# Access Monitoring Rule Resource Reference

Access monitoring rules allow cluster administrators to monitor Access Requests and to apply notification routing and automatic review rules to them.

```yaml
kind: access_monitoring_rule
version: v1
metadata:
  name: example_rule
spec:
  # subjects specifies the kinds of subjects to monitor.
  # Possible values: "access_request"
  subjects:
  - access_request

  # condition specifies the conditions that should be met to apply the access
  # monitoring rule. The condition accepts a predicate expression which must
  # evaluate to a boolean value.
  #
  # This condition would be satisfied if:
  # - `access` role is requested
  # - all requested resources have the label `env: dev`
  # - requesting user has the `team: dev` user trait.
  condition: |-
    contains_all(set("access"), access_request.spec.roles) &&
    access_request.spec.resource_labels_intersection["env"].contains("dev") &&
    contains_any(user.traits["team"], set("dev"))

  # Optional: desired_state specifies the desired reconciled state of the access
  # request after the rule is applied. This field must be set to "reviewed" to
  # enable automatic reviews.
  # Possible values: "reviewed".
  desired_state: reviewed

  # Optional: automatic_review configures the automatic review rules.
  automatic_review:
    # integration specifies the name of an external integration source used to
    # help determine if a requesting user satisfies the rule conditions.
    # Use "builtin" to specify no external integration.
    # Possible values: "builtin"
    integration: builtin

    # decision determines whether to automatically approve or deny the
    # access request.
    # Possible values: "APPROVED" or "DENIED"
    decision: APPROVED

  # Optional: notification configures notification routing rules.
  notification:
    # name specifies the external integration to which the notifications should
    # be routed.
    # Possible values: "email", "discord", "slack", "pagerduty", "jira",
    # "mattermost", "msteams", "opsgenie", "servicenow", "datadog"
    name: email

    # recipients specifies the list of recipients to be notified when the
    # access monitoring rule is applied.
    recipients:
    - example@goteleport.com
```

Accepted fields within the condition predicate expression:

| Field                                               | Description                                                         |
| --------------------------------------------------- | ------------------------------------------------------------------- |
| `access_request.spec.roles`                         | The set of roles requested.                                         |
| `access_request.spec.suggested_reviewers`           | The set of reviewers specified in the request.                      |
| `access_request.spec.system_annotations`            | A map of system annotations on the request.                         |
| `access_request.spec.user`                          | The requesting user.                                                |
| `access_request.spec.request_reason`                | The request reason.                                                 |
| `access_request.spec.creation_time`                 | The creation time of the request.                                   |
| `access_request.spec.expiry`                        | The expiry time of the request.                                     |
| `access_request.spec.resource_labels_intersection`  | A map containing the intersection of all requested resource labels. |
| `access_request.spec.resource_labels_union`         | A map containing the union of all requested resource labels.        |
| `user.traits`                                       | A map of traits of the requesting user.                             |

See [Predicate Language](https://goteleport.com/docs/reference/access-controls/predicate-language.md) for more details.
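The following Python model, added here as an illustration and not code from Teleport, walks through how the example rule's condition evaluates against a request. It reads the same fields the table lists, and it shows why the example uses `resource_labels_intersection` rather than `resource_labels_union` when the rule is paired with an automatic `APPROVED` decision: with the intersection, a request that bundles a `prod` resource alongside `dev` ones does not match, so it is not auto-approved. The dataclasses, the `LabelMap` shape (label key to set of values) and the direction of `contains_all`/`contains_any` ("the first set contains all/any elements of the second") are assumptions made for this model; confirm the helper semantics against the Predicate Language reference before relying on them.

```python
"""Model of the example access_monitoring_rule condition.

Assumed semantics for illustration only; this is not Teleport's evaluator.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: label maps carry a set of values per key.
LabelMap = Dict[str, Set[str]]


@dataclass
class RequestedResource:
    name: str
    labels: Dict[str, str]


@dataclass
class AccessRequest:
    # Mirrors the access_request.spec.* fields the condition reads.
    user: str
    roles: Set[str]
    resources: List[RequestedResource]


def resource_labels_intersection(resources: List[RequestedResource]) -> LabelMap:
    """Label values shared by every requested resource (model of
    access_request.spec.resource_labels_intersection). A key survives only if
    all resources carry it, and only with the values they all agree on."""
    if not resources:
        return {}
    common: LabelMap = {k: {v} for k, v in resources[0].labels.items()}
    for res in resources[1:]:
        common = {
            k: vals & {res.labels[k]}
            for k, vals in common.items()
            if k in res.labels and vals & {res.labels[k]}
        }
    return common


def resource_labels_union(resources: List[RequestedResource]) -> LabelMap:
    """Every label key on any requested resource, with every value seen
    (model of access_request.spec.resource_labels_union)."""
    union: LabelMap = {}
    for res in resources:
        for k, v in res.labels.items():
            union.setdefault(k, set()).add(v)
    return union


# Assumed helper semantics: "first set contains all / any of the second".
def contains_all(first: Set[str], second: Set[str]) -> bool:
    return second <= first


def contains_any(first: Set[str], second: Set[str]) -> bool:
    return bool(first & second)


def example_condition(req: AccessRequest, user_traits: Dict[str, Set[str]]) -> bool:
    """The YAML condition from the example rule, evaluated in Python."""
    labels = resource_labels_intersection(req.resources)
    return (
        contains_all({"access"}, req.roles)           # "access" role is requested
        and "dev" in labels.get("env", set())         # every resource is env: dev
        and contains_any(user_traits.get("team", set()), {"dev"})  # team: dev trait
    )


# Constructed sample inputs (not real Teleport data).
DEV_TRAITS = {"team": {"dev"}}

ALL_DEV = AccessRequest(
    user="alice",
    roles={"access"},
    resources=[
        RequestedResource("db-dev-1", {"env": "dev", "tier": "db"}),
        RequestedResource("db-dev-2", {"env": "dev", "tier": "db"}),
    ],
)

# Same user and role, but one prod resource is bundled into the request.
MIXED_ENV = AccessRequest(
    user="alice",
    roles={"access"},
    resources=[
        RequestedResource("db-dev-1", {"env": "dev", "tier": "db"}),
        RequestedResource("db-prod-1", {"env": "prod", "tier": "db"}),
    ],
)

if __name__ == "__main__":
    print("all-dev request matches:", example_condition(ALL_DEV, DEV_TRAITS))
    print("mixed-env request matches:", example_condition(MIXED_ENV, DEV_TRAITS))
    print("mixed-env label union:", resource_labels_union(MIXED_ENV.resources))
```

Running the script shows the all-dev request matching and the mixed-env request not matching, because the `env` key drops out of the intersection as soon as one resource disagrees. The union for the mixed request still reports `env` as `{dev, prod}`, so a condition written against `resource_labels_union["env"].contains("dev")` would have matched and, combined with `decision: APPROVED`, would have auto-approved access to the prod resource.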
