Slack Integration
Last modified on September 21, 2023
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please reach out to your Customer Success Manager or to Support for more details.
StrongDM’s Slack integration, when paired with the Access Workflows feature, allows you to browse the resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. This integration gives users the ability to easily request access to the resources they need without opening another application. It gives approvers another way to not only be notified, but also to easily respond to requests that require manual approval.
Administrator Configuration
Before the integration can be used, you need to connect StrongDM to your Slack workspace and grant permissions. To configure the Slack integration for your organization, go to the Admin UI > Settings > Integrations and under Slack, click Connect. The next screen begins walking through permissions that must be granted, and it guides you through the process to set up the integration with your Slack workspace.
Once the Slack setup process is complete, the StrongDM app becomes available for use by users of your Slack workspace.
From the Integrations page you can also disconnect an integration at any time. In the list of currently configured integrations, you can click the Disconnect button to remove that integration from your StrongDM organization.
StrongDM Slack Commands Reference
| Command | Description |
|---|---|
/sdm | Present options |
/sdm authorize | Present an Authorize button to the user |
/sdm access catalog | Display resource catalog |
/sdm deauthorize | Deauthorize the user |
/sdm access pending | Display list of requests with the status “Pending” |
/sdm access requests | Display list of requests |
/sdm access to | Directly request access in the format /sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>] |
/sdm access usage | Display usage help (also displays for any unrecognized command) |
Set up the App
In order to get started using StrongDM to request access and respond to requests, each user must authorize the integration using their StrongDM user account. In any Slack channel, you may type /sdm authorize to begin. The StrongDM app responds indicating that the integration needs authorization:
/sdm commands will result in the same response.Clicking the Authorize button takes you through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace.
Afterward, the StrongDM app in Slack indicates a successful authorization and gives options for how to use the integration.
In this message, and any time in the future that the /sdm command is run, the response contains three different buttons:
- Catalog displays a resource catalog containing all resources that are available for you to request.
- Requests generates a list of requests that you may view and respond to.
- Usage lets you view usage instructions at any time and does the same as the command
/sdm help.
Resource Catalog
Click the Catalog button (or run the command /sdm access catalog) to display the resource catalog. This is a list of all resources that you could request access to (including those that you already have access to via your roles). Resources that are available to request access to have a Request Access button next to them.
Each item in the response includes the following properties, where relevant:
| Property | Description |
|---|---|
| Name | Name of the resource |
| ID | ID of the resource |
| Availability | Whether the resource is available to request, or already granted by a role |
| Type | Resource type |
| Credentials | Whether the resource uses leased credentials or secret stores |
| Tags | Resource tag keys and values |
Filter the catalog
When using /sdm access catalog you may also append filters. For example:
/sdm access catalog type:mysql
or
/sdm access catalog tag:env=dev
For more information about the access catalog, view the Catalog section in the Access Requests page.
Make a request
Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.
If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.
You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):
/sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]
For example:
/sdm access to rs-3454897454b8ed24 for 3h because testing reasons
- The value of
<YOUR_RESOURCE>can either be your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource. - The value of
<YOUR_DURATION>is the number of hours (h) or a number of minutes (m). For example:3hor10m). This argument is optional as an argument in the command, but all requests require a duration. - The value of
<YOUR_REASON>should be a sufficient reason that an approver (or later auditor) will be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.
/sdm access to command is used but the optional duration and reason arguments are not provided, the Slack modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.View and Respond to Requests
Click the Requests button (or run the command /sdm access requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.
Each request listed contains the following properties:
| Property | Description |
|---|---|
| RequestID | Unique ID of the request; click to open the request in the Admin UI |
| Submitted | Date and time the request was submitted |
| Start | Date and time the access is to begin |
| Workflow | Name of the workflow via which the request is being made |
| Requester | Name of the requester |
| Status | Pending, Approved, Denied, Revoked |
| Duration | Length of time for which access was requested |
| Reason | Reason stated for the request |
If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you immediately click to approve or deny the request without opening the list.
If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.
Filter the requests
When using /sdm access requests you may also append filters. For example:
/sdm access requests type:mysql
or
/sdm access requests tag:env=dev
For more information about access requests, view the Requests section in the Access Requests page.