Version: v4.17

Schedule repository access for on-call users

On-call engineers and staff often need access to production data and other repositories, but the sensitive nature of these repositories means that each person's access grant should remain open only during their on-call rotation.

You can automate on-call access grants by linking Cyral with your on-call management system. When you do this, you'll combine authentication from your identity platform with scheduling from your on-call management system and repository access enforcement from Cyral.

Prerequisites

Create an access rule tied to your team's on-call schedule

  1. In the Cyral control plane UI, click Data Repos in the left navigation bar, click the name of your repository, and click the Access Rules tab.

  2. Follow the instructions in Add an access rule, taking care to:

    • Click the name of the database account that your on-call users will use for connecting.

    • Click Add Rule.

    • In the SSO Group section, specify the name of the SSO group that contains your on-call team. Alternatively, you may choose SSO User and specify an SSO user name. Use the group name or user name as it's written in your identity service.

    • In the When is this access permitted? section, you can typically set it to Always because the on-call schedule will limit access to only the periods when the user is actively on-call.

    • Expand the Additional Access Restrictions section, open the On-Call Access drop-down list, and choose the name of your on-call management system integration.

    • Click Add Rule.

Your on-call access control setup for this repository is complete.

Check if on-call access control is enabled for any users of a repository

You can check whether on-call access control is active for any repository by opening the Data Repos page, clicking the name of the repository, and clicking the Access Rules tab. For each user and group on the repository, the Access Rules section lists the rules. Check the Conditions column to see whether an on-call management system has been set up to limit access. The P icon in the example below shows that a PagerDuty on-call schedule is in use.

How on-call users connect to a repository

An on-call user can connect to their configured repositories during their on-call rotation. Users connect as usual, using the Cyral Access Portal.

Tip: Once a user's current on-call period ends, any existing connection they have to a repository will be closed.

See also the repo connection instructions for more details on manually connecting to repositories.