Integration With Slack - User Guide

Last modified on November 15, 2024

This feature is part of the Enterprise plan. If it is not enabled for your organization, please contact StrongDM at the StrongDM Help Center.

StrongDM’s integration with Slack, when paired with the Access Workflows feature, allows you to browse the StrongDM resource catalog, request access to resources, and approve or deny such requests (if you’re eligible), all within Slack. In addition, the integration can be added to channels, surfacing requests within a group of potential approvers.

This guide describes how to use the integration to request or approve access. To learn about configuration of the StrongDM integration in your Slack workspace for administrators, see Set up and Configure the Integration With Slack.

Command Reference

The following table contains a reference of the available commands in the integration with Slack. You can click any item to read about it in more depth, or move on to the next section to learn how to connect your StrongDM user to your Slack user and begin making or approving access requests from within Slack.

Command	Description
`/sdm`	Present options
`/sdm access all`	Display entire resource catalog
`/sdm access approval requests`	Display list of requests for which you are an eligible approver
`/sdm access catalog`	Display available items from resource catalog
`/sdm access my requests`	Display list of requests made by you
`/sdm access to`	Directly request access in the format `/sdm access to <RESOURCE_NAME_OR_ID> [for <DURATION>] [because <YOUR_REASON>]`
`/sdm authorize`	Present an Authorize button to the user
`/sdm deauthorize`	Deauthorize the user
`/sdm help`	Display usage help (also displays for any unrecognized command)

You may use these commands in any channel; the responses are only displayed to you. Additionally, you may wish to do your interactions with the StrongDM integration by directly chatting with the StrongDM app in Slack, to be able to easily look back at your interactions in one place.

Authorize the Integration

Once your system administrators have connected StrongDM to Slack and enabled the integration for use, you may link your StrongDM user to your Slack user and get started using Slack for access requests.

First, you must authorize the integration using your StrongDM user account. To authorize the integration, follow these steps.

In any Slack channel, type /sdm authorize to begin. The StrongDM app for Slack responds to you indicating that the integration needs authorization:
Authorization Required
If you have not yet authorized the connection between your StrongDM user and your Slack user account, entering any /sdm commands result in the same response requiring you to authorize the integration.
Before doing anything else, make sure you are signed in, from your web browser, to the organization you are authorizing.
If you are already signed in to a different Slack workspace in the browser, but not the workspace you are trying to authorize the integration for, you’ll need to switch to the intended Slack workspace. You can do so from the Slack authorization screen that explains the permissions you are granting. At the top right corner of that screen, click the dropdown to view the workplaces that you are currently signed in to. Select the correct workspace or click Add and sign in to the intended Slack workspace.
Click the Authorize button. You are then guided through a process to ensure that your StrongDM user is logged in and connected to your Slack user account in your current workspace. When the process is complete, the StrongDM app for Slack indicates a successful authorization and gives you options for how to use the integration. In this message, and any time in the future that the /sdm command is run, the response contains the following buttons:
- Approval Requests shows a list of requests that are awaiting approval by you or another eligible approver. This button is also shown at the top of the Home tab.
- Catalog displays a search dialog that allows you to search and browse the resource catalog, which contains all resources that are available for you to request.
- My Requests shows a list of the requests that you have submitted. This button is also shown at the top of the Home tab.
- Usage lets you view usage instructions at any time and does the same as the command /sdm help.

Resource Catalog

Click the Catalog button (or run the command /sdm access) to search the resource catalog. Resources that you already have access to do not have a Request Access button next to them.

You can search using Name, Type, or Tag (described in the table below), but you can also search by the Access type:

Any: Returns the entire catalog list
Available: Only returns resources that you do not currently have access to but that are available for you to request
Granted by Role: Returns resources that you have standing access to through roles
Granted Temporarily: Returns resources that you have been directly granted temporary access to (not through requests)
Pending: Returns only resources for which you currently have pending requests

Resources that are available to request access to have a Request Access button next to them. You may select multiple resources.

Each item in the response includes the following properties, where relevant:

Property	Description
Availability	Whether the resource is available to request, or already granted by a role
Credentials	Whether the resource uses leased credentials or secret stores
ID	ID of the resource
Name	Name of the resource
Tags	Resource tag keys and values
Type	Resource type

Make a Request

Within the list of resources presented in the catalog, there is a Request Access button next to any resource that you do not already have standing access to, based on your roles. Click the Request Access button to open a Slack form and make the request. The form asks for the starting date/time and ending date/time for your request, and the reason for your request. The reason must be filled out.

