Key Concepts

Grant Kits

Grant Kits are what you configure in code to control and automatically right-size permissions for resources. A Grant Kit has 3 components:

  1. Workflow to configure how someone should get access.

  2. Policies to configure if someone should get access.

  3. Output to configure how and where Grants should materialize.

Access Requests & Approvals

Access Requests are automated processes for someone to be granted access to a Resource. An Access Request typically involves:

  1. A policy check, typically against a list of security and compliance policies.

  2. A list of steps, with each step having a list of reviewers required to approve or deny the request.

  3. A Terraform-native code change, backed by your Version Control System and Pull Requests.

Access Grants

Grants are the result of an approved access request without any policy violations.


Resources are what people access. A Resource can be coarse- or fine-grained to any granularity.

Some examples are:

  1. Role-Based Access Control (RBAC) such as Okta Groups, Google Groups, AWS IAM Profiles, or GitHub Teams.

  2. Direct Access to a database cluster, a database, a table, a Trino query, or a streaming or batch job.

  3. Direct Access to an an API cluster, instance, or a bastion.

  4. Access to a Tailscale VPN.

  5. Federated Access to any of the above through RBAC.

Linking Identities

Resources can require identity information from an external application. For example, if you're controlling a resource through Github, you may need data associated with Github, say your Github Username, to control access to resources. Abbey lets you link application data from commonly-used applications such as Github so you can use them in creating Grant Kits.

Last updated