Request and approve data access in Slack with Cyral chatops
Users want to be able to request access to any data in any repository, and get a quick approval. Administrators need to be able to handle these requests efficiently, granting appropriate access and knowing that each access grant will expire when it's no longer needed. Cyral's just-in-time access feature lets you do this.
Users chat with Cyral's app (chatbot) in Slack to request access. Depending on your preferences, requests can be approved automatically or can require an administrator's approval. This type of access grant is available for SSO-authenticated users.
Set up just-in-time access
Set up local accounts to support just-in-time access
- Set up one or more local accounts on your repository and add them to Cyral. These are the native accounts used to connect users to the repository.
- Optional: If this local account will be used to service requests to the repository as a whole (requests that don't specify which tables or collections the user wants to access), you can set up auto-approvals:
  - In the Auto Approval section, toggle the checkbox on.
  - In the fields just below that, specify the maximum duration that the user can request and still have their request auto-approved.
  - Click Track.
Specify the data locations that users can request access to
Follow the instructions in Add or edit a Data Map to create a Data Map that includes the data locations (for example, tables and columns) that users will be able to request access to.
Once you define a local account for the repository, the columns listed in your Data Map will be made available in the Sensitive Resources field of the Cyral chatbot so that users can request access to them.
Here's an example Data Map entry for a repo called customer-accts-pg:
```yaml
CS_SLACKBOT_ACCESS:
  attributes:
    - cs.customer.city
    - cs.customer.id
    - cs.customer.name
    - cs.customer.zip_code
```
Set up default deny rules
To ensure users will have access only to those data locations they've requested through the chatbot, set up your standing policies so that, by default, those policies deny access for the users and groups who use the chatbot. When any of these users gets access through the chatbot, their grant overrides the default deny rules.
Provide Cyral user permissions
Both the requesters and the approvers who use the chatbot must have appropriate permissions in Cyral to interact with repositories and their details. In most installations,
- requesters are SSO users mapped to the User role in Cyral; and
- approvers are SSO users mapped to the Admin role.
If you're using the standard User and Admin roles as described above, no further permissions setup steps are needed.
If your Cyral installation does not use the standard role mappings, set up the account mappings shown below. (For more details, see Map an SSO group to a Cyral administrator role.)
- Map the SSO accounts of all requesters to a role with the following permissions in Cyral. (These are provided in the pre-configured User role.)
  - View Sidecars and Repositories
  - View Datamaps
- Map the SSO accounts of all approvers to a role with the following permissions in Cyral. (All of these are provided in the pre-configured Admin role.)
  - View Sidecars and Repositories
  - View Datamaps
  - Modify Sidecars and Repositories
  - Modify Policies
Add the Cyral Slack app
Install the Cyral Slack app (chatbot) in your Slack instance:
- Open the Cyral management console and navigate to the Integrations page.
- On the Slack Bot tile, click Configure.
- Click Add to Slack.
- Choose the desired Slack channel when prompted. See Add the Cyral Slack app for details.
Once you've added the chatbot in Slack, you're ready to start handling access requests.
Tip: Each repository that will support access requests via Slack needs to have SSO enabled in Cyral.
Audit just-in-time access
In the Audit Logs section of the Cyral control plane UI, you can track the following events related to access requests, approvals, and denials:
- Requests for data access
- Administrator approvals of data access requests
- Automatic approvals of data access requests
- Denials of data access requests
- Revocations of data access requests
Here's an example entry for an approved access request:
```json
{
  "approver": "rdiez@cyral.com",
  "duration": "1h",
  "localAccount": "bob",
  "repo": "rafael-pg",
  "requester": "jlo@cyral.com",
  "sensitiveResources": [
    "public.slackbot_demo.city",
    "public.slackbot_demo.id"
  ],
  "source": "slack",
  "status": "success"
}
```
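As an added example (not Cyral's own tooling), the following Python reviews a batch of audit entries in the format shown above against the Data Map entry from earlier on this page: it flags successful grants that name resources outside the Data Map, whole-repository grants, requests approved by the requester, and durations past a cap. The cap value, the duration suffixes other than `h`, and the sample log lines are constructed assumptions.

```python
import json
import re

# The page's Data Map entry as a dict: exactly these attributes appear in the
# chatbot's Sensitive Resources field, so a grant should never name anything else.
DATA_MAP = {"CS_SLACKBOT_ACCESS": ["cs.customer.city", "cs.customer.id",
                                   "cs.customer.name", "cs.customer.zip_code"]}
MAX_GRANT_SECONDS = 4 * 3600  # longest acceptable grant; assumed value for this example
_DURATION_RE = re.compile(r"^(\d+)([smhd])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'1h' -> 3600. The page shows only an 'h' suffix; s/m/d are an assumed extension."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def review_grant(entry, data_map=DATA_MAP, max_seconds=MAX_GRANT_SECONDS):
    """Findings for one audit entry (empty list = nothing to escalate)."""
    findings = []
    if entry.get("status") != "success":
        return findings  # only a successful grant creates access
    allowed = {attr for attrs in data_map.values() for attr in attrs}
    resources = entry.get("sensitiveResources", [])
    findings += [f"resource outside Data Map: {r}" for r in resources if r not in allowed]
    if not resources:
        findings.append("whole-repository grant (no sensitiveResources listed)")
    if entry.get("approver") == entry.get("requester"):
        findings.append("requester approved their own request")
    if parse_duration(entry["duration"]) > max_seconds:
        findings.append(f"duration {entry['duration']} exceeds {max_seconds}s")
    return findings


def review_log(jsonl):
    """Review newline-delimited JSON audit entries; return [(requester, findings)]."""
    entries = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [(e["requester"], f) for e in entries if (f := review_grant(e))]


# Constructed sample log (not real Cyral output): one clean grant, one that trips three checks.
SAMPLE_LOG = """
{"approver": "admin@example.com", "duration": "1h", "localAccount": "bob", "repo": "customer-accts-pg", "requester": "alice@example.com", "sensitiveResources": ["cs.customer.city", "cs.customer.id"], "source": "slack", "status": "success"}
{"approver": "alice@example.com", "duration": "12h", "localAccount": "bob", "repo": "customer-accts-pg", "requester": "alice@example.com", "sensitiveResources": ["cs.customer.ssn"], "source": "slack", "status": "success"}
"""
```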