# PagerDuty Integration

Many organizations use incident response software that tracks which groups of users are on call at any given time. The PagerDuty integration allows your StrongDM organization to connect directly to PagerDuty using an OAuth app and sync selected on-call schedules. Each time the integration syncs (every 15 minutes, or when triggered manually), it checks which PagerDuty users are on call on the selected schedules, and if it matches those users to StrongDM users, it adds them to a group in StrongDM.

Once those groups exist within StrongDM, admins can then grant them standing access to resources using roles. This would ensure that people who are on call from that schedule always have access to those resources through StrongDM. Admins can also define access workflows to allow those users who are on call to request access to resources for a limited time. Those requests can be configured to be approved either manually by selected approvers or automatically. Either way, the requests are logged and interactions audited.

Access can be made even more granular through the use of [access policies](https://docs.strongdm.com/admin/access/policies).

## Prerequisites

* Administrator permission level for your StrongDM user in order to create and configure the integration and grant access to the resulting groups.
* A PagerDuty user with appropriate privileges to create and manage OAuth App integrations.

## PagerDuty Setup

1. Log in to PagerDuty as an admin.
2. Go to **Integrations** > **App Registration** > **My Apps** and then select **New App**.
3. Fill in a **Name** and **Description** with values that are useful to your PagerDuty administrators.
4. Select **OAuth 2.0**. In the app configuration screen, choose scoped OAuth if prompted, and then select the scopes you want to grant to the integration. For the StrongDM integration to function effectively, the following scopes are required (adjusting the scopes later may require reauthorizing the app):
   1. `oncalls.read`
   2. `schedules.read`
   3. `users.read`
5. Save the app. After saving, PagerDuty shows you the Client ID and Client Secret.

{% hint style="warning" %}
You need both values for StrongDM integration setup. The client secret is only shown at creation time, so store it securely.
{% endhint %}

## StrongDM Setup in the Admin UI

1. In the StrongDM Admin UI, navigate to the **Integrations** page.
2. Under **Incident Management**, click **Connect** on the PagerDuty item.
3. Fill in the required fields in the pop-out window.

<table data-header-hidden><thead><tr><th width="199.578857421875">Field</th><th width="130.29620361328125">Requirement</th><th>Description</th></tr></thead><tbody><tr><td><strong>Name</strong></td><td>Required</td><td>Name for the OAuth app, such as "StrongDM Integration"</td></tr><tr><td><strong>Instance URL</strong></td><td>Required</td><td>Your organization's PagerDuty URL; this must be a full URL, including <code>https://</code>, and is parsed for your organization's PagerDuty subdomain and region, if any (for example, <code>https://your-subdomain.pagerduty.com</code> or <code>https://your-subdomain.eu.pagerduty.com</code>)</td></tr><tr><td><strong>Client ID</strong></td><td>Required</td><td>Client ID of the OAuth app used for the StrongDM integration</td></tr><tr><td><strong>Client Secret</strong></td><td>Required</td><td>Client Secret of the OAuth app used for the StrongDM integration; shown only once at creation</td></tr><tr><td><strong>User Lookup Attribute</strong></td><td>Required</td><td><strong>Email</strong> or <strong>Identity Alias</strong> depending on whether you are using StrongDM user emails to correlate with PagerDuty users, or using StrongDM Identity Aliases to correlate to PagerDuty users</td></tr></tbody></table>

Once completed, groups from PagerDuty are imported.

{% hint style="info" %}
Note that if you wish to use **Identity Alias** for the **User Lookup Attribute**, you need to create an [Identity Set](https://docs.strongdm.com/admin/principals/identity-alias) for use with PagerDuty. This Identity Set should contain Identity Aliases that exactly match each user's PagerDuty ID (for example, `PXPGF42`).
{% endhint %}

## Manage the Integration in the Admin UI <a href="#manage-the-integration-in-the-admin-ui" id="manage-the-integration-in-the-admin-ui"></a>

You can manage the integration you just set up by navigating in the Admin UI to **Integrations**, clicking on the **Connected Services** tab, and selecting the PagerDuty integration you want to manage. On the integrations page, the left sidebar shows whether the integration is successfully connected. You can also see general information about the PagerDuty integration itself and a link to the documentation.

### On-Call <a href="#on-call" id="on-call"></a>

<figure><img src="https://4180056444-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FF7eka9SH5TT8nJm2ZfWj%2Fuploads%2F9ZS6C4S3sE7ZYjNsZHDN%2Fpagerduty-oncall.png?alt=media&#x26;token=95c2f270-6803-40d2-ac61-41e32aa97c98" alt=""><figcaption></figcaption></figure>

In the **On-Call** tab, you can see the schedules that are being synced by the integration.

#### **Add Schedules**

To add schedules to this list, select **Add Schedules** and then choose the schedules you wish to sync to StrongDM. Once schedules are selected, StrongDM automatically creates and manages a group for each selected schedule containing only the PagerDuty users currently on call for that schedule. On-call users who do not match a StrongDM user are ignored. These groups can then be granted access through [Roles](https://docs.strongdm.com/admin/access/roles), [Access Workflows](https://docs.strongdm.com/admin/access/access-workflows) and [Approval Workflows](https://docs.strongdm.com/admin/access/approval-workflows). That access can be further limited based on context or actions through [Policies](https://docs.strongdm.com/admin/access/policies).

**Example**:

* Alice, Bob, Carlos, and Deanna are engineers that take on-call shifts on the PagerDuty schedule named "TestSchedule."
* Their StrongDM administrator opens the configuration for their existing PagerDuty integration, goes to the **On-Call** tab, and selects **Add Schedules**. From the list of schedules that are found in PagerDuty, the admin selects **TestSchedule** to add it to StrongDM.
* The admin can navigate to **Principals** > **Groups** in StrongDM and view the **TestSchedule** group. This group is identified in the list as a PagerDuty-managed group. If Alice, Bob, Carlos, and Deanna are existing StrongDM users with email addresses that match their PagerDuty accounts, but only Alice and Bob are currently on-call in the **TestSchedule** in PagerDuty, Alice and Bob should now also be listed in the **TestSchedule** group in StrongDM. When that shift ends, and Carlos and Deanna enter on-call status for that schedule, the StrongDM **TestSchedule** group should now have Carlos and Deanna in it. Alice and Bob would then be removed if they were no longer on-call.
* The admin can open the group, select the **Roles** tab, and add roles to the group, which gives members of the group access to the resources that the selected roles can access. See the [roles](https://docs.strongdm.com/admin/access/roles "mention") page for more information.
* For just-in-time access, the admin can add a new role with no standing permissions to the **TestSchedule** group, then set up an access workflow that grants the users of this particular role the ability to request access to various resources as needed while on call. This can even be approved automatically, with the request process serving only to provide an audit trail when users ask for and receive access. See the [access-workflows](https://docs.strongdm.com/admin/access/access-workflows "mention") page for more information.
* As members rotate off of on-call duty, they are removed from the TestSchedule StrongDM group during the next integration sync (which runs automatically every 15 minutes or can be manually triggered by an admin by clicking the **Sync Now** button on the **On-Call** tab).

#### **Remove Schedules**

Schedules that are currently synced with StrongDM can be removed by selecting them in the list and then clicking the **Remove Schedules** button that appears in the bottom left of the screen when schedules are selected.

### Connection Settings <a href="#connection-settings" id="connection-settings"></a>

The **Connection Settings** tab contains the same settings that were configured in the [Admin UI Setup](#strongdm-setup-in-the-admin-ui) section. The **Name** and **Instance URL** are read-only here, but the **Client ID** and **Client Secret** can be replaced if regenerated at the OAuth app in PagerDuty, and the **User Lookup Attribute** can be changed if you alter how you link StrongDM users and PagerDuty users.

## Manage Access for PagerDuty Groups <a href="#manage-access-for-pagerduty-groups" id="manage-access-for-pagerduty-groups"></a>

Groups imported from PagerDuty can be added to Roles like any other group, or used in access workflows so that various on-call PagerDuty groups can gain access. See the following sections for information about how to further manipulate access with Access Workflows, Approval Workflows, Policies, and Roles.

* [access-workflows](https://docs.strongdm.com/admin/access/access-workflows "mention")
* [approval-workflows](https://docs.strongdm.com/admin/access/approval-workflows "mention")
* [policies](https://docs.strongdm.com/admin/access/policies "mention")
* [roles](https://docs.strongdm.com/admin/access/roles "mention")

## Troubleshooting <a href="#troubleshooting" id="troubleshooting"></a>

* **A user does not appear in the group**:
  * Confirm that the user exists in StrongDM.
  * Confirm that the user's email matches their email in PagerDuty exactly (or that their Identity Alias for the selected Identity set matches their PagerDuty ID exactly, if using Identity Aliases for user matching).
  * Confirm that the user is currently on-call in PagerDuty.
* **Schedules don’t show up**: Confirm that the OAuth app has the `schedules.read` scope.
* **On-call membership doesn't show recent changes**: Wait (up to 15 minutes) or trigger a manual sync by clicking the **Sync Now** button on the **On-Call** tab.
* **Integration stopped syncing after rotating secrets in the PagerDuty OAuth app**: Update the **Client Secret** field in StrongDM under **Connection Settings** with the new client secret.
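
The checks in the first troubleshooting item can be modeled as a small offline diagnostic that reports why a given on-call user is or is not expected in a schedule's group. This is an added example, not StrongDM's implementation: the record fields, user IDs, and email addresses are constructed, and reading "exactly" as a case-sensitive string comparison is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PDUser:                 # PagerDuty side; fields are constructed for this example
    id: str
    email: str

@dataclass(frozen=True)
class SDMUser:                # StrongDM side; fields are constructed for this example
    email: str
    identity_alias: Optional[str] = None   # alias from the PagerDuty Identity Set

def diagnose(pd_user, on_call_ids, sdm_users, lookup="email"):
    """Return (in_group, reason) for one PagerDuty user on one synced schedule."""
    if pd_user.id not in on_call_ids:
        return False, "not currently on call for this schedule"
    # Email lookup compares emails; Identity Alias lookup compares alias to PagerDuty ID.
    want = pd_user.email if lookup == "email" else pd_user.id
    have = [u.email if lookup == "email" else u.identity_alias for u in sdm_users]
    have = [h for h in have if h]
    if want in have:                       # assumption: "exactly" = case-sensitive equality
        return True, "exact match"
    near = [h for h in have if h.strip().lower() == want.strip().lower()]
    if near:
        return False, f"near miss: StrongDM has {near[0]!r}, PagerDuty has {want!r}"
    return False, f"no StrongDM user with {lookup} {want!r}"

def expected_group(pd_users, on_call_ids, sdm_users, lookup="email"):
    """PagerDuty IDs this model expects in the schedule's group after a sync."""
    return sorted(p.id for p in pd_users
                  if diagnose(p, on_call_ids, sdm_users, lookup)[0])

# Constructed sample data (IDs and addresses are made up).
PD_USERS = [PDUser("PAAAAA1", "alice@example.com"), PDUser("PBBBBB2", "bob@example.com"),
            PDUser("PCCCCC3", "carlos@example.com"), PDUser("PDDDDD4", "deanna@example.com")]
ON_CALL = {"PAAAAA1", "PBBBBB2", "PDDDDD4"}           # Carlos is off shift
SDM_USERS = [SDMUser("alice@example.com", "PAAAAA1"),
             SDMUser("Bob@example.com", "PBBBBB2"),   # email differs in case only
             SDMUser("carlos@example.com", "PCCCCC3")]  # Deanna has no StrongDM user

if __name__ == "__main__":
    for mode in ("email", "identity_alias"):
        print(mode, expected_group(PD_USERS, ON_CALL, SDM_USERS, mode))
        for p in PD_USERS:
            print("  ", p.email, diagnose(p, ON_CALL, SDM_USERS, mode))
```

Comparing the expected membership against the group shown under **Principals** > **Groups** after a **Sync Now** highlights users who hold access they should not have, or who are missing access while on call.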

