# PagerDuty

Apono enables you to automate and control access during incidents and on-call shifts by dynamically granting permissions based on PagerDuty events and assignments. This ensures that only the right engineers have timely, just-in-time access to critical systems when it’s needed most.

With Apono’s PagerDuty integration, you can enrich access flows and approvals with incident and shift context to streamline access during active responses:

* **Access Per Ticket** – Enrich access flows with ticket- and shift-based context to ensure that every request aligns with an active PagerDuty incident or assignment.
* **Access Justification** – Automatically include justification details from assigned PagerDuty tickets for auditability and compliance.
* **Delegated Approvals** – Allow on-call developers to approve access for teammates, such as DBAs or other engineers, who are assisting in resolving an incident.
* **Automatic On-Call Access** – Enable shift members to gain automatically approved, time-limited access to production systems to fix issues quickly and safely.

For example, when an on-call engineer acknowledges an incident in PagerDuty, Apono can [automatically verify the acknowledgment and grant temporary access to production resources](#usage). This workflow ensures that only authorized responders actively engaged in resolving an incident can access critical systems, maintaining both speed and security.

***

### Integrate PagerDuty

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-005293e3c88527c000e2a50eda42aaddc2a7d347%2Fimage%20(4).png?alt=media" alt="" width="563"><figcaption><p>PagerDuty tile and PagerDuty connection screen</p></figcaption></figure>

Follow these steps to complete the integration:

1. On the [**Catalog**](https://app.apono.io/catalog?search=pagerduty) tab, click **PagerDuty**. The **Add Integration** page appears.
2. Click **Connect**. The PagerDuty connection screen appears.
3. Sign in to your PagerDuty account to authorize Apono:
   1. Enter your PagerDuty account **Email** address.
   2. Click **Next**. The **Password** field appears.
   3. Enter your PagerDuty account **Password**.
   4. Click **Sign In**.

***

### Usage

Now that the integration is complete, you can create an incident-based access flow to streamline granting access while maintaining security. With this solution, after an on-call engineer acknowledges a PagerDuty incident, the same engineer can request resource access.

The workflow follows these steps:

1. The on-call engineer acknowledges a PagerDuty incident.
2. The same engineer requests resource access through Apono (web portal, Slack, CLI, or Teams).
3. A custom webhook in the access flow verifies the PagerDuty acknowledgment.
4. Once verified, Apono grants access to the required resources.
5. Access automatically expires after a set time or can be manually revoked.

This solution helps you ensure that only the right people get access when it’s needed and improves response times while maintaining compliance. It includes two key components:

* [Webhook](#configure-a-webhook) that verifies incident acknowledgment
* [Access flow](#create-a-self-serve-access-flow) that manages resource permissions

{% hint style="warning" %}
You **must** have Apono [permissions](https://docs.apono.io/docs/user-administration/role-based-access-control-rbac-reference#permissions) to configure webhooks and access flows:

* **Manage Webhooks**: Admin, Power User, or Deployment
* **Manage Access Flows**: Admin or Deployment
{% endhint %}

#### Configure a webhook

This webhook verifies that the grantee is the on-call engineer who acknowledged the PagerDuty incident.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdAglsL_MqVgMGei0zzaOYXkSLstx2sdTmivUTQLDvI-_gq69rNQA8pB2GvFEdVowDbKgDBnv4V5YrUmmgFpHjdl9s5ZZ9KxaKS63WSXu0MhtU47Asv2lrFXu7FDRmsRwoc_xnNiA?key=iQONkyvZ1k2xSnFgCxCcIbwi" alt="" width="563"><figcaption><p>Add Webhook page</p></figcaption></figure>

Follow these steps to configure an Apono webhook:

1. On the [**Webhooks**](https://app.apono.io/webhooks) tab, click **Add Webhook**. The **Add Webhook** page appears.
2. Click **Manual**.
3. Enter a unique, alphanumeric, user-friendly **Manual Webhook Name** for identifying this webhook.
4. Click the **Status** toggle to **Active**.
5. From the **Type** dropdown menu, select **Integration Action**.
6. From the **Integration** dropdown menu, select your PagerDuty integration.
7. From the **Actions** dropdown menu, select **list\_pagerduty\_incidents**.
8. In the **Body Template** field, enter the following JSON payload.

```json
{
  "user_email": "{{data.requester.email}}",
  "status": "acknowledged"
}
```

9. Add a response validation:
   1. In the **Response Validators** section, click **+ Add**.
   2. In the **Json Path** field, enter *$.incidents\[0].status*.
   3. In the **Expected Values** field, type *acknowledged* and press Enter.
10. Click **Save Webhook**.

The new webhook appears in the **Webhooks** table. Active webhooks are marked with a green dot. Inactive webhooks are marked with a white dot.
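To check which responses the validator from step 9 accepts, the following added example (not Apono's code) models the body template and the `$.incidents[0].status` check locally. The requester email and response bodies are constructed, the top-level `incidents` list is inferred from the JSON path, and treating an unresolved path as a failed validation is an assumption of this sketch.

```python
import json
import re

# Body template and validator values copied from the steps above.
BODY_TEMPLATE = '{"user_email": "{{data.requester.email}}", "status": "acknowledged"}'
JSON_PATH = "$.incidents[0].status"
EXPECTED_VALUES = ["acknowledged"]

# Constructed sample responses; only the fields the validator reads are modelled.
SAMPLES = {
    "acknowledged": {"incidents": [{"id": "EXAMPLE1", "status": "acknowledged"}]},
    "no_match": {"incidents": []},
    "first_not_acked": {"incidents": [{"id": "EXAMPLE2", "status": "triggered"},
                                      {"id": "EXAMPLE3", "status": "acknowledged"}]},
    "error_body": {"error": "constructed error"},
}

def render_body(template, context):
    """Fill {{dotted.path}} placeholders with JSON-escaped values from context."""
    def lookup(match):
        value = context
        for key in match.group(1).split("."):
            value = value[key]
        return json.dumps(str(value))[1:-1]  # escape quotes, drop the outer quotes
    return json.loads(re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lookup, template))

def resolve(path, document):
    """Resolve the JSONPath subset used here: .key and [index] steps after $."""
    node = document
    for key, index in re.findall(r"\.(\w+)|\[(\d+)\]", path[1:]):
        try:
            node = node[key] if key else node[int(index)]
        except (KeyError, IndexError, TypeError):
            return None  # path does not resolve (empty list, error body, ...)
    return node

def validate(response, path=JSON_PATH, expected=EXPECTED_VALUES):
    """Pass only when the path resolves to an expected value (fail closed)."""
    return resolve(path, response) in expected

if __name__ == "__main__":
    ctx = {"data": {"requester": {"email": "oncall@example.com"}}}
    print(render_body(BODY_TEMPLATE, ctx))
    for name, body in SAMPLES.items():
        print(name, validate(body))
```

Only the `acknowledged` sample passes: an empty `incidents` list, an error body, and a response whose first element is not acknowledged all fail because the validator reads index 0 only.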

#### Create a Self Serve access flow

This access flow controls how on-call engineers request and receive temporary access during a PagerDuty incident. It uses the webhook you created to ensure access is granted only to engineers who have acknowledged the incident.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXefEheT-0hBJvewFKkjt3XbphuWEd322Fx3Sfo12PSEdT1LWXJHiaNJw6686pB6GGDFAqwVob-RiG5P3EzOu3KOoLV1jkF1SvJAHSEMo5SuLA61mkCxcmjKj1ot6cepSqOHITvN?key=iQONkyvZ1k2xSnFgCxCcIbwi" alt="" width="563"><figcaption><p>Create Access Flow page</p></figcaption></figure>

Follow these steps to create the Apono Self Serve access flow for PagerDuty:

1. On the **Access Flows** tab, [define who can request resources](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows#define-permitted-requestors) through a Self Serve access flow.

{% hint style="info" %}
In steps **7-9** of [Define permitted requestors](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows#define-permitted-requestors), select your PagerDuty group.
{% endhint %}

2. [Define the resource](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows#define-the-resource) to grant access to.
3. Set the access duration and approval process.

{% hint style="info" %}
In steps **3-5** of [Set up custom approval](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows#set-up-custom-approval), select **Custom Approval** and the PagerDuty webhook you created in [Configure a webhook](#configure-a-webhook).
{% endhint %}
