Nailing the Security Audit with RRCU

ConductorOne docs

Get started with on-call access control

Follow this guide to get started automating access controls for on-call rotations.

Before you begin

To complete this guide, you’ll need:

  • ConductorOne Super Administrator role
  • A PagerDuty, OpsGenie, or other on-call-enabled application

Estimated time: 15 minutes

Step 1: Integrate your on-call platform

Start by following the docs to integrate your on-call platform with ConductorOne:

Don’t see your on-call platform? Don’t stress. We’ll build a connector for it. Get in touch and tell us what you need.

Once connected, ConductorOne ingests the users and roles within the platform, and surfaces on-call rotations as resources.

Step 2: Create your on-call access profile

The on-call access profiles should include any apps, roles, permissions, or resources that are requestable by, or automatically granted to, a user who is on-call.

  1. Navigate to Access profiles and click New profile.

  2. Give the acces profile a name, such as “On-call”.

  3. Click Continue.

    Now we’ll add the entitlements that are either available for the user to request or automatically granted to the user.

  4. Click Manage entitlements.

  5. Use filters and the search field to locate the apps and entitlements that should be granted to the user, or available for them to request, when they are on-call.

  6. Click Save.

Step 3: Grant the access

You have two options here:

  • Make the entitlements in the access profiles requestable by users who are on-call
  • Automatically grant the entitlements in the access profiles to users who are on-call

If self-service requestable when on-call:

  1. Click Edit on the Self-service section of the page.

  2. Enable Allow self-service.

  3. Under Requestable by, select Specific groups.

  4. Select the on-call rotation or rotations that this access profile will be requestable by.

  5. Click Save.

If automatically granted when on-call:

  1. Click the Enrollment tab.

  2. Click Edit on the Access requests section of the page.

  3. Use the Request policy dropdown to select Auto approve.

  4. Click Save.

  5. Click Edit on the Auto-enrollment rule section of the page.

  6. Select the on-call rotation or rotations that this access profiles will be automatically assigned to.

  7. Click Save.

Important: Automated enrollment with auto-granted access will automatically grant and provision all the entitlements in the access profiles to users who meet the criteria.

Success!

Now whenever a user is on-call, they will either automatically have access to request the on-call access profiles entitlements or have those entitlements automatically provisioned, depending on the configuration you set up.