# Grant Temporary Access with a Hubot Chatbot

If you are using a Hubot chatbot to automate common activities, you can integrate with the `sdm` Linux binary to handle common administrative tasks. This guide shows how to add a Hubot command to grant temporary access to datasources and servers. In this guide, we use the Heroku deployment method; modify as needed if you're using a different deployment type.

### Setup

1. Set up a Hubot chatbot according to the directions on the [Hubot site](https://hubot.github.com/docs/deploying/heroku).
2. Once the setup is done, copy the Linux binary (see the [Linux Installation Guide](https://app.gitbook.com/s/HaY8OFbXUreWEF61MhKm/client/linux)) into the `bin/` directory in your Hubot tree.
3. Create an [admin token](https://docs.strongdm.com/admin/principals/admin-tokens) in the Admin UI with the following permissions:
   * datasource:grant
   * datasource:list
   * user:assign
   * user:list
4. Add two environment variables to your Hubot:

   ```bash
   heroku config:set SDM_HOME=/app
   heroku config:set SDM_ADMIN_TOKEN=<admin token here>
   ```
5. Add an SDM script to `scripts/`. Here is a barebones example that will grant access to datasources for one hour.

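   ```coffeescript
   # spawn runs the sdm binary with an argument array (no shell is involved)
   {spawn} = require 'child_process'

   module.exports = (robot) ->
     # Match messages such as "Grant me access to <datasource>"
     robot.hear /access to (.*)/i, (res) ->
       target = res.match[1]
       email = res.envelope.user.email_address
       res.reply "Granting #{email} access to '#{target}' for 1 hour"
       # Grant the requester temporary access for one hour
       spawn('sdm', ['admin','users','grant-temporary','-d','1h',target,email])
   ```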
6. Deploy the changes with `git push heroku master`.
7. Test by telling the bot `Grant me access to datasource`. It should respond with `Granting <email> access to 'datasource' for 1 hour`.

### Enhancements

There are a number of ways to improve your Hubot's StrongDM integration. Here are a few examples:

1. Ensure the requested datasource or server actually exists by having the bot run `sdm admin datasources list -j`, which outputs a JSON-formatted list of datasources, and `sdm admin servers list -j` for SSH/RDP.
2. Add additional sanitization and error checking.
3. Ensure (through your own systems) that the requester is authorized to perform temporary grants of this nature.
