Slack Integration

Last modified on September 21, 2023

StrongDM’s Slack integration, when paired with the Access Workflows feature, allows you to browse the resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. This integration gives users the ability to easily request access to the resources they need without opening another application. It gives approvers another way to not only be notified, but also to easily respond to requests that require manual approval.

Administrator Configuration

Before the integration can be used, you need to connect StrongDM to your Slack workspace and grant permissions. To configure the Slack integration for your organization, go to the Admin UI > Settings > Integrations and under Slack, click Connect. The next screen begins walking through permissions that must be granted, and it guides you through the process to set up the integration with your Slack workspace.

Configuring the Slack Integration for Your Organization
Configuring the Slack Integration for Your Organization

Once the Slack setup process is complete, the StrongDM app becomes available for use by users of your Slack workspace.

From the Integrations page you can also disconnect an integration at any time. In the list of currently configured integrations, you can click the Disconnect button to remove that integration from your StrongDM organization.

StrongDM Slack Commands Reference

CommandDescription
/sdmPresent options
/sdm authorizePresent an Authorize button to the user
/sdm access catalogDisplay resource catalog
/sdm deauthorizeDeauthorize the user
/sdm access pendingDisplay list of requests with the status “Pending”
/sdm access requestsDisplay list of requests
/sdm access toDirectly request access in the format /sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]
/sdm access usageDisplay usage help (also displays for any unrecognized command)

Set up the App

In order to get started using StrongDM to request access and respond to requests, each user must authorize the integration using their StrongDM user account. In any Slack channel, you may type /sdm authorize to begin. The StrongDM app responds indicating that the integration needs authorization:

The Slack App Requires Authorization
The Slack App Requires Authorization

Clicking the Authorize button takes you through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace.

Afterward, the StrongDM app in Slack indicates a successful authorization and gives options for how to use the integration.

Slack App Authorization Successful
Slack App Authorization Successful

In this message, and any time in the future that the /sdm command is run, the response contains three different buttons:

  • Catalog displays a resource catalog containing all resources that are available for you to request.
  • Requests generates a list of requests that you may view and respond to.
  • Usage lets you view usage instructions at any time and does the same as the command /sdm help.

Resource Catalog

Click the Catalog button (or run the command /sdm access catalog) to display the resource catalog. This is a list of all resources that you could request access to (including those that you already have access to via your roles). Resources that are available to request access to have a Request Access button next to them.

Each item in the response includes the following properties, where relevant:

PropertyDescription
NameName of the resource
IDID of the resource
AvailabilityWhether the resource is available to request, or already granted by a role
TypeResource type
CredentialsWhether the resource uses leased credentials or secret stores
TagsResource tag keys and values

Filter the catalog

When using /sdm access catalog you may also append filters. For example:

/sdm access catalog type:mysql

or

/sdm access catalog tag:env=dev

For more information about the access catalog, view the Catalog section in the Access Requests page.

Make a request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.

Slack App Access Request Form
Slack App Access Request Form

If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.

You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):

/sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]

For example:

/sdm access to rs-3454897454b8ed24 for 3h because testing reasons

  • The value of <YOUR_RESOURCE> can either be your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource.
  • The value of <YOUR_DURATION> is the number of hours (h) or a number of minutes (m). For example: 3h or 10m). This argument is optional as an argument in the command, but all requests require a duration.
  • The value of <YOUR_REASON> should be a sufficient reason that an approver (or later auditor) will be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

View and Respond to Requests

Click the Requests button (or run the command /sdm access requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.

Each request listed contains the following properties:

PropertyDescription
RequestIDUnique ID of the request; click to open the request in the Admin UI
SubmittedDate and time the request was submitted
StartDate and time the access is to begin
WorkflowName of the workflow via which the request is being made
RequesterName of the requester
StatusPending, Approved, Denied, Revoked
DurationLength of time for which access was requested
ReasonReason stated for the request

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.

Filter the requests

When using /sdm access requests you may also append filters. For example:

/sdm access requests type:mysql

or

/sdm access requests tag:env=dev

For more information about access requests, view the Requests section in the Access Requests page.

Top