Provision just in time repository access

People and applications often need temporary access to a data repository, and few database systems offer a way to create credentials that automatically expire. Cyral enables you to do this by creating time-based access grants. With this option enabled, your administrators grant data repository users credentials that expire if they're not initially used within a window you set, and, once used, expire after a set period.

Time-based access grants are available for both SSO-authenticated users and users who authenticate through Cyral with their database-native credentials.

Grant timed access to a user or group

You can grant limited-time access to a repository to an SSO user or SSO group. Set this up as shown below.

Prerequisites:

Procedure:

  1. In the Data Repos page, click the name of your repository, click the Identity to Account Map tab and click the plus sign.

  2. Choose User or Group as the identity type.

  3. In the Identity field, specify the SSO user name or group name as it's written in your identity service.

  4. In the Local Account field, choose the name of the repo account (native data repository account) they'll log in as. See the SSO setup instructions for details.

  5. In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.

    Note: If the user is still connected when their grant expires, they will be logged out immediately.

  6. Click Create.

Revoking a user's or group's data access

All SSO access grants are shown in the Identity Map tab of the Cyral control plane UI. To revoke a user's access, follow these steps:

  1. Click the Identity Map tab.
  2. In the section for the identity provider of your user or group, find the user or group record, and click its name (usually this is an email address or SSO group name).
  3. In the User Details page, click the name of the repository for which you wish to revoke the user's or group's access.
  4. Click the Identity to Account Map tab.
  5. Find the user's or group's record in the list, and click the trash bin icon. If a user is still connected when you revoke their access, they will be logged out immediately.

Request and grant repository access in Slack

The Cyral Slack app is a ChatOps integration that lets employees get on-demand, authorized access to data repositories. By chatting with the /cyral bot in Slack, database users can find repositories, request access, and be alerted when their request is approved. Admins can approve data access requests and find repositories and sidecars.

Set up the Cyral self-service access integration for Slack

Prerequisites

  • In Slack, find or create a channel where repository administrators can receive and handle access requests using the Cyral app.
    • This can be a public or private channel.
    • Cyral recommends that you dedicate a channel for this, so that requests don't get lost in the traffic of a busy channel.
  • Before you begin to add the Cyral app, make sure you're logged into your Slack workspace using an account that has permission to add apps. By default, Slack allows any user to add the app to their workspace, but the manager of your Slack workspace may have placed limits on this.

Procedure

To add the Cyral Slack app:

  1. Open the Cyral management console and navigate to the Integrations page.

  2. On the Slack Bot tile, click Configure.

  3. Click Add to Slack.

  4. Slack displays a dialogue saying that Cyral is requesting access to your workspace. Choose the channel where the app will chat with your employees, and click Allow. The Cyral app will also show Approve and Deny buttons in this channel, and it can DM users to notify them if their request was approved or denied.

    Once the app has been added to a Slack workspace, the bot will be visible to all users in the workspace and they can interact with it. Users can chat with the bot from anywhere by typing /cyral followed by a command. Type /cyral help to list the bot's commands.

  5. Invite the repository administrators to the app's channel. This channel is where they will receive incoming access requests and approve and deny them.

  6. Make sure each repository administrator has the Modify sidecars/repositories permission in Cyral, which is included in the default Admin and Super Admin roles.

  7. All data users and repository administrators should connect their accounts using /cyral connect as explained in Connect your Slack account and Cyral account, below. It's important that administrators connect as soon as possible, so that they can start handling requests.

  8. For each repository that will support access requests via Slack, you must enable SSO in Cyral. To do this, see Authenticate repository access with SSO.

Using the Cyral app in Slack

Connect your Slack account and Cyral account

Before you can perform actions with the Cyral app in Slack, you must connect your Slack user account to the account you use in Cyral. This allows the Cyral app to report on who's doing what and to check which repository-related actions you're authorized to do. Both users and administrators need to do this.

To connect your account:

  1. From anywhere in Slack (for example in your personal channel) type /cyral connect to log in to your Cyral account.

  2. In your browser, Cyral shows a page where you can authorize the Cyral app, allowing it to see your profile information. Click Yes to authorize, and you'll see a notification in the browser and in Slack.

Cyral app commands in Slack

Once you've connected your Slack account to Cyral, you can use the app's commands from anywhere in Slack. Start by using the /cyral help command to show a list of commands.

Listing repositories and sidecars

/cyral list repos

/cyral list sidecars

Requesting access to a repository

To request access, type the /cyral request access command in the form:

/cyral request access repository-name duration

where

  • repository-name is the name of the repository (use /cyral list repos to find the right spelling)
  • duration is the length of time for which you want to have access, expressed as a number and a single-letter abbreviation: m for minutes, h for hours, or d for days.

For example:

/cyral request access patients-ephemeral 15m
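The following is an added example, not Cyral's code: it validates a request string in the form shown above and models the grant lifetime this page describes, where an unused grant lapses after a window and a used grant expires after a set period. The names `parse_request`, `TimedGrant`, `use_window` and the `max_duration` policy cap are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Duration units documented on this page: m (minutes), h (hours), d (days).
_UNITS = {"m": "minutes", "h": "hours", "d": "days"}
_REQUEST = re.compile(r"/cyral\s+request\s+access\s+(\S+)\s+(\d{1,5})([mhd])")

def parse_request(text: str, max_duration: timedelta) -> Tuple[str, timedelta]:
    """Return (repository, duration) or raise ValueError.

    max_duration is a hypothetical local policy cap, not a Cyral setting.
    """
    m = _REQUEST.fullmatch(text.strip())
    if not m:
        raise ValueError("expected: /cyral request access <repo> <number><m|h|d>")
    repo, amount, unit = m.group(1), int(m.group(2)), m.group(3)
    duration = timedelta(**{_UNITS[unit]: amount})
    if duration <= timedelta(0):
        raise ValueError("duration must be greater than zero")
    if duration > max_duration:
        raise ValueError(f"{duration} exceeds policy cap {max_duration}")
    return repo, duration

@dataclass
class TimedGrant:
    """Model of a grant that lapses if unused, then expires after first use."""
    issued: datetime
    use_window: timedelta   # grant must first be used within this window
    duration: timedelta     # validity period counted from first use
    first_used: Optional[datetime] = None

    def is_valid(self, now: datetime) -> bool:
        if self.first_used is None:
            return now <= self.issued + self.use_window
        return now <= self.first_used + self.duration

    def use(self, now: datetime) -> bool:
        """Record first use if still allowed; return whether access is permitted."""
        if not self.is_valid(now):
            return False
        if self.first_used is None:
            self.first_used = now
        return True
```
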

Once you run the command, your data repository administrators get a notification in the Cyral app's Slack channel. Once they approve it, you'll get a direct message in Slack similar to:

Approve an on-demand access request

Prerequisite

Make sure you're a Cyral administrator with at least the Modify sidecars/repositories permission in Cyral.

Procedure

When someone requests access to a data repository, the request will appear in your Slack access-requests channel. (Ask your Cyral administrator for the exact name of the channel.)

For information about how on-demand access works in Cyral, see grant timed access to a user or group.

Once you approve, Cyral informs the person via the access-request channel in Slack, and they can log in to the repository using their SSO credentials.

Revoke an access grant

If you approve a request in error, you can revoke it by clicking the Revoke button in the Slack channel. Alternatively, you can find and revoke sessions in the Cyral management console by going to the Data Repos section, clicking your repository's name, clicking the Identity to Account Map tab, finding the session you want to revoke, and clicking the trash can icon.

Cyral informs the user via the access-request channel in Slack that their access has been revoked. If the person has a current session in the data repository, that session ends and no new session can start until the user gets a new approval.

Manage on-demand access requests

To manage on-demand access sessions, go to the Data Repos section, click your repository's name, click the Identity to Account Map tab, and find the session you want to manage. Here, you can view and revoke current on-demand sessions, as well as enable and disable ephemeral access for this repository.

For data repository users: How to request repository access via Slack

To request access to a data repository:

  1. In Slack, type /cyral list repos and find the name of the repo you want to use.
  2. Type /cyral request access repository-name duration where repository-name is the name of the repo, and duration is the length of access you want, expressed as a number followed by m, h, or d to indicate minutes, hours, or days. For example, /cyral request access patients-ephemeral 15m
  3. Watch Slack for an update. When an administrator approves your request, you'll get a direct message from the Cyral bot.
  4. Go to the repository portal and sign in. If your repository requires an SSO token, you can get it from the Cyral repository portal.