Integration for Slack

Last modified on May 11, 2024

StrongDM’s integration for Slack, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. This integration for Slack gives users the ability to easily request access to the resources they need without opening another application. It gives approvers another way to not only be notified, but also to easily respond to requests that require manual approval.

Administrator Configuration

Before the integration can be used, you need to connect StrongDM to your Slack workspace and grant permissions. To configure the app for Slack for your organization, go to the Admin UI > Settings > Integrations and under Slack, click Connect. The next screen begins guiding you through permissions that must be granted and then through the process to set up the integration with your Slack workspace.

Configuration of Integration for Slack
Configuration of Integration for Slack

Once the Slack setup process is complete, the StrongDM app for Slack becomes available for use by users of your Slack workspace.

From the Integrations page you can also disconnect an integration at any time. In the list of currently configured integrations, you can click the Disconnect button to remove that integration from your StrongDM organization.

StrongDM Commands for Slack

/sdmPresent options
/sdm authorizePresent an Authorize button to the user
/sdm access catalogDisplay resource catalog
/sdm deauthorizeDeauthorize the user
/sdm access pendingDisplay list of requests with the status “Pending”
/sdm access requestsDisplay list of requests
/sdm access toDirectly request access in the format /sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]
/sdm access usageDisplay usage help (also displays for any unrecognized command)

Set up the App

In order to use StrongDM to request access and respond to requests, each user must authorize the integration using their StrongDM user account. To authorize the integration, follow these steps.

  1. In any Slack channel, type /sdm authorize to begin. The StrongDM app for Slack responds indicating that the integration needs authorization:
    Authorization Required
    Authorization Required

If you have not yet authorized the connection between your StrongDM user and your Slack user account, entering any /sdm commands will result in the same response.

  1. Before doing anything else, make sure you are signed in, from your web browser, to the organization you are authorizing.

  2. Click the Authorize button. You will be guided through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace.

When done, the StrongDM app for Slack indicates a successful authorization and gives options for how to use the integration.

In this message, and any time in the future that the /sdm command is run, the response contains the following buttons:

  • Approval Requests shows a list of requests that are awaiting approval by you or another eligible approver. This button is also shown at the top of the Home tab.
  • Catalog displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request.
  • My Requests shows a list of the requests that you have submitted. This button is also shown at the top of the Home tab.
  • Usage lets you view usage instructions at any time and does the same as the command /sdm help.

Resource Catalog

Click the Catalog button (or run the command /sdm access) to search the resource catalog. Items that you already have access to do not have a Request Access button next to them.

You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:

  • Any returns the catalog list, including resources that you already have access to via a different request, those that you have access to via your other roles already, and resources with a pending request from you.
  • Available filters the results to include only resources that are currently available to you to request access to via a workflow (that you do not already have access to or pending requests for).
  • Granted by Role filters the results to include only resources for which you have already been granted access by a role, rather than by requests through workflows.
  • Granted Temporarily filters the results to include only resources for which you have already been granted temporary access, rather than by requests through workflows.
  • Pending filters the results to include only resources for which you currently have pending requests.

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

AvailabilityWhether the resource is available to request, or already granted by a role
CredentialsWhether the resource uses leased credentials or secret stores
IDID of the resource
NameName of the resource
TagsResource tag keys and values
TypeResource type

Make a request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.

App for Slack Access Request Form
App for Slack Access Request Form

If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.

You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):

/sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]

For example:

/sdm access to rs-3454897454b8ed24 for 3h because testing reasons

  • The value of <YOUR_RESOURCE> can be either your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource.
  • The value of <YOUR_DURATION> is the number of days (d), hours (h), or minutes (m). For example: 15d or 3h or 10m. This argument is optional as an argument in the command, but all requests require a duration.
  • The value of <YOUR_REASON> should be a sufficient reason that an approver (or later auditor) will be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

View and Respond to Requests

Click the Approval Requests button (or run the command /sdm access approval requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.

Each request listed contains the following properties:

DurationLength of time for which access was requested
ReasonReason stated for the request
RequesterName of the requester
RequestIDUnique ID of the request; click to open the request in the Admin UI
StartDate and time the access is to begin
StatusPending, Approved, Denied, Revoked
SubmittedDate and time the request was submitted
WorkflowName of the workflow via which the request is being made

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.

Receive Notifications About Requests

You can set up Slack channel notifications about access requests by inviting the StrongDM integration (bot) for Slack to a channel (public or private). When it’s in the channel, it will pin itself to the channel.

If a request is made using the Request Access button, the request will announce itself in the channel.

If a request is made using / commands (for example, /sdm access catalog), there are no announcements in the channel.

Request announcements are shown with approve and deny buttons (which only produce results if you are an approver), and they only notify in public channels.

Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.