PagerDuty Integration

The StrongDM integration with PagerDuty allows on-call members of PagerDuty schedules to receive access to specified resources within StrongDM while they are on call.

Many organizations manage incident response software that contains groups of users who are on call at any given time. The PagerDuty integration allows your StrongDM organization to connect directly to PagerDuty using an OAuth app and sync selected on-call schedules. Each time the integration syncs (every 15 minutes, or when triggered manually), it checks which PagerDuty users are on call on the selected schedules, matches those users to StrongDM users, and adds the matched users to a group in StrongDM.

Once those groups exist within StrongDM, admins can grant them standing access to resources using roles. This ensures that people who are on call for that schedule always have access to those resources through StrongDM. Admins can also define access workflows that allow on-call users to request access to resources for a limited time. Those requests can be configured to be approved either manually by selected approvers or automatically. Either way, the requests are logged and the interactions audited.

Access can be made even more granular through the use of access policies.

Prerequisites

  • Administrator permission level for your StrongDM user in order to create and configure the integration and grant access to the resulting groups.

  • A PagerDuty user with appropriate privileges to create and manage OAuth App integrations.

PagerDuty Setup

  1. Log in to PagerDuty as an admin.

  2. Go to Integrations > App Registration > My Apps and then select New App.

  3. Fill in a Name and Description with values that are useful to your PagerDuty administrators.

  4. Select OAuth 2.0. In the app configuration screen, choose scoped OAuth if prompted, and then select the scopes you want to grant to the integration. For the StrongDM integration to function effectively, the following scopes are required (adjusting the scopes later may require reauthorizing the app):

    1. oncalls.read

    2. schedules.read

    3. users.read

  5. Save the app. After saving, PagerDuty shows you the Client ID and Client Secret.


StrongDM Setup in the Admin UI

  1. In the StrongDM Admin UI, navigate to the Integrations page.

  2. Under Incident Response, click Connect on the PagerDuty item.

  3. Fill in the required fields in the pop-out window.

  • Name (Required): Name for the OAuth app, such as "StrongDM Integration"

  • Instance URL (Required): Your organization's PagerDuty URL; this must be a full URL, including https://, and is parsed for your organization's PagerDuty subdomain and region, if any (for example, https://your-subdomain.pagerduty.com or https://your-subdomain.eu.pagerduty.com)

  • Client ID (Required): Client ID of the OAuth app used for the StrongDM integration

  • Client Secret (Required): Client Secret of the OAuth app used for the StrongDM integration; shown only once at creation

  • User Lookup Attribute (Required): Email or Identity Alias, depending on whether you are using StrongDM user emails or StrongDM Identity Aliases to correlate with PagerDuty users

Once completed, groups from PagerDuty are imported.


Note that if you wish to use Identity Alias for the User Lookup Attribute, you need to create an Identity Set for use with PagerDuty. This Identity Set should contain Identity Aliases that exactly match each user's PagerDuty ID (for example, PXPGF42).

Manage the Integration in the Admin UI

You can manage the integration you just set up by navigating in the Admin UI to Integrations, then to Connected Services tab, and selecting the PagerDuty integration you want to manage. On the integration page, the left sidebar shows whether the integration is successfully connected. You can also see general information about the PagerDuty integration itself and a link to the documentation.

On-Call

In the On-Call tab, you can see the schedules that are being synced by the integration. To add schedules to this list, select Add Schedules and then choose the schedules you wish to sync to StrongDM. Once schedules are selected, StrongDM automatically creates and manages a group for each selected schedule containing only the PagerDuty users currently on call for that schedule. On-call users who do not match a StrongDM user are ignored. These groups can then be granted access through Roles, Access Workflows and Approval Workflows. That access can be further limited based on context or actions through Policies.

Example:

  • Alice, Bob, Carlos, and Deanna are engineers that take on-call shifts on the PagerDuty schedule named "TestSchedule."

  • Their StrongDM administrator opens the configuration for their existing PagerDuty integration, goes to the On-Call tab, and selects Add Schedules. From the list of schedules that are found in PagerDuty, the admin selects TestSchedule to add it to StrongDM.

  • The admin can navigate to Principals > Groups in StrongDM and view the TestSchedule group. This group is identified in the list as a PagerDuty-managed group. If Alice, Bob, Carlos, and Deanna are existing StrongDM users with email addresses that match their PagerDuty accounts, but only Alice and Bob are currently on call in TestSchedule in PagerDuty, then Alice and Bob should now also be listed in the TestSchedule group in StrongDM. When that shift ends and Carlos and Deanna enter on-call status for that schedule, the StrongDM TestSchedule group should then contain Carlos and Deanna. Alice and Bob are removed if they are no longer on call.

  • The admin can open the group, select the Roles tab, and add roles to the group, which gives members of the group access to whatever resources the selected roles have access to. See the Roles page for more information.

  • For just-in-time access, the admin can add a new role with no standing permissions to the TestSchedule group, then set up an access workflow that grants the users of this particular role the ability to request access to various resources as needed while on call. This can even be approved automatically, with the request process serving only to provide an audit trail when users ask for and receive access. See the Access Workflows page for more information.

  • As members rotate off of on-call duty, they are removed from the TestSchedule StrongDM group during the next integration sync (which runs automatically every 15 minutes or can be manually triggered by an admin by clicking the Sync Now button on the On-Call tab).
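As an added example that is not StrongDM's or PagerDuty's own code, the following Python sketch reconciles a schedule-managed group the way the sync described above behaves: on-call users are matched to StrongDM users by the configured User Lookup Attribute (exact email, or an Identity Alias equal to the PagerDuty user ID), unmatched users are ignored, and members who rotated off call are removed. The record shapes, the identity set name "pagerduty", and the sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed record shapes for this example; not StrongDM or PagerDuty API types.
@dataclass
class PdUser:
    id: str      # PagerDuty user ID, the value an Identity Alias must match exactly
    email: str

@dataclass
class SdmUser:
    email: str
    # identity set name -> alias value; "pagerduty" is an assumed set name
    aliases: dict = field(default_factory=dict)

def match_oncall_users(oncall, sdm_users, lookup_attribute, identity_set="pagerduty"):
    """Map on-call PagerDuty users to StrongDM users (returned as a set of emails)
    using the User Lookup Attribute: "email" or "identity_alias". Comparison is
    exact, as the troubleshooting guidance requires; unmatched users are skipped."""
    if lookup_attribute == "email":
        index = {u.email: u for u in sdm_users}
        keys = [p.email for p in oncall]
    elif lookup_attribute == "identity_alias":
        index = {u.aliases[identity_set]: u for u in sdm_users if identity_set in u.aliases}
        keys = [p.id for p in oncall]
    else:
        raise ValueError(f"unknown lookup attribute: {lookup_attribute}")
    return {index[k].email for k in keys if k in index}

def sync_schedule_group(current_members, oncall, sdm_users, lookup_attribute):
    """One sync pass for a schedule group: returns (new_members, added, removed).
    Membership becomes exactly the matched on-call set, so a user who rotates
    off call loses the group (and the access its roles grant) at the next sync."""
    desired = match_oncall_users(oncall, sdm_users, lookup_attribute)
    return desired, desired - current_members, current_members - desired

# Constructed sample data mirroring the TestSchedule walkthrough above.
SDM_USERS = [
    SdmUser("alice@example.com", {"pagerduty": "PXPGF42"}),
    SdmUser("bob@example.com"),
    SdmUser("carlos@example.com"),
    SdmUser("deanna@example.com"),
]
SHIFT_1 = [PdUser("PXPGF42", "alice@example.com"), PdUser("PBOB001", "bob@example.com"),
           PdUser("PEVE999", "eve@example.com")]  # Eve has no StrongDM account: ignored
SHIFT_2 = [PdUser("PCAR002", "carlos@example.com"), PdUser("PDEA003", "deanna@example.com")]

def run_walkthrough():
    """Two consecutive syncs: shift 1 (Alice, Bob) then shift 2 (Carlos, Deanna)."""
    members, added, removed = sync_schedule_group(set(), SHIFT_1, SDM_USERS, "email")
    first = (sorted(added), sorted(removed))
    members, added, removed = sync_schedule_group(members, SHIFT_2, SDM_USERS, "email")
    return first, (sorted(added), sorted(removed))

if __name__ == "__main__":
    print(run_walkthrough())
```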

Removing Schedules

Schedules that are currently synced with StrongDM can be removed by selecting them in the list and then clicking the Remove Schedules button that appears in the bottom left of the screen when schedules are selected.

Connection Settings

The Connection Settings tab contains the same settings that were configured in the Admin UI setup section. The Name and Instance URL are read-only here, but the Client ID and Client Secret can be replaced if they are regenerated for the OAuth app in PagerDuty, and the User Lookup Attribute can be changed if you alter how you link StrongDM users to PagerDuty users.

Manage Access for PagerDuty Groups

Groups imported from PagerDuty can be added to Roles like any other group, or used in access workflows so that various on-call PagerDuty groups can request access. See the following sections for information about how to further control access with Access Workflows, Approval Workflows, Policies, and Roles.

Troubleshooting

  • A user does not appear in the group:

    • Confirm that the user exists in StrongDM.

    • Confirm that the user's email matches their email in PagerDuty exactly (or, if using Identity Aliases for user matching, that their Identity Alias in the selected Identity Set matches their PagerDuty ID exactly).

    • Confirm that the user is currently on call in PagerDuty.

  • Schedules don’t show up: Confirm that the OAuth app has the schedules.read scope.

  • On-call membership doesn't show recent changes: Wait (up to 15 minutes) or trigger a manual sync by clicking the Sync Now button on the On-Call tab.

  • Integration stopped syncing after rotating secrets in the PagerDuty OAuth app: Update the Client Secret field in StrongDM under Connection Settings with the new client secret.
