Skip to main content
Version: v4.15

Request and approve data access in Slack with Cyral chatops

Users want to be able to request access to any data in any repository, and get a quick approval. Administrators need to be able to handle these requests efficiently, granting appropriate access and knowing that each access grant will expire when it's no longer needed. Cyral's just-in-time access feature lets you do this.

Users chat with Cyral's app (chatbot) in Slack to request access. Approvals can be automatic or can require an administrator's approval, based on your preferences. This type of access grant is available for SSO-authenticated users.

Set up just-in-time access

Set up local accounts to support just-in-time access

  1. Set up one or more local accounts on your repository and add them to Cyral. These are the native accounts used to connect users to the repository.
  2. Optional: If this local account will be used to service requests to the repository as a whole (requests that don't specify which tables or collections the user wants to access), then you have the option of setting up auto-approvals:
    • In the Auto Approval section, toggle the checkbox on.
    • In the fields just below that, specify the maximum duration that the user can request and still have their request auto approved.
  3. Click Track.

Specify the data locations that users can request access to

Follow the instructions in Add or edit a Data Map to create a Data Map that includes the data locations (for example, tables and columns) that users will be able to request access to.

Once you define a local account for the repository, the columns listed in your Data Map will be made available in the Sensitive Resources field of the Cyral chatbot so that users can request access to them.

Here's an example Data Map entry for a repo called customer-accts-pg:

CS_SLACKBOT_ACCESS:
attributes:
- cs.customer.city
- cs.customer.id
- cs.customer.name
- cs.customer.zip_code

Set up default deny rules

To ensure users will have access only to those data locations they've requested through the chatbot, set up your standing policies so that, by default, those policies deny access for the users and groups who use the chatbot. When any of these users gets access through the chatbot, their grant overrides the default deny rules.

Provide Cyral user permissions

Both the requesters and the approvers who use the chatbot must have appropriate permissions in Cyral to interact with repositories and their details. In most installations,

  • requesters are SSO users mapped to the User role in Cyral; and
  • approvers are SSO users mapped to the Admin role.

If you're using the standard User and Admin roles as described above, no further permissions setup steps are needed.

If your Cyral installation does not use the standard role mappings, set up the account mappings shown below. (For more details, see Map an SSO group to a Cyral administrator role.)

  1. Map the SSO accounts of all requesters to a role with the following permissions in Cyral. (These are provided in the pre-configured User role)
    • View Sidecars and Repositories
    • View Datamaps
  2. Map the SSO accounts of all approvers to a role with the following permissions in Cyral. (All of these are provided in the pre-configured Admin role.)
    • View Sidecars and Repositories
    • View Datamaps
    • Modify Sidecars and Repositories
    • Modify Policies

Add the Cyral Slack app​

Install the Cyral Slack app​ (chatbot) in your Slack instance:

  1. Open the Cyral management console and navigate to the Integrations page.
  2. On the Slack Bot tile, click Configure.
  3. Click Add to Slack.
  4. Choose the desired Slack channel when prompted. See Add the Cyral Slack app for details.

Once you've added the chatbot in Slack, you're ready to start handling access requests.

tip

Each repository that will support access requests via Slack needs to have SSO enabled in Cyral.

Audit just-in-time access

In the Audit Logs section of the Cyral control plane UI, you can track the following events related to access requests, approvals, and denials:

  • Requests for data access
  • Administrator approvals of data access requests
  • Automatic approvals of data access requests
  • Denials of data access requests
  • Revocations of data access requests

Here's an example entry for an approved access request:

{
"approver": "rdiez@cyral.com",
"duration": "1h",
"localAccount": "bob",
"repo": "rafael-pg",
"requester": "jlo@cyral.com",
"sensitiveResources": [
"public.slackbot_demo.city",
"public.slackbot_demo.id"
],
"source": "slack",
"status": "success"
}