How to Automate On-Call Access Management with Opal and PagerDuty

Managing engineering permissions for on-call rotations is really hard

After speaking with many developer operations teams, we have learned that most companies struggle with on-call access management. Companies need to make the difficult trade-offs between security and agility.

Indexing on agility increases security risk

Not having the required permissions to triage urgent issues has forced many companies to provision engineers permanent admin access to production systems – often through birthright access. This significantly increases the risk of compromised engineers because they have privileged access all of the time – even when they don’t need it.

Indexing on security increases operational burden

On the other end of the spectrum, companies can choose to revoke all access to production systems.  Anyone who requires access must make a request, which will be manually triaged. Although this practice guarantees a much stronger security posture, it also greatly increases the operational overhead and can severely impact response times if there are any errors.

Opal and PagerDuty have partnered together to automate on-call access management

Opal and PagerDuty have partnered together to build a new approach. Revisiting the principles of least privilege – granting the right level of access to the right people for the right amount of time – Opal and PagerDuty have re-defined on-call access management to enable customers to adopt both security and agility.

In this blog post, we will break down “granting the right level of access to the right people for the right amount of time” in the old and new way.

Granting the right level of access

The Old Way

Engineers have full admin access (eksadmin or administratoraccess) as a result of being part of multiple Okta groups

The New Way

Using Opal native integrations, admins can bundle fine-grained resources into an Opal on-call group.

To the right people

The Old Way

Teams of engineers have access to production systems based on static job functions

The New Way

By integrating with specific PagerDuty schedules, Opal can grant privileged access based on dynamic needs, such as whether an engineer is on-call or not

For the Right Amount of Time

The Old Way

Engineers have permanent production access even if they do not need it

The New Way

Opal’s PagerDuty integration will grant privileged access to engineers when they are on-call and revoke it when they are off-call

About Opal

Opal is the unified identity platform for modern enterprises. Opal aggregates identity and access data to provide visibility and defense-in-depth infrastructure for mission-critical systems. Enterprises can discover anomalous identity risks with the product and remediate them in minutes. The world's best companies trust Opal to govern and adapt sensitive access.

Want to see it yourself? Contact sales@opal.dev or book a meeting here for a personalized demo.

About PagerDuty:

PagerDuty is the leading SaaS incident response platform. To learn more about the integration, PagerDuty and Opal have created documentation on the integration.