# Key Concepts

## Grant Kits

Grant Kits are what you configure in code to control and automatically right-size permissions for resources. A Grant Kit has 3 components:

1. [Workflow](https://docs.abbey.io/reference/grant-kits/grant-workflows) to configure *how* someone should get access.
2. [Policies](https://docs.abbey.io/reference/grant-kits/policies) to configure *if* someone should get access.
3. [Output](https://docs.abbey.io/reference/grant-kits/outputs) to configure how and where Grants should materialize.
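The three components in one Grant Kit, as an added sketch rather than configuration taken from Abbey's documentation. It assumes the Abbey Terraform provider's `abbey_grant_kit` resource; the organization, repository, reviewer and team names are placeholders, and attribute names should be checked against the reference pages linked above.

```hcl
# Illustrative Grant Kit: every name, email and repo path below is a placeholder.
resource "abbey_grant_kit" "engineering_github_team" {
  name        = "engineering_github_team"
  description = "Membership in the engineering GitHub team"

  # Workflow: *how* someone gets access. One step, approved by one reviewer.
  workflow = {
    steps = [
      {
        reviewers = {
          one_of = ["reviewer@example.com"]
        }
      }
    ]
  }

  # Policies: *if* someone should get access. Points at a policy bundle
  # kept in version control (placeholder location).
  policies = [
    {
      bundle = "github://example-org/example-repo/policies"
    }
  ]

  # Output: how and where the Grant materializes. On approval the snippet is
  # appended to a Terraform file in the repo through a Pull Request.
  output = {
    location = "github://example-org/example-repo/access.tf"
    append   = <<-EOT
      resource "github_team_membership" "engineering_member" {
        team_id  = github_team.engineering.id
        # Placeholder: in practice this comes from the requester's linked
        # GitHub identity (see "Linking Identities").
        username = "REQUESTER_GITHUB_USERNAME"
        role     = "member"
      }
    EOT
  }
}
```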

## Access Requests & Approvals

Access Requests are automated processes for someone to be granted access to a [Resource](#resources). An Access Request typically involves:

1. A policy check, typically against a list of security and compliance policies.
2. A list of steps, with each step having a list of reviewers required to approve or deny the request.
3. A Terraform-native code change, backed by your Version Control System and Pull Requests.

## Access Grants

Grants are the result of an approved access request without any policy violations.

## Resources

Resources are what people access. A Resource can be defined at any granularity, from coarse to fine.

Some examples are:

1. Role-Based Access Control (RBAC) such as Okta Groups, Google Groups, AWS IAM Profiles, or GitHub Teams.
2. Direct Access to a database cluster, a database, a table, a Trino query, or a streaming or batch job.
3. Direct Access to an API cluster, instance, or a bastion.
4. Access to a Tailscale VPN.
5. Federated Access to any of the above through RBAC.

## Linking Identities

Resources can require identity information from an external application. For example, if you're controlling a resource through GitHub, you may need data associated with GitHub, such as your GitHub username, to control access to resources. Abbey lets you link application data from commonly used applications such as GitHub so you can use it when creating Grant Kits.
