PrivMan Webex Approval Bot

Approve or deny Privilege Manager elevation requests directly from Webex

Python Webex SDK AWS Fargate WebSockets Adaptive Cards

Architecture

The bot bridges Delinea Privilege Manager and Cisco Webex using a device websocket -- no public URL or inbound ports required.

Delinea Privilege Manager

Cloud or on-prem instance

↑↓ REST API (poll, approve, deny)

Webex Bot

Python / webexpythonsdk · AWS ECS Fargate

↑↓ Device WebSocket (no public URL needed)

Webex Room

Adaptive Cards with inline actions

Features

Inline Approve/Deny

Everything happens in the Webex card -- no context switching required

Duration Picker

Choose One Time, 15 min, 30 min, 1 hour, and more

Card Replacement

After action, the card is replaced with an "Approved by X" or "Denied by X" result

Proactive Messaging

Bot posts cards automatically when new requests arrive -- polls every 30 seconds

No Public URL

Uses Webex device websocket -- works behind firewalls with no inbound ports

Persistent Room State

Registered rooms survive app restarts via JSON-backed room store

Scheduled Auto-Approve

Automatically approve requests outside business hours with configurable schedules via chat commands

Tech Stack

Python 3.10+ Webex Python SDK WebSockets Adaptive Cards AWS ECS Fargate AWS SSM Parameter Store CloudWatch Docker Requests Boto3

Project Structure

privman-webex-bot/ ├── webex_bot_app/ # Webex bot │ ├── app.py # Entrypoint, event/action handlers, starts poller │ ├── cards.py # Adaptive Card builders │ ├── command_parser.py # Parse autoapprove chat commands │ ├── config.py # Environment variable config │ ├── room_store.py # Persist registered room IDs to JSON │ ├── schedule_store.py # SSM-backed auto-approval schedule │ ├── poller.py # Background polling + proactive card posting │ └── websocket_client.py # Webex device websocket listener ├── privman_client/ # PrivMan API client library │ ├── client.py # PrivManClient (auth, pending, approve, deny) │ ├── models.py # ApprovalRequest dataclass │ └── exceptions.py # Custom exceptions ├── Dockerfile # Container image for ECS Fargate deployment ├── task-definition.json # ECS Fargate task definition ├── requirements.txt # Python dependencies ├── rooms.json # Persisted registered room IDs ├── .env.example # Environment variable template └── .gitignore

Get Started

Create a Webex Bot

Go to developer.webex.com/my-apps, create a new Bot, and save the Bot Access Token.

Configure Environment

Copy .env.example to .env and fill in your Privilege Manager credentials and Webex bot token.

Install and Run

Install dependencies with pip install -r requirements.txt and start the bot with python -m webex_bot_app.app.

Register a Room

Add the bot to a Webex room and @mention it. The bot will register the room and start posting approval cards automatically.

Deploy to AWS (Optional)

Build the Docker image, push to ECR, and deploy on ECS Fargate for 24/7 operation at ~$9/month with CloudWatch logging.