PagerDuty role automation: what manual access reviews miss


(@nhi-mgmt-group)

TL;DR: Automating PagerDuty role management, user provisioning, offboarding, team assignment, and incident documentation through predefined workflows and API access keys can reduce manual effort while preserving audit trails, according to Zluri. The governance issue is not automation itself but whether identity and access decisions still depend on human-paced review cycles that cannot keep up with lifecycle changes.

NHIMG editorial — based on content published by Zluri: Automation How To Get More Out Of PagerDuty By Integrating With Zluri?

By the numbers:

Questions worth separating out

Q: How should security teams automate PagerDuty access without losing governance control?

A: Security teams should connect PagerDuty changes to authoritative joiner, mover, and leaver events, then constrain the workflow to approved role mappings.

Q: Why does PagerDuty role automation still require IAM oversight?

A: Because automation changes the execution method, not the governance requirement.

Q: What breaks when app provisioning is automated but offboarding is not?

A: Former users can retain active access after they have left, moved teams, or changed responsibilities.

Practitioner guidance

  • Bind PagerDuty access changes to authoritative lifecycle events: Trigger add, move, and remove actions from joiner, mover, and leaver signals in the identity source of truth instead of relying on manual ticket handling.
  • Classify the PagerDuty API key as a privileged NHI credential: Store the integration key in a controlled secret store, limit its scope to the minimum required workflow actions, and review who can rotate or revoke it.
  • Reconcile role assignments against current job function: Run recurring checks to compare PagerDuty entitlements with current department, location, and operational responsibilities so stale roles are removed quickly.

What's in the full article

Zluri's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step PagerDuty workflow configuration for provisioning, offboarding, and role assignment.
  • In-app action examples that show how the automation runs for joiners, movers, and leavers.
  • API access key setup guidance for connecting PagerDuty to the workflow engine.
  • Practical examples of how incident documentation and team assignment are automated in the source article.

👉 Read Zluri's guide to PagerDuty role automation and lifecycle access control →

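The recurring reconciliation check described in the practitioner guidance above, as an added example that is not part of the original post or of Zluri's article. It works on exported data rather than calling any PagerDuty or HR API; the roster, role mapping, e-mail addresses and function names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions for illustration, not from the source).
# Approved role mapping: department -> PagerDuty roles that department may hold.
APPROVED_ROLES = {
    "sre": {"admin", "user"},
    "support": {"user", "observer"},
    "finance": {"observer"},
}
# Identity source of truth: email -> (employment status, current department).
HR_ROSTER = {
    "ana@example.com": ("active", "sre"),
    "ben@example.com": ("active", "finance"),      # mover: transferred out of sre
    "cy@example.com": ("terminated", "support"),   # leaver
}
# Export of current PagerDuty entitlements: (email, role).
PAGERDUTY_USERS = [
    ("ana@example.com", "admin"),
    ("ben@example.com", "admin"),
    ("cy@example.com", "user"),
    ("svc-legacy@example.com", "user"),            # no matching identity record
]

@dataclass(frozen=True)
class Finding:
    email: str
    role: str
    reason: str   # leaver | unapproved_role | orphaned
    action: str   # what the workflow should do next

def reconcile(roster, entitlements, approved):
    """Compare PagerDuty entitlements with the identity source of truth."""
    findings = []
    for email, role in entitlements:
        record = roster.get(email.lower())
        if record is None:
            # Account with no owner in the source of truth: needs a human decision.
            findings.append(Finding(email, role, "orphaned", "review"))
            continue
        status, dept = record
        if status != "active":
            findings.append(Finding(email, role, "leaver", "remove"))
        # Fail closed: a department missing from the mapping has no approved roles.
        elif role not in approved.get(dept, set()):
            findings.append(Finding(email, role, "unapproved_role", "downgrade"))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, PAGERDUTY_USERS, APPROVED_ROLES):
        print(finding)
```

Running the same function on each joiner, mover, or leaver event, rather than only on a schedule, closes the gap between an identity change and the matching entitlement change.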
(@mr-nhi)

Manual access governance breaks when role changes are faster than review cycles. This article is really about the gap between identity change and entitlement change. PagerDuty access is being treated as a lifecycle problem, but the manual version depends on humans noticing role shifts, validating them, and correcting access after the fact. That model fails whenever joiner, mover, and leaver events occur faster than the review process can keep up. The implication is that access governance has to move from clerical verification to event-driven entitlement control.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who should own the API key used for identity workflow automation?

A: Ownership should sit with the team responsible for privileged access and secret lifecycle management, not with whichever administrator first created the integration. The key should have a named owner, a rotation schedule, clear revocation authority, and a documented purpose so it can be treated like any other high-value NHI credential.

👉 Read our full editorial: PagerDuty role automation exposes the IAM gap in manual access



   