Schedule repository access for on-call users
On-call engineers and staff often need access to production data and other repositories, but the sensitive nature of these repositories means that each person's access grant should remain open only during their on-call rotation.
You can automate on-call access grants by linking Cyral with your incident management system. When you do this, you'll combine authentication from your identity platform with scheduling from your incident management system and repository access enforcement from Cyral.
Prerequisites
- Set up on-call schedules in your incident management system, like PagerDuty
- Connect your incident management system to Cyral
Create an SSO mapping tied to your team's on-call schedule
In the Data Repos page of the Cyral control plane UI, click the name of the repository whose access you wish to manage. Click the Identity to Account Map tab, and click the plus sign.
Choose Group as the Identity Type, and in the Identity field, specify the name of the SSO group that contains your on-call team. Alternatively, you may choose User and specify an SSO user name. Enter the group name or user name exactly as it is written in your identity service; the mapping matches on that name.
In the Local Account field, choose the name of the native repository account that your on-call team will use to connect, as configured in Cyral. (For details, see SSO authentication for your users.)
In the Duration field, set a length of validity for the mapping, or click Unlimited to create a mapping that will not expire automatically. The duration bounds the mapping itself; the on-call restriction in the next step further narrows when a matching user can actually connect.
In the on-call section, click Restrict access to on-call hours and choose the name of the incident management system integration you saved in Cyral. For setup details, see the incident management system integration instructions.
Click Create.
Your on-call access control setup for this repository is complete. You can check whether on-call access control is active for any repository by clicking the Data Repos page, clicking the name of the repository, and clicking the Identity to Account Map tab. For each user and group on the repository, the Authorization Policy column shows whether an on-call management system has been set up to limit access.
How on-call users connect to a repository
An on-call user can connect to their configured repositories during their on-call rotation; outside that period the on-call-restricted mapping grants no access. Users connect as usual, using the Cyral Access Portal.
tip
Once a user's current on-call period ends, any existing connection they opened through an on-call-restricted mapping is closed. The user can reconnect only when they are on call again.
See also the repo connection instructions for more details on manually connecting to repositories.
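The following is an added example, not Cyral's code: a stand-alone simulation of the access decision the procedure above configures, combining the SSO identity match, the mapping's Duration, and the on-call check into one evaluation, plus the re-check that closes a session once the on-call period ends (the behaviour the tip describes). The `AccountMapping` fields mirror the UI fields; `INTEGRATIONS` (integration name to schedule id), the shape of `ONCALLS` (modelled on a PagerDuty-style `/oncalls` payload), and the shift data are assumptions and constructed sample input, not anything the page or the product guarantees.

```python
"""Simulation of the on-call access decision described on this page.

Added example, not Cyral's code. AccountMapping mirrors the UI fields
(Identity Type, Identity, Local Account, Duration, on-call restriction);
INTEGRATIONS and the shape of ONCALLS are assumptions, and the shift data
is constructed sample input.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass(frozen=True)
class AccountMapping:
    identity_type: str                  # "Group" or "User", as in the UI
    identity: str                       # group/user name exactly as the IdP writes it
    local_account: str                  # native repository account to connect as
    expires_at: Optional[datetime]      # None == "Unlimited" duration
    oncall_integration: Optional[str]   # None == not restricted to on-call hours


# Assumption: each saved integration resolves to one schedule in the IM system.
INTEGRATIONS: Dict[str, str] = {"pagerduty-prod": "PSCHED1"}

# Constructed sample: alice holds the day shift, bob the night shift; carol
# is in the SSO group but has no shift at all.
ONCALLS: Dict = {"oncalls": [
    {"user": {"summary": "alice@example.com"}, "schedule": {"id": "PSCHED1"},
     "start": "2024-05-01T08:00:00Z", "end": "2024-05-01T20:00:00Z"},
    {"user": {"summary": "bob@example.com"}, "schedule": {"id": "PSCHED1"},
     "start": "2024-05-01T20:00:00Z", "end": "2024-05-02T08:00:00Z"},
]}


def is_on_call(oncalls: Dict, user: str, schedule_id: str, at: datetime) -> bool:
    """True if `user` holds a shift on `schedule_id` covering the instant `at`.

    The end bound is exclusive: the user is off call the moment the shift ends.
    """
    for shift in oncalls.get("oncalls", []):
        if shift["user"]["summary"] != user or shift["schedule"]["id"] != schedule_id:
            continue
        if _ts(shift["start"]) <= at < _ts(shift["end"]):
            return True
    return False


def identity_matches(mapping: AccountMapping, user: str, groups: Set[str]) -> bool:
    """Match the SSO identity the way the UI's Identity Type selects it."""
    if mapping.identity_type == "User":
        return mapping.identity == user
    if mapping.identity_type == "Group":
        return mapping.identity in groups
    return False


def access_decision(mapping: AccountMapping, user: str, groups: Set[str],
                    oncalls: Dict, at: datetime) -> Tuple[bool, str]:
    """Evaluate one Identity-to-Account mapping for `user` at time `at`.

    All conditions must hold: the SSO identity matches, the mapping's Duration
    has not run out, and (if restricted) the user is currently on call.
    """
    if not identity_matches(mapping, user, groups):
        return False, "identity is not mapped to this local account"
    if mapping.expires_at is not None and at >= mapping.expires_at:
        return False, "mapping duration has expired"
    if mapping.oncall_integration is not None:
        schedule = INTEGRATIONS[mapping.oncall_integration]
        if not is_on_call(oncalls, user, schedule, at):
            return False, f"not on call per {mapping.oncall_integration}"
    return True, f"connect as {mapping.local_account}"


def connections_to_close(active: List[Tuple[str, Set[str], AccountMapping]],
                         oncalls: Dict, at: datetime) -> List[str]:
    """Re-evaluate open sessions and return the users whose session must close.

    An established connection does not outlive the on-call period that
    authorised it, so every session is re-checked against the schedule.
    """
    return [user for user, groups, mapping in active
            if not access_decision(mapping, user, groups, oncalls, at)[0]]


if __name__ == "__main__":
    m = AccountMapping("Group", "oncall-dba", "oncall_ro", None, "pagerduty-prod")
    print(access_decision(m, "alice@example.com", {"oncall-dba"}, ONCALLS,
                          _ts("2024-05-01T10:00:00Z")))
    print(connections_to_close([("alice@example.com", {"oncall-dba"}, m)],
                               ONCALLS, _ts("2024-05-01T20:30:00Z")))
```

The order of the checks matters in practice: the identity match and the Duration are properties of the mapping and can be evaluated without contacting the incident management system, so a revoked or expired mapping denies access even if the schedule lookup is unavailable; the schedule is consulted last and is the only input that changes from one connection attempt to the next.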