Activation Commands
Activation commands manage just-in-time access to privileged roles. You'll use these commands to request temporary role assignments, monitor approval status, and manage active sessions.
grantflow activations request
Request just-in-time activation of a privileged role. This creates an activation request that either grants access immediately or routes to your approval workflow, depending on the role's configuration.
Usage
grantflow activations request <role-id> --reason <justification> [--duration <minutes>] [--account <account-id>]
Parameters
- <role-id> (required) - The ID of the role to activate
- --reason (required) - Business justification for the access request
- --duration - Requested duration in minutes (default: 60)
- --account - Specific account ID to associate with the activation (optional)
Example
$ grantflow activations request role-prod-dba \
--duration 120 \
--reason "Emergency database performance investigation - incident #IR-2024-001"
✓ Activation requested successfully
ID: act-20241024-abc123
Status: pending
Duration: 120 minutes
Providing Justification
The reason you provide becomes part of the permanent audit trail and helps approvers understand why you need access. Include enough context that an approver can make an informed decision without asking follow-up questions.
Good justifications reference specific work items, incident tickets, or business needs:
- "Database migration for release v2.5 - JIRA-1234"
- "Emergency response to production outage - INC0012345"
- "Security audit of user permissions - AUDIT-2024-Q4"
Vague or empty justifications slow down the approval process and may lead to denial.
Duration Limits
Each role has a maximum activation duration configured by administrators. If you request more time than allowed, the CLI returns an error showing the maximum permitted duration. You can check a role's limit with grantflow roles get <role-id>.
Request only the time you actually need. Shorter activations are easier to approve and align with least-privilege principles.
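A pre-submit check for the justification and duration guidance above, as an added example that is not part of GrantFlow. The ticket pattern and the helper names check_request and request_role are assumptions, and the role's maximum is passed in by hand after reading it from grantflow roles get <role-id>.

```shell
#!/bin/sh
# Added example: refuse to submit an activation request that an approver
# would likely bounce. Not GrantFlow code; helper names are hypothetical.

# Assumption: ticket references look like the ones shown above
# (JIRA-1234, INC0012345, AUDIT-2024-Q4). Adjust to your ticket systems.
TICKET_RE='[A-Z]{2,}-?[0-9]+'

# check_request <reason> <duration-minutes> <role-max-minutes>
# Returns 0 when the request looks submittable; otherwise prints each problem.
check_request() {
  cr_reason=$1; cr_duration=$2; cr_max=$3; cr_rc=0

  # Duration must be a whole number of minutes.
  case $cr_duration in
    ''|*[!0-9]*) echo "duration must be a whole number of minutes"; return 1 ;;
  esac

  # Stay within the role's configured maximum.
  if [ "$cr_duration" -lt 1 ] || [ "$cr_duration" -gt "$cr_max" ]; then
    echo "duration $cr_duration is outside 1..$cr_max minutes"
    cr_rc=1
  fi

  # The reason is permanent audit data: require a ticket reference.
  if ! printf '%s\n' "$cr_reason" | LC_ALL=C grep -Eq "$TICKET_RE"; then
    echo "reason has no ticket reference"
    cr_rc=1
  fi
  return $cr_rc
}

# request_role <role-id> <reason> <duration-minutes> <role-max-minutes>
# Submits only when the check passes; flags are the ones documented above.
request_role() {
  check_request "$2" "$3" "$4" || return 1
  grantflow activations request "$1" --reason "$2" --duration "$3"
}

# Constructed demo input: a vague reason and an over-long duration.
check_request "need prod access" 480 240 || true
```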
Approval Workflows
Some roles activate immediately when you request them, while others require manager or administrator approval. The command output indicates the current status.
If approval is required, you'll see Status: pending. Use grantflow activations list to monitor the request's progress. Approvers receive notifications and can review your request using the web interface or the CLI approval commands.
Account Association
For roles that grant access to specific managed accounts, you can optionally specify which account you need. This helps administrators track credential usage and ensures you receive access to the correct system.
grantflow activations list
View all activation requests, including pending, approved, and denied requests. This command shows the current state of your access requests and active role assignments.
Usage
grantflow activations list [--output table|json|yaml]
Parameters
- --output - Output format (default: table)
Example
$ grantflow activations list
ID       USER_ID   REQUESTED_BY  ROLE_ID     STATUS    PROVISIONING_STATUS  CREATED_AT
act-001  user-123  john.doe      role-dba    pending   -                    2024-10-24T11:00:00Z
act-002  user-456  jane.smith    role-admin  approved  provisioned          2024-10-24T10:30:00Z
act-003  user-789  bob.johnson   role-azure  denied    -                    2024-10-24T09:15:00Z
Understanding Request Status
The status column indicates where your request sits in the approval workflow:
A pending request awaits approval from a designated approver. The request remains in this state until someone reviews it. If you submitted the request in error, you can cancel it using grantflow activations cancel.
An approved request has passed through the approval workflow and moves into the provisioning phase. The provisioning status column shows whether the system has actually granted the privileges yet. This process usually completes within seconds, but complex roles touching multiple systems may take longer.
A denied request means an approver rejected your access request. The web interface shows the approver's reason for denial, which can help you understand what information was missing or why the request didn't align with policy.
Active Activations
Approved requests with a provisioned status represent your currently active role assignments. These remain active until their duration expires or you deactivate them manually through the web interface.
The CLI currently supports viewing and requesting activations but not manual deactivation. Use the web interface to end an active session early.
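The status rules above applied to the table output of grantflow activations list, as an added example that is not GrantFlow's own code. It assumes whitespace-separated columns with no spaces inside a value; the act-004 row and its provisioning value are constructed, as are the function names.

```shell
#!/bin/sh
# Added example: classify rows of `grantflow activations list` (table output).
# Assumes whitespace-separated columns with no spaces inside a value.

# Constructed sample: the rows shown above plus act-004, a constructed row
# that is approved but whose provisioning has not completed.
sample_list() {
cat <<'EOF'
ID       USER_ID   REQUESTED_BY  ROLE_ID     STATUS    PROVISIONING_STATUS  CREATED_AT
act-001  user-123  john.doe      role-dba    pending   -                    2024-10-24T11:00:00Z
act-002  user-456  jane.smith    role-admin  approved  provisioned          2024-10-24T10:30:00Z
act-003  user-789  bob.johnson   role-azure  denied    -                    2024-10-24T09:15:00Z
act-004  user-123  john.doe      role-admin  approved  provisioning         2024-10-24T11:05:00Z
EOF
}

# Reads the table on stdin and prints "<id> <role-id> <state>" per request.
# Columns are located by header name, so a reordered table still parses.
classify_activations() {
  awk '
    NR == 1 {
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!(("ID" in col) && ("ROLE_ID" in col) &&
            ("STATUS" in col) && ("PROVISIONING_STATUS" in col))) {
        print "unexpected header: " $0 > "/dev/stderr"; exit 2
      }
      next
    }
    NF == 0 { next }
    {
      status = $(col["STATUS"]); prov = $(col["PROVISIONING_STATUS"])
      if (status == "approved" && prov == "provisioned") state = "active"
      else if (status == "approved") state = "approved-not-provisioned"
      else if (status == "pending" || status == "denied") state = status
      else state = "unknown"
      print $(col["ID"]), $(col["ROLE_ID"]), state
    }'
}

# IDs of active role assignments: approved AND provisioned.
active_ids() { classify_activations | awk '$3 == "active" { print $1 }'; }

sample_list | classify_activations
```

Against a live deployment, pipe the real command instead of the sample: grantflow activations list | active_ids.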
grantflow activations cancel
Cancel a pending activation request before it's reviewed. Once a request is approved or denied, you cannot cancel it.
Usage
grantflow activations cancel <activation-id>
Parameters
- <activation-id> (required) - The ID of the activation request to cancel
Example
$ grantflow activations cancel act-20241024-abc123
✓ Activation cancelled successfully
When to Cancel
You might cancel a request if you submitted it by mistake, if you no longer need the access, or if you want to resubmit with different parameters.
Canceling removes the request from the approval queue. If you need access again later, submit a new request using grantflow activations request.
Canceling Active Activations
If your activation is already approved and provisioned, canceling it will revoke your access immediately. The system deprovisions the role assignment, which may take a few seconds depending on the target system.
grantflow activations approve
Approve a pending activation request. This command is only available to users assigned as approvers in the relevant approval policy.
Usage
grantflow activations approve <activation-id> [--comment <approval-comment>]
Parameters
- <activation-id> (required) - The ID of the activation request to approve
- --comment - Optional comment explaining the approval decision
Example
$ grantflow activations approve act-20241024-abc123 \
--comment "Approved for emergency incident response per on-call procedures"
✓ Activation approved successfully
Approver Responsibilities
As an approver, you're responsible for verifying that access requests align with business needs and security policies. Review the requester's justification carefully and confirm they have a legitimate need for the privileged access.
The comment you provide becomes part of the audit trail and helps document the approval decision. This is especially important for high-risk roles or unusual requests.
Only approve requests you're confident are appropriate. When in doubt, contact the requester for clarification before approving.
Approval Workflow
Once you approve a request, the system begins provisioning the role assignment. The requester receives a notification and can begin using the privileges within seconds.
If multiple approvers are required by policy, your approval may not immediately grant access. The request advances to the next approval stage or waits for other approvers in the same stage.
grantflow activations deny
Deny a pending activation request. Like the approve command, this is only available to designated approvers.
Usage
grantflow activations deny <activation-id> --reason <denial-reason>
Parameters
- <activation-id> (required) - The ID of the activation request to deny
- --reason (required) - Explanation for the denial
Example
$ grantflow activations deny act-20241024-abc123 \
--reason "Insufficient business justification provided. Please resubmit with incident ticket number."
✓ Activation denied successfully
Providing Feedback
Always provide a clear reason when denying requests. This helps the requester understand what was missing and how to improve future requests. Common denial reasons include:
- Insufficient justification or missing ticket references
- Request duration exceeds what's necessary for the stated purpose
- Alternative lower-privilege options are available
- Request doesn't align with change control windows
- Requester hasn't completed required training
The requester can see your reason in the web interface and can submit a new request addressing your feedback.
Viewing Request Details
For more detailed information about an activation request beyond what the list command shows, use the web interface. The Activity Log page displays the full request history, approval chain, provisioning status, and any associated comments.
You can access it by navigating to Activity Log in the GrantFlow web portal.
Related Topics
- Role Commands - Discover available roles
- Account Commands - Check out managed accounts
- Requests & Approvals - Web interface for activation workflows
- Audit Commands - View activation history