Skip to main content

Just-in-Time Access Request Plugins

Teleport Just-in-Time Access Requests allow users to receive temporary elevated privileges by seeking consent from one or more reviewers, depending on your configuration.

With Teleport's Access Request plugins, users can manage Access Requests from within your organization's existing messaging and project management solutions.

Access Request plugins are self-contained programs that connect to the Teleport Auth Service's gRPC API to listen for audit events relating to new or updated Access Requests. After processing an Access Request event, Access Request plugins interact with a third-party API (e.g., the Slack or PagerDuty APIs).

Enrolling Access Request plugins in Teleport Cloud

In Teleport Enterprise Cloud, Teleport manages Access Request plugins for you, and you can enroll Access Request plugins from the Teleport Web UI.

Visit the Teleport Web UI and click Access Management on the menu bar at the top of the screen.

On the left sidebar, click Enroll New Integration to visit the "Enroll New Integration" page:

Enroll an Access Request plugin

On the "Select Integration Type" menu, click the tile for your integration. You will see a page with instructions to set up the integration, as well as a form that you can use to configure the integration.

The following Access Request plugins are hosted on Teleport Cloud:

  • Discord
  • Jira
  • Mattermost
  • Opsgenie
  • PagerDuty
  • ServiceNow
  • Slack

Self-hosting Access Request plugins

You can host Teleport Access Request plugins yourself. Self-hosted Access Request plugins are the only way to manage Access Requests through a third-party communication platform if you are self-hosting Teleport. If you use Teleport Team or Teleport Enterprise Cloud, you can run self-hosted Access Request plugins for more control over configuration and architecture.

Access Request plugins can run within private networks that are isolated from the Teleport Auth Service. To access the Auth Service API, they connect to the Proxy Service, which establishes a reverse tunnel for the plugin to access the Auth Service.

You can run multiple instances of an Access Request plugin for high availability by deploying each instance in a separate availability zone. There is no need for additional configuration or load balancing, as plugins avoid creating duplicate requests to their third-party APIs.

Learn how to deploy and configure a plugin for your organization's communication workflows by reading our setup guides:

IntegrationTypeSetup Instructions
SlackMessagingSet up Slack
MattermostMessagingSet up Mattermost
Microsoft TeamsMessagingSet up Microsoft Teams
JiraProject BoardSet up Jira
PagerDutyScheduleSet up PagerDuty
EmailMessagingSet up email
DiscordMessagingSet up Discord
OpsGenieIncident ManagementSet up OpsGenie
ServiceNowWorkflowSet up ServiceNow

To read more about the architecture of an Access Request plugin, and start writing your own, read our Access Request plugin development guide.