Access Management

[TBD]

Outcome

• A flow for requesting permissions is defined and available to everyone in the organization
• Each tool has a clear owner that can approve or deny access requests
• A review/approval process is in place, with the owners of the tool being requested to approve
• A playbook/guide is created on how to review and accept (or not) the access request
• There's a clear definition of the tools and roles per tool that can be requested and for what
• Granting access to a tool is automated when possible
• Privileged access requests are reviewed by a security team
• A periodic access request review to the tools is in place to ensure permissions are up to date.

Metrics

• Users with more accesses
• Users with more privileged accesses
• Users with more access requests denied
• Tools with more access requests requested
• Tools with more privileged access requests requested
• Percentage of automated flows for permission granting

Tools & Resources

• Access - Tool for access requests & management (Free)
• RepoKid - Tool to help maintain least privilege permissions in AWS (Free)
• Opan - Tool for access requests & management (Paid)

Further Reading

• Airbnb’s Approach to Access Management at Scale
• Access: A New Portal For Managing Internal Authorization
• Access approvals considered harmful