provisioning via API.
Direct Provisioning
In cases where API provisioning is common, Serval has pre-built direct provisioning via API.
Example: Automatically import all Ramp roles into Serval
Serval’s help desk agent automatically understands what applications have been configured for just-in-time access. Once you have set up this automation, the helpdesk will understand how to provision JIT access without additional workflows or guidance (unless for a custom case.)
3. Setting Access Profiles
Configure access profiles with name, description, associated Serval group and associated IdP role to limit which users can request access to this role, providing an additional layer of security.
Build Access Profile
Scenarios: Configuring Access at the Application, Resource or Role Level
Application Example
Scenario: Configure access to Ramp for company-wide access.
- Name: Ramp - Standard
- Description: Standard user access across the company.
- Policy: Indefinite timeline, no approver needed.
- Provisioning Method: Through Ramp user Group in Okta
Resource Example
Scencario: Configure access to Ramp for company-wide access.
- Name: Figma - Brand Assets File
- Description: View access to the brand assets design file
- Policy: Indefinite access, no approval needed
- Provisioning Method: Provisioned via Figma Editor Group in Okta.
Role Example
Scenario: Configure a GitHub Administrator role for elevated repository and organization permissions.
- Name: Ramp - Standard
- Description: Standard user access across the company.
- Policy: Indefinite timeline, no approver needed.
- Provisioning Method: Through Ramp user Group in Okta
Users Requesting Access
Users can request access either:- Request access in natural language through Serval in the same way they submit any other ticket (e.g., via Slack, Teams or any help desk portal)
Request access via the help desk
- Navigate to Access > Select an app from the list > Select access type and click the “Request” button in the top right corner > Provide additional details and click “Request access”
Request access in app.serval.com