# Incident.io Integration Many organizations manage incident response software that contains groups of users that are on call at any given time. The Incident.io integration allows your StrongDM organization to connect directly to Incident.io using an API key and sync selected on-call schedules. Each time the integration syncs (every 15 minutes, or when triggered manually), it checks which Incident.io users are on call on the selected schedules, and if it matches those users to StrongDM users, it adds them to a group in StrongDM. Once those groups exist within StrongDM, admins can then grant them standing access to resources using roles. This would ensure that people who are on call from that schedule always have access to those resources through StrongDM. Admins can also define access workflows to allow those users who are on call to request access to resources for a limited time. Those requests can be configured to be approved either manually by selected approvers or automatically. Either way, the requests are logged and interactions audited. Access can be made even more granular through the use of [access policies](https://docs.strongdm.com/admin/access/policies). ## Prerequisites * Administrator permission level for your StrongDM user in order to create and configure the integration and grant access to the resulting groups. * An Incident.io user with appropriate privileges to create and manage API keys. ## Incident.io Setup The Incident.io integration uses an API key to sync on-call schedules with StrongDM. Follow these steps to configure Incident.io for StrongDM: 1. Log in to Incident.io as an administrator. 2. Go to **Settings > API Keys**. 3. Click **Create API Key**. 4. Enter a meaningful **Name** that is useful to your Incident.io administrators. 5. Ensure that the API key has permission to read schedules. 6. Create the key and copy the API key value immediately. You will use this API key in the StrongDM Admin UI when connecting the integration. {% hint style="warning" %} The API key is only shown at creation time, so store it securely. {% endhint %} ## StrongDM Setup in the Admin UI 1. In the StrongDM Admin UI, navigate to the **Integrations** page. 2. Under **Incident Management**, click **Connect** on the Incident.io item. 3. Fill in the required fields in the pop-out window.
FieldRequirementDescription
NameRequiredName for the integration, such as "StrongDM Integration"
API KeyRequiredAPI key for Incident.io
User Lookup AttributeRequiredEmail or Identity Alias depending on whether you are using StrongDM user emails to correlate with Incident.io users, or using StrongDM Identity Aliases to correlate to Incident.io users
Once completed, groups from Incident.io are imported. {% hint style="info" %} Note that if you wish to use **Identity Alias** for the **User Lookup Attribute**, you need to create an [Identity Set](https://docs.strongdm.com/admin/principals/identity-alias) for use with Incident.io. This Identity Set should contain Identity Aliases that exactly match each user's Incident.io ID (for example, `01AB23C4DEFGHIJ5KLMNOP6Q`). {% endhint %} ## Manage the Integration in the Admin UI You can manage the integration you just set up by navigating in the Admin UI to **Integrations**, clicking on the **Connected Services** tab, and selecting the Incident.io integration you want to manage. On the integrations page, the left sidebar shows whether the integration is successfully connected. You can also see general information about the Incident.io integration itself and a link to the documentation. ### On-Call
In the **On-Call** tab, you can see the schedules that are being synced by the integration. #### **Add Schedules** To add schedules to this list, select **Add incident.io Schedule** and then choose the schedules you wish to sync to StrongDM. Once schedules are selected, StrongDM automatically creates and manages a group for each selected schedule containing only the Incident.io users currently on call for that schedule. On-call users who do not match a StrongDM user are ignored. These groups can then be granted access through [Roles](https://docs.strongdm.com/admin/access/roles), [Access Workflows](https://docs.strongdm.com/admin/access/access-workflows) and [Approval Workflows](https://docs.strongdm.com/admin/access/approval-workflows). That access can be further limited based on context or actions through [Policies](https://docs.strongdm.com/admin/access/policies). **Example**: * Alice, Bob, Carlos, and Deanna are engineers that take on-call shifts on the Incident.io schedule named "TestSchedule." * Their StrongDM administrator opens the configuration for their existing Incident.io integration, goes to the **On-Call** tab, and selects **Add Schedules**. From the list of schedules that are found in Incident.io, the admin selects **TestSchedule** to add it to StrongDM. * The admin can navigate to **Principals** > **Groups** in StrongDM and view the **TestSchedule** group. This group is identified in the list as a Incident.io-managed group. If Alice, Bob, Carlos, and Deanna are existing StrongDM users with email addresses that match their Incident.io accounts, but only Alice and Bob are currently on-call in the **TestSchedule** in Incident.io, Alice and Bob should now also be listed in the **TestSchedule** group in StrongDM. When that shift ends, and Carlos and Deanna enter on-call status for that schedule, the StrongDM **TestSchedule** group should now have Carlos and Deanna in it. Alice and Bob would then be removed if they were no longer on-call. * The admin can open the group and select the **Roles** tab and add roles to the group, which gives members of the group access to whatever resources that the selected roles have access to. See the [roles](https://docs.strongdm.com/admin/access/roles "mention") page for more information. * For just-in-time access, the admin can add a new role with no standing permissions to the **TestSchedule** group, then set up an access workflow that grants the users of this particular role the ability to request access to various resources as needed while on call. This can even be approved automatically, with the request process serving only to provide an audit trail when users ask for and receive access. See the [access-workflows](https://docs.strongdm.com/admin/access/access-workflows "mention") page for more information. * As members rotate off of on-call duty, they are removed from the TestSchedule StrongDM group during the next integration sync (which runs automatically every 15 minutes or can be manually triggered by an admin by clicking the **Sync Now** button on the **On-Call** tab). #### **Remove Schedules** Schedules that are currently synced with StrongDM can be removed by selecting them in the list and then clicking the **Remove Schedules** button that appears in the bottom left of the screen when schedules are selected. ### Connection Settings The **Connection Settings** tabs contains the same settings that were configured in the [Admin UI Setup](#strongdm-setup-in-the-admin-ui) section. The **Name** is read-only here, but the **API Key** can be replaced if regenerated in Incident.io, and the **User Lookup Attribute** can be changed if you alter how you link StrongDM users and Incident.io users. ## Manage Access for Incident.io Groups Groups imported from Incident.io can be added to Roles like any other group or featured in access workflows enabling various on-call Incident.io groups to gain access. See the following sections for information about how to further manipulate access with Access Workflows, Approval Workflows, Policies, and Roles. * [access-workflows](https://docs.strongdm.com/admin/access/access-workflows "mention") * [approval-workflows](https://docs.strongdm.com/admin/access/approval-workflows "mention") * [policies](https://docs.strongdm.com/admin/access/policies "mention") * [roles](https://docs.strongdm.com/admin/access/roles "mention") ## Troubleshooting * **A user does not appear in the group**: * Confirm that the user exists in StrongDM. * Confirm that the user's email matches their email in Incident.io exactly (or that their Identity Alias for the selected Identity set matches their Incident.io ID exactly, if using Identity Aliases for user matching). * Confirm that the user is currently on-call in Incident.io. * **Schedules don’t show up**: Confirm that API key has permission to read schedules * **On-call membership doesn't show recent changes**: Wait (up to 15 minutes) or trigger a manual sync by clicking the **Sync Now** button on the **On-Call** tab. * **Integration stopped syncing after updating keys in Incident.io**: Update the **API Key** field in StrongDM under **Connection Settings** with the new API key. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/deployment/integrations/incidentio.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.