
Intro: ChatOps




© 2026 Sonrai Security. All rights reserved.

Overview

Before ChatOps integration, receiving notifications and managing Permissions on Demand (POD) requests often involved multiple tools. First, approvers received an email notification when a Permissions on Demand request was triggered. Then they used the Requests page in Cloud Permissions Firewall to view and act on POD requests.

ChatOps integration streamlines this process, allowing you to receive notifications and react immediately to Permissions on Demand (POD) requests from a single tool, using either Slack or Teams. ChatOps also makes proactive requests for just-in-time (JIT) access as easy as sending a chat message!

Configuring ChatOps doesn't prevent you from receiving email notifications or managing requests in the Sonrai Cloud Permissions Firewall app. Choose the method that works best for your team, whether that involves one method of communication or a combination of options!

ChatOps integration

Configure your Slack integration

[Image: Slack ChatOps message example showing a JIT access request notification within the Sonrai Slack integration]

Learn more about Slack workflows

Configure your Teams integration

[Image: Microsoft Teams ChatOps message example showing a Permissions on Demand access request notification within the Sonrai Teams integration]

Learn more about Teams workflows



ChatOps Addendum

A ChatOps Addendum is a customizable message automatically appended to supported ChatOps notifications. Configure this feature to give your users helpful context — such as which team to contact, an escalation email address, or guidance on why they are encountering a particular control.

When an addendum is configured, supported chat messages display a "Why Am I Seeing This?" prompt. Recipients can click it to view the full addendum message.

[Image: Sample ChatOps notification showing the "Why Am I Seeing This?" prompt]

The addendum is included in most ChatOps notifications, with the following exceptions:

  • Drift Notification
  • Clawback Notification
  • Shared Channel Notify
  • Registration Success

Configure a ChatOps Addendum

  1. Open Settings and navigate to the Chat Ops tab.
  2. Enter your message in the ChatOps Addendum field. The field enforces a maximum of 1,200 characters.

     [Image: ChatOps Addendum field in the Chat Ops settings tab]

  3. Click to save your changes.

Message Formatting

The addendum field supports the following types of formatting:

  • Hyperlinks: Plain URLs and email addresses are automatically rendered as clickable links.
  • Markdown: Standard Markdown support (headings, bold, italic, strikethrough, and links).
  • Mrkdwn: Slack's proprietary format for message blocks and text formatting.
  • Mentions: User and channel mentions.

Refer to the Slack or Teams documentation to learn more about formatting message text.

tip

To find a Slack user or channel ID, use Slack's developer tools or the Slack API.

important

For security, the following links are sanitized from addendum content:

  • Links using schemes other than http, https, or mailto
  • Masked links that appear to point to one URL but redirect to another (e.g., a link labelled https://example.com that actually leads to a different site).
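As an added illustration of the two sanitization rules above (this is example code, not Sonrai's implementation), the following Python applies them to Slack mrkdwn and Markdown links in an addendum while leaving user and channel mentions intact; the message text is constructed.

```python
import re
from urllib.parse import urlparse

# Added illustration of the sanitization rule described above; not Sonrai's implementation.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Slack mrkdwn link <target|label>; the lookahead skips mentions such as <@U123> and <#C123|name>.
MRKDWN_LINK = re.compile(r"<(?![@#!])([^<>|]+)\|([^<>]+)>")
# Markdown link [label](target).
MARKDOWN_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
# A label that reads like a URL or domain, e.g. "https://example.com" or "www.example.com".
URL_LIKE = re.compile(r"^(https?://|www\.)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def _same_site(label: str, target: str) -> bool:
    """True when the site named in the label is the site the link actually opens."""
    def norm(u):
        p = urlparse(u if "://" in u else "https://" + u)
        return p.netloc.lower().removeprefix("www."), p.path.rstrip("/")
    return norm(label.strip()) == norm(target.strip())

def link_is_allowed(label: str, target: str) -> bool:
    """Reject disallowed schemes, and labels that look like a URL but name another site."""
    if urlparse(target.strip()).scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if URL_LIKE.match(label.strip()) and not _same_site(label, target):
        return False  # masked link: the label promises one destination, the href goes elsewhere
    return True

def sanitize_addendum(text: str) -> str:
    """Replace each disallowed link with its visible label only (no clickable target)."""
    def keep_or_strip(label: str, target: str, whole: str) -> str:
        return whole if link_is_allowed(label, target) else label
    text = MRKDWN_LINK.sub(lambda m: keep_or_strip(m.group(2), m.group(1), m.group(0)), text)
    text = MARKDOWN_LINK.sub(lambda m: keep_or_strip(m.group(1), m.group(2), m.group(0)), text)
    return text

if __name__ == "__main__":
    # Constructed sample addendum text.
    print(sanitize_addendum("Ask <#C0123|secops> or <javascript:alert(1)|click here> "
                            "[https://example.com](https://evil.example.net/login)"))
```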

Alternate Identity Mapping for ChatOps Notifications

Many organizations use single sign-on (SSO) to simplify access across systems — with development environments, CRM platforms, and collaboration tools like Slack or Microsoft Teams all tied to a single identity. However, some cloud administrators may use a different account to manage their cloud platform, with elevated permissions compared to their standard SSO credentials.

If you log into Slack with your standard work identity, but access AWS with a different identity that provides additional permissions, then Permissions on Demand (POD) requests or just-in-time (JIT) access notifications will not reach you unless the two identities are linked. Identity Mapping resolves this mismatch.

How Identity Mapping Works

Identity Mapping uses a GraphQL query to add and configure a pond_upn_replace_key key, which specifies the field in AWS IAM Identity Center records where alternate ChatOps identities are stored. The alternate identity field should be an existing but unused field in the Identity Store User object (such as "Locale" or "Nickname").

Cloud Permissions Firewall then looks at this field when resolving POD and JIT requests, and ensures that request justifications are sent to the appropriate ChatOps user.

  • If pond_upn_replace_key does not exist or is set to the default value ("0"), then ChatOps notifications are handled as usual.
  • If pond_upn_replace_key specifies a field, then Cloud Permissions Firewall checks that field for SSO users and uses the alternate address stored there to deliver ChatOps notifications.

tip

Learn more about using Sonrai's GraphQL API Library.

Configure Identity Mapping

  1. To enable Identity Mapping, use the Explorer screen or the Sonrai GraphQL API to perform the following update:

mutation setIdentityMapping {
  CreateCPFConfig(
    cpfConfig: {
      key: "pond_upn_replace_key"
      value: "$.user.<fieldname>"
      defaultValue: "0"
    }
  ) {
    success
  }
}

  2. Once enabled, populate the chosen field in AWS with the alternate identities that your admin users will use for ChatOps login. For example, if using the Nickname field, an admin user might look something like this:

[Image: AWS IAM Identity Center user profile showing the Nickname field populated with an alternate ChatOps identity for Identity Mapping configuration]

Once this feature is enabled, Cloud Permissions Firewall will pick up the changes to your AWS user profiles within 24 hours and start routing POD and JIT requests to the specified identities.
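The following Python, added here and not part of Sonrai's product, mirrors the routing rules from "How Identity Mapping Works" and the configuration steps above so you can predict which address each SSO identity's notifications will reach before the sync completes. The identities are constructed, and the fallback to the identity's own name when the alternate field is empty or missing is an assumption rather than documented behaviour.

```python
import re
from typing import Optional

# Added illustration of the routing rules on this page; not Sonrai's implementation.
DEFAULT_REPLACE_KEY = "0"  # "0": mapping off, notifications are handled as usual

def parse_replace_key(value: Optional[str]) -> Optional[list]:
    """Turn "$.user.nickname" (or "user.nickname") into ["user", "nickname"]; None when mapping is off."""
    if value is None or value.strip() == DEFAULT_REPLACE_KEY:
        return None
    m = re.fullmatch(r"(?:\$\.)?(\w+(?:\.\w+)*)", value.strip())
    if not m:
        raise ValueError(f"unsupported pond_upn_replace_key path: {value!r}")
    return m.group(1).split(".")

def lookup(record: dict, path: list):
    """Walk a nested dict along the parsed path; None if any segment is missing."""
    cur = record
    for part in path:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def chatops_recipient(config_value: Optional[str], identity: dict) -> str:
    """Address a POD/JIT notification for one SSO identity should be delivered to.

    `identity` mimics a resource summary: "name" is the cloud-side identity and
    "metadata" holds the Identity Store user record. Assumption (not stated on the
    page): an empty or missing alternate field falls back to the identity's own name.
    """
    path = parse_replace_key(config_value)
    if path is None:
        return identity["name"]
    alt = lookup(identity.get("metadata", {}), path)
    if isinstance(alt, str) and alt.strip():
        return alt.strip()
    return identity["name"]

# Constructed sample SSO identities (not real accounts).
SAMPLE_IDENTITIES = [
    {"name": "alice-admin@example.com", "metadata": {"user": {"nickname": "alice@example.com"}}},
    {"name": "bob@example.com", "metadata": {"user": {"nickname": ""}}},
    {"name": "carol@example.com", "metadata": {"user": {}}},
]

def routing_table(config_value: Optional[str]) -> dict:
    """Map each sample identity to the ChatOps address it would be notified at."""
    return {i["name"]: chatops_recipient(config_value, i) for i in SAMPLE_IDENTITIES}

if __name__ == "__main__":
    for who, to in routing_table("$.user.nickname").items():
        print(f"{who} -> {to}")
```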

info

To disable Identity Mapping and restore default behavior for notifications, do not remove the new fields. Instead, simply set the value of pond_upn_replace_key to zero ("0").

Verify Identity Mapping

Use this GraphQL query to verify that Identity Mapping is enabled:

query listconfigs {
  CPFConfigs(where: { key: { op: EQ, value: "pond_upn_replace_key" } }) {
    count
    items {
      key
      value
      defaultValue
    }
  }
}

Use this GraphQL query to check all identities for alternate mappings:

query checkIdentityMappings {
  ListResourceSummaries(
    where: {
      serviceType: { op: EQ, value: "sso" }
      type: { op: EQ, value: "SAML" }
    }
  ) {
    Identities: totalCount
    items {
      account
      resourceId
      lastUsedDate
      name
      identityMapping: metadata @jsonPath(path: "user.<fieldname>")
    }
  }
}