Schedule repository access for on-call users

On-call engineers and staff often need access to production data and other repositories, but the sensitive nature of these repositories means that each person's access grant should remain open only during their on-call rotation.

You can automate on-call access grants by linking Cyral with your incident management system. When you do this, you'll combine authentication from your identity platform with scheduling from your incident management system and repository access enforcement from Cyral.

Prerequisites

Create an SSO mapping tied to your team's on-call schedule

  1. In the Data Repos page of the Cyral control plane UI, click the name of the repository whose access you wish to manage. Click the Identity to Account Map tab, and click the plus sign.

  2. Choose Group as the Identity Type, and in the Identity field, specify the name of the SSO group that contains your on-call team. Alternatively, you may choose User and specify an SSO user name. Use the group name or user name as it's written in your identity service.

  3. In the Local Account field, choose the name of the native repository account that your on-call team will use to connect, as configured in Cyral. (For details, see SSO authentication for your users.)

  4. In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.

  5. In the on-call section, click Restrict access to on-call hours and choose the name of the incident management system integration you saved in Cyral. For setup details, see the incident response system integration instructions.

  6. Click Create.

Your on-call access control setup for this repository is complete. You can check whether on-call access control is active for any repository by opening the Data Repos page, clicking the name of the repository, and clicking the Identity to Account Map tab. For each user and group on the repository, the Authorization Policy column shows whether an on-call management system has been set up to limit access.

How on-call users connect to a repository

On-call users can connect to configured repositories during their on-call rotation:

  1. Navigate to the Cyral access portal, or click the Your Access Token button at the top of the Cyral control plane UI.

  2. Find your repository in the list and click the Show connection commands button.

    Note: If you don't see the repository you're looking for, click the Request access to a data repository button and choose the name of the repository and the local account (native account in the repository) you wish to use to access it. Specify a desired Duration of access and click Submit.

  3. A dialog appears showing connection information for your repository. Use the copy button to copy the connection string or URI that's appropriate for your client. Note that when you connect to a data repository through Cyral, you'll use its sidecar endpoint address instead of the data repository's native address.

    Tip: If you work at the command line, you can use Cyral's CLI token retriever for SSO. See CLI Token retriever for SSO.

See the repo connection instructions for more details on finding and connecting to repositories.