Integration for Slack

Last modified on February 6, 2024

StrongDM’s integration for Slack, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. This integration for Slack gives users the ability to easily request access to the resources they need without opening another application. It gives approvers another way to not only be notified, but also to easily respond to requests that require manual approval.

Administrator Configuration

Before the integration can be used, you need to connect StrongDM to your Slack workspace and grant permissions. To configure the app for Slack for your organization, go to the Admin UI > Settings > Integrations and under Slack, click Connect. The next screen begins guiding you through permissions that must be granted and then through the process to set up the integration with your Slack workspace.

Configuration of Integration for Slack

Once the Slack setup process is complete, the StrongDM app for Slack becomes available for use by users of your Slack workspace.

From the Integrations page you can also disconnect an integration at any time. In the list of currently configured integrations, you can click the Disconnect button to remove that integration from your StrongDM organization.

StrongDM Commands for Slack

| Command | Description |
| --- | --- |
| /sdm | Present options |
| /sdm authorize | Present an Authorize button to the user |
| /sdm access catalog | Display resource catalog |
| /sdm deauthorize | Deauthorize the user |
| /sdm access pending | Display list of requests with the status “Pending” |
| /sdm access requests | Display list of requests |
| /sdm access to | Directly request access in the format /sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>] |
| /sdm access usage | Display usage help (also displays for any unrecognized command) |

Set up the App

In order to use StrongDM to request access and respond to requests, each user must authorize the integration using their StrongDM user account. To authorize the integration, follow these steps.

  1. In any Slack channel, type /sdm authorize to begin. The StrongDM app for Slack responds indicating that the integration needs authorization:
    Authorization Required

If you have not yet authorized the connection between your StrongDM user and your Slack user account, entering any /sdm commands will result in the same response.

  2. Before doing anything else, make sure you are signed in, from your web browser, to the organization you are authorizing.
  3. Click the Authorize button. You will be guided through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace.

When done, the StrongDM app for Slack indicates a successful authorization and gives options for how to use the integration.

In this message, and any time in the future that the /sdm command is run, the response contains the following buttons:

  • Catalog displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request.
  • Requests generates a list of requests that you may view and respond to.
  • Usage lets you view usage instructions at any time and does the same as the command /sdm help.
  • My Requests shows a curated list of the requests that you have submitted. This button is also shown at the top of the Home tab.
  • Approval Requests shows a curated list of requests that are awaiting approval by you or another eligible approver. This button is also shown at the top of the Home tab.

Resource Catalog

Click the Catalog button (or run the command /sdm access catalog) to search the resource catalog. The Catalog Search lets you search through all the resources that you may request to access, including those that you already have access to via your roles. You can narrow search results or click through the fields to view all available resources.

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

| Property | Description |
| --- | --- |
| Name | Name of the resource |
| ID | ID of the resource |
| Availability | Whether the resource is available to request, or already granted by a role |
| Type | Resource type |
| Credentials | Whether the resource uses leased credentials or secret stores |
| Tags | Resource tag keys and values |

Filter the catalog

When using /sdm access catalog you may also append filters. For example:

/sdm access catalog type:mysql

or

/sdm access catalog tag:env=dev

For more information about the access catalog, view the Catalog section in the Access Requests page.

Make a request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.

App for Slack Access Request Form

If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.

You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):

/sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]

For example:

/sdm access to rs-3454897454b8ed24 for 3h because testing reasons

  • The value of <YOUR_RESOURCE> can either be your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource.
  • The value of <YOUR_DURATION> is the number of days (d), hours (h), or minutes (m). For example: 15d or 3h or 10m. This argument is optional in the command, but all requests require a duration.
  • The value of <YOUR_REASON> should be a sufficient reason that an approver (or later auditor) will be able to understand your need for access and approve. This argument is optional in the command, but all requests require a reason.
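
The command format above can be checked before it is posted or stored in a runbook. The following Python sketch is an added example, not StrongDM code: it splits a command into resource, duration, and reason, and reports which required fields the command leaves out. The function name and the handling of the "for" and "because" keywords are assumptions made for illustration.

```python
import re
from datetime import timedelta

# Units the page documents: days (d), hours (h), minutes (m).
UNITS = {"d": "days", "h": "hours", "m": "minutes"}
PREFIX = re.compile(r"^/sdm\s+access\s+to\s+", re.IGNORECASE)
BECAUSE = re.compile(r"\s+because(?:\s+|$)")
TRAILING_FOR = re.compile(r"^(?P<resource>.+?)\s+for\s+(?P<dur>\d\S*)$")
DURATION = re.compile(r"^(\d+)([dhm])$")


def parse_access_request(text):
    """Split an '/sdm access to' command into resource, duration, reason.

    Assumptions (not StrongDM's parser): the first 'because' starts the
    free-text reason, and 'for <N><unit>' must directly precede it.
    'missing' lists fields the command omits but every request requires.
    """
    text = text.strip()
    prefix = PREFIX.match(text)
    if not prefix:
        raise ValueError("not an '/sdm access to' command")
    parts = BECAUSE.split(text[prefix.end():], maxsplit=1)
    head = parts[0].strip()
    reason = parts[1].strip() if len(parts) > 1 else ""

    resource, duration = head, None
    trailing = TRAILING_FOR.match(head)
    if trailing:
        valid = DURATION.match(trailing.group("dur"))
        if not valid:  # e.g. "3w": looks like a duration, unit not documented
            raise ValueError(f"unsupported duration: {trailing.group('dur')}")
        resource = trailing.group("resource")
        duration = timedelta(**{UNITS[valid.group(2)]: int(valid.group(1))})

    missing = []
    if duration is None:
        missing.append("duration")
    if not reason:
        missing.append("reason")
    return {"resource": resource, "duration": duration,
            "reason": reason or None, "missing": missing}


if __name__ == "__main__":
    # First command is the page's example; the second is constructed.
    for cmd in ("/sdm access to rs-3454897454b8ed24 for 3h because testing reasons",
                "/sdm access to prod db for reporting for 15d"):
        print(parse_access_request(cmd))
```

A non-empty "missing" list means the duration or reason still has to be supplied some other way, since every request requires both.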

View and Respond to Requests

Click the Requests button (or run the command /sdm access requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.

Each request listed contains the following properties:

| Property | Description |
| --- | --- |
| RequestID | Unique ID of the request; click to open the request in the Admin UI |
| Submitted | Date and time the request was submitted |
| Start | Date and time the access is to begin |
| Workflow | Name of the workflow via which the request is being made |
| Requester | Name of the requester |
| Status | Pending, Approved, Denied, Revoked |
| Duration | Length of time for which access was requested |
| Reason | Reason stated for the request |

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.

Filter the requests

When using /sdm access requests you may also append filters. For example:

/sdm access requests type:mysql

or

/sdm access requests tag:env=dev

For more information about access requests, view the Requests section in the Access Requests page.

Receive Notifications About Requests

You can set up Slack notifications about access requests in a public channel by inviting the StrongDM integration (bot) for Slack to that channel. When it’s in the channel, it will pin itself to the channel. Any requests made are announced in the channel with approve and deny buttons (which only produce results if you are an approver).


Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.