Skip to main content
Version: v2.x

Just-in-time access user guide

Connect your Slack account and Cyral account

Before you can perform actions with the Cyral app in Slack, you must connect your Slack user account to the account you use in Cyral. This allows the Cyral app to report on who's doing what and to check which database-related actions you're authorized to do. Both users and administrators need to do this.

To connect your account:

  1. From anywhere in Slack (for example in your personal channel) type /cyral connect to log in to your Cyral account:

  2. In your browser, Cyral shows a page where you can authorize the Cyral app, allowing it to see your profile information. Click Yes to authorize, and you'll see a notification in the browser and in Slack.


If you can't find the /cyral app in your Slack, make sure your Cyral or Slack administrator has installed the Cyral Slack app.

Cyral app commands in Slack

Once you've connected your Slack account to Cyral, you can use the app's commands from anywhere in Slack. Start by using the /cyral help command to show a list of commands:

List repositories and sidecars

  • Repositories: /cyral list repos
  • Sidecars: /cyral list sidecars

Request access

To request access:

  1. Type /cyral request to launch the dialog window.

  2. Provide the request details:

    • Data Repository is the name of the database

    • Local Account is the name of the database native account you'll use to connect.

    • Sensitive Resources lists the data resources (like tables or columns) you'd like to access. When a resource has a set-member structure, as in a table with columns, you'll have the option to choose individual members or the set. For example, if your sensitive resources are two columns in the table sales, namely the columns sales.prod_name and sales.sku, then the drop down will let you choose from sales.prod_name, sales.sku, and sales itself. If you request access to sales, you're requesting access to both sales.prod_name and sales.sku.

      The chatbot won't force you to make a selection here; follow your administrator's guidance and specify resources if required. Click on the field to expand the list, click on the names of the desired resources, and click outside the list to close it.

    • Access Duration is the length of time for which you want to have access, expressed as a number and a single-letter abbreviation: m for minutes, h for hours, or d for days.

    • Note is an optional message to the approver, telling them why you want access.

  3. Click Request Access to submit your request. You'll receive a response in chat when the administrator approves or denies it.


    If you can't find the table, column, or other data resource you're looking for, make sure your Cyral administrator has made it available through the chatbot.

  1. Await approval: Once you make the request, your database administrators get a notification in the Cyral app's Slack channel. Once they approve it, you'll get a direct message in Slack similar to this:

  2. Connect: Navigate to the Cyral Access Portal, and copy or click your login credentials there.

Approve a just-in-time request


  • You must be a Cyral administrator with at least the Modify sidecars/repositories permission in Cyral.
  • You must have the Cyral Slack app installed.


When someone requests access to a database, the request will appear in your Slack access-requests channel. (Ask your Cyral administrator for the exact name of the channel).

Once you approve, Cyral informs the person via the access-request channel in Slack, and they can log in to the database using their SSO credentials.

For information about how just-in-time access works in Cyral, see the overview.

Revoke a just-in-time access grant

If you approve a request in error, you can revoke it by clicking the Revoke button in the Slack channel.

Alternatively, you can find and revoke sessions in the Cyral management console by going to the Data Repos section, clicking your database's name, clicking the Identity to Account Map tab, finding the session you want to revoke, and clicking the trash can icon.

Cyral informs the user via the access-request channel in Slack that their access has been revoked. If the person has a current session in the database, that session ends and no new session can start until the user gets a new approval.

Manage just-in-time access requests


  • You must be a Cyral administrator with at least the Modify sidecars/repositories permission in Cyral.


To manage just-in-time access sessions, log in to the Cyral control plane UI with your web browser. Go to the Data Repos section, click your database's name, click the Identity to Account Map tab, and find the session you want to manage. Here, you can view and revoke current just-in-time sessions, as well as enable and disable ephemeral access for this database.