If your request is to a resource that is part of a workflow with automatic approvals enabled, it is automatically granted. If the request is being fulfilled via a workflow that requires manual approval, the approvers are notified of your request.

You may also make a request directly with a command from anywhere in Slack, using the following syntax (optional arguments in brackets):

/sdm access to <RESOURCE_NAME_OR_ID> [for <DURATION>] [because <YOUR_REASON>]

For example:

/sdm access to rs-3454897454b8ed24 for 3h because testing reasons

The value of <RESOURCE_NAME_OR_ID> can be either your resource’s exact name, or its resource ID. The ID can be found in the catalog (/sdm access catalog) in the entry for the desired resource.
The value of <DURATION> is the number of days (d), hours (h), or minutes (m). For example: 15d or 3h or 10m. This argument is optional as an argument in the command, but all requests require a duration.
The value of <YOUR_REASON> should be a sufficient reason that an approver (or later auditor) is be able to understand your need for access and approve. This argument is optional as an argument in the command, but all requests require a reason.

If the /sdm access to command is used but the optional duration and reason arguments are not provided, the Slack modal form for access requests displays, pre-populated with the information you did provide about your request, and the request can be completed using the form. This provides a useful response to commands that are accidentally missing arguments as well as offering a shortcut for opening the request form for repeat requests where the resource name is known.

View and Respond to Requests

Click the Approval Requests button (or run the command /sdm access approval requests) to display a list of current requests. This list includes requests that you have made yourself, as well as requests that you are eligible to approve.

Each request listed contains the following properties:

Property	Description
Duration	Length of time for which access was requested
Reason	Reason stated for the request
Requester	Name of the requester
RequestID	Unique ID of the request; click to open the request in the Admin UI
Start	Date and time the access is to begin
Status	Pending, Approved, Denied, Revoked
Submitted	Date and time the request was submitted
Workflow	Name of the workflow handling the request

If the Respond button appears next to any of the requests, you can click it to see information about the request and respond to it with an approval or a denial. Additionally, for any requests for which you are an eligible reviewer, you receive a Slack notification (in addition to the email that you get from the system) that allows you to immediately click to approve or deny the request without opening the list.

If the Revoke button appears next to any of the previously approved requests, it opens a window that provides details about the request and the option to continue and revoke the request early.

Use the Integration in Channels

In addition to the private notifications that are sent to approvers, you can set up Slack channel notifications about access requests by inviting the StrongDM integration for Slack to a channel. The StrongDM integration can be attached as a bot to private or public channels. This is a good way to allow the first available person from a group of individual approvers to review and approve each request from within Slack, rather than have those individuals be notified by email and make the requester wait for a response.

This setup is most ideal for access workflows that have a group of approvers, rather than those that auto approve or that have a single approver. However, having the integration in a channel can also provide admins with a stream of posts indicating the requests that are being made, even if a group of approvers are not required. Depending on the working style of the approvers, this may still be of use.

Invite the integration

The invitation can be made in the same way as inviting any user: via the UI options within the channel:

In the desired channel, use the button in the top right to view the members of the channel, click the button to add a member, and choose the integration with Slack.
Or, you may simply enter the desired channel and type the command /invite @StrongDM.

Once StrongDM is added to the channel, it is in the channel members list under “Integrations”. It can be removed from a channel like any other member, but to remove it from a private channel, you need Administrator or Channel Manager permissions.

Immediately upon being invited to the channel, the integration makes a post with its commands shown as buttons and pins that post to the channel for further ease of access.

Interact with channel announcements

If a request is made using the Request Access button within the channel, the integration then announces the request in the channel. Request announcements are shown with approve and deny buttons (which only produce results if you are an approver), and they only notify in public channels. These announcements can be used to quickly show approvers requests in a place where those approvers are able to see and respond to them.

If a request is made using / commands (for example, /sdm access catalog), there are no announcements in the channel.

Please view the StrongDM Privacy Policy for information about how StrongDM collects, manages, and stores third-party data.

Integration With Slack - User Guide

Command Reference #

Authorize the Integration #

Resource Catalog #

Make a Request #

View and Respond to Requests #

Use the Integration in Channels #

Invite the integration #

Interact with channel announcements #