Integration for Slack
Last modified on April 4, 2024
This feature is part of the Enterprise bundle. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.
StrongDM’s integration for Slack, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. This integration for Slack gives users the ability to easily request access to the resources they need without opening another application. It gives approvers another way to not only be notified, but also to easily respond to requests that require manual approval.
Administrator Configuration
Before the integration can be used, you need to connect StrongDM to your Slack workspace and grant permissions. To configure the app for Slack for your organization, go to the Admin UI > Settings > Integrations and under Slack, click Connect. The next screen begins guiding you through permissions that must be granted and then through the process to set up the integration with your Slack workspace.
Once the Slack setup process is complete, the StrongDM app for Slack becomes available for use by users of your Slack workspace.
From the Integrations page you can also disconnect an integration at any time. In the list of currently configured integrations, you can click the Disconnect button to remove that integration from your StrongDM organization.
StrongDM Commands for Slack
| Command | Description |
|---|---|
/sdm | Present options |
/sdm authorize | Present an Authorize button to the user |
/sdm access catalog | Display resource catalog |
/sdm deauthorize | Deauthorize the user |
/sdm access pending | Display list of requests with the status “Pending” |
/sdm access requests | Display list of requests |
/sdm access to | Directly request access in the format /sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>] |
/sdm access usage | Display usage help (also displays for any unrecognized command) |
Set up the App
In order to use StrongDM to request access and respond to requests, each user must authorize the integration using their StrongDM user account. To authorize the integration, follow these steps.
- In any Slack channel, type
/sdm authorizeto begin. The StrongDM app for Slack responds indicating that the integration needs authorization:
Authorization Required
If you have not yet authorized the connection between your StrongDM user and your Slack user account, entering any /sdm commands will result in the same response.
Before doing anything else, make sure you are signed in, from your web browser, to the organization you are authorizing.
If you are already signed in to a different Slack workspace in the browser, but not the workspace you are trying to authorize the integration for, you’ll need to switch to the intended Slack workspace. You can do so from the Slack authorization screen that explains the permissions you are granting. At the top right corner of that screen, click the dropdown to view the workplaces that you are currently signed in to. Select the correct workspace or click Add and sign in to the intended Slack workspace.Click the Authorize button. You will be guided through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace.
When done, the StrongDM app for Slack indicates a successful authorization and gives options for how to use the integration.
In this message, and any time in the future that the /sdm command is run, the response contains the following buttons:
- Approval Requests shows a list of requests that are awaiting approval by you or another eligible approver. This button is also shown at the top of the Home tab.
- Catalog displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request.
- My Requests shows a list of the requests that you have submitted. This button is also shown at the top of the Home tab.
- Usage lets you view usage instructions at any time and does the same as the command
/sdm help.
Resource Catalog
Click the Catalog button (or run the command /sdm access) to search the resource catalog. Items that you already have access to do not have a Request Access button next to them.
You can search using Name, Type, or Tag (described in the response table below), but you can also search by the Access type:
- Any returns the catalog list, including resources that you already have access to via a different request, those that you have access to via your other roles already, and resources with a pending request from you.
- Available filters the results to include only resources that are currently available to you to request access to via a workflow (that you do not already have access to or pending requests for).
- Granted by Role filters the results to include only resources for which you have already been granted access by a role, rather than by requests through workflows.
- Granted Temporarily filters the results to include only resources for which you have already been granted temporary access, rather than by requests through workflows.
- Pending filters the results to include only resources for which you currently have pending requests.
Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.
Each item in the response includes the following properties, where relevant:
| Property | Description |
|---|---|
| Availability | Whether the resource is available to request, or already granted by a role |
| Credentials | Whether the resource uses leased credentials or secret stores |
| ID | ID of the resource |
| Name | Name of the resource |
| Tags | Resource tag keys and values |
| Type | Resource type |
Make a request
Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.
If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.
You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):
/sdm access to <YOUR_RESOURCE> [for <YOUR_DURATION>] [because <YOUR_REASON>]
For example:
/sdm access to rs-3454897454b8ed24 for 3h because testing reasons
- The value of
<YOUR_RESOURCE>can be either your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource. - The value of
<YOUR_DURATION>is the number of days (d), hours (h), or minutes (m). For example:15dor3hor10m. This argument is optional as an argument in the command, but all requests require a duration. - The value of
<YOUR_REASON>should be a sufficient reason that an approver (or later auditor) will be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.
/sdm access to command is used but the optional duration and reason arguments are not provided, the Slack modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.View and Respond to Requests
Click the Approval Requests button (or run the command /sdm access approval requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.
Each request listed contains the following properties:
| Property | Description |
|---|---|
| Duration | Length of time for which access was requested |
| Reason | Reason stated for the request |
| Requester | Name of the requester |
| RequestID | Unique ID of the request; click to open the request in the Admin UI |
| Start | Date and time the access is to begin |
| Status | Pending, Approved, Denied, Revoked |
| Submitted | Date and time the request was submitted |
| Workflow | Name of the workflow via which the request is being made |
If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you to immediately click to approve or deny the request without opening the list.
If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.
Receive Notifications About Requests
You can set up public channel Slack notifications about access requests by inviting the StrongDM integration (bot) for Slack to a channel. When it’s in the channel, it will pin itself to the channel. Any requests made will announce themselves in the channel, including approve and deny buttons (which only produce results if you are an approver).
Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.