Access Requests (AR)
Access Requests are owned by the IT team, while onboarding, offboarding and internal transition requests are owned by the People Experience Team.
If you have any access requests related questions, please reach out to #it_help or the tool provisioner in Slack.
Need help?
- Please @ mention @brmbl-io/business-technology/team-member-enablement in the issue, with no particular SLA.
- If your request is urgent, @ mention it-help in the #it_help channel in Slack with a note on why it is urgent.
How do I choose which template to use?
Individual or Bulk Access Request
You can use this template to request access for an individual or for multiple people, as long as all the people are requesting access to the same systems. Create multiple issues using this same template if multiple people require access to different systems. When access is being requested for multiple people who report to different managers but are part of the same department or division, approval can be obtained from the manager at the highest level; that is, the Director, Vice President, or Executive of the department or division.
Instructions:
- Title the issue “Full Name, System(s), Role” using the details of the person requesting access. If bulk access is being requested, title it “Bulk Access, System(s), Role”.
Step 1. Personal Information
- Personal Information: Please provide a list of people who are requesting access. Include the relevant information.
- SSH Keys: Add the public SSH key only if it is needed for the type of access being requested. Never paste a private key into the issue.
Step 2. Access Request
- Remove or add lines for the systems you need access to. Make sure to follow the format from the template (also included below). Be as specific as possible with the access you are requesting by adding the role, vault, group, channel or project you are requesting access to.
- If administrative access is being granted, add the label admin-access. Request the least amount of access you need as per the least privilege review and explain why you need access in the rationale section.
- If the request involves access to systems owned by the Infrastructure team (according to the tech stack), mention @brmbl-io/infra/managers and ask them to approve by adding the ~InfrastructureApproved label.
- [ ] System name: Which vault, which group, which channel, which project, which role?
- Justification for this access: Please explain why this access is needed.
Step 3: Assign to Manager for approval
- If you are a manager requesting access for one of your reports, please skip to step 4.
- Assign the issue to your manager. When access is being requested for multiple people who report to different managers but are part of the same department or division, approval can be obtained by the manager at the highest level; that is, the Director, Vice President, or Executive of the department or division.
Step 4: Managers to do
- If you are the manager of this person, add the labels AR-Approval::Manager Approved and ReadyForProvisioning to the issue; if you are the one asking for access, assign the issue to your manager for approval and they must add the labels AR-Approval::Manager Approved and ReadyForProvisioning.
- After approval, YOU MUST assign the issue to the system provisioner listed in the tech stack.
Step 5: Provisioners to do
- Before provisioning, consider that team members should only be granted the minimum necessary access to perform their function. Determine whether the access level is necessary or if a lower access level would be sufficient.
- If the access level is adequate proceed with provisioning the account after verifying the AR-Approval::Manager Approved label is present.
- Under step 2, please check off the system you provisioned.
- If administrative access is being granted, add the label admin-access to this request so Security Operations knows who has admin access.
- Inform the user that 2FA is required and that they will be locked out if it is not set up immediately.
Shared Account Access Request
Instructions:
Prior to submitting this Issue Request
- Please review our Access Control Policy and Procedures to ensure that your request is in line with Bramble’s policies and procedures. If after review you feel that a shared account is still needed, submit the issue using the template. Note that shared accounts are not allowed on systems that hold PCI data.
- Please note that shared account requests must be reviewed and approved by the Security Officer. An Exception Request must be logged for each user you are requesting to be added. The maximum exception length is 90 days (365 days for device exceptions only). After the exception length, you will be required to submit another Exception Request for review and approval. If the exception request is not logged, reviewed, and approved for an extension, the shared account will be disabled. Please refer to our Information Security Policy Exception handbook page for more information.
Instructions on how to submit this issue request
- Title the issue “Shared Account Request, Role, System(s)” using your information.
- Fill out the User Details section and remove or add lines as needed.
- Add lines for the system(s) you need access to so that only the ones you want are left in the issue. Do not check them off.
- Request the least amount of access you need as per the least privilege review and explain why you need access in the rationale section and name the role you are requesting. Be specific.
- If you are the manager of this person, add the labels AR-Approval::Manager Approved and ReadyForProvisioning to the issue; if you are the one asking for access, assign the issue to your manager for approval and they must add the labels AR-Approval::Manager Approved and ReadyForProvisioning.
- After approval, YOU MUST assign the issue to the system provisioner listed in the tech stack.
- Close the issue when it’s complete.
Instructions and Guidance for IT for Shared Accounts
- Review the Shared Account Access Request and ensure that there is an Exception Request for each user that is being added to the shared account. Review the Exception Request and document in the Access Request issue the Exception Length. Ensure that the Exception Request has been reviewed and approved by Security prior to adding your approval or setting up the shared account.
- All shared accounts must be managed via GSuite. If 1Password must be used instead (Okta not technically possible), this needs to be outlined in the Access Request.
- If the shared account will be managed in GSuite: set a review/reminder date in GSuite to review shared account access based on the exception timeline, and close the issue.
  - When notification is received from GSuite that the exception timeline is nearing expiration, log a new Shared Account Access Request and assign it to the Shared Account Owner to complete.
- If the shared account will be managed in 1Password: add a due date based on the exception timeline and leave the issue open.
  - When notification is received from brmbl.io that the exception timeline is nearing expiration, close the existing issue, log a new Shared Account Access Request and assign it to the Shared Account Owner to complete.
Access Change Request
Access Change Requests are logged when a team member no longer requires access to a currently provisioned system or no longer requires the same level of access (for example, downgraded from admin to user).
It is important to note that GSuite may not be a complete or accurate reflection of access provisioning and deprovisioning. Some applications may not be accessible via GSuite SSO, but users may still have the ability to access those systems directly with a local account, so removing the SSO assignment alone does not revoke their access.
What this means is:
- A Bramble Team member gets transferred to a different role.
- The team member’s profile in Gusto is changed.
- A profile change is also made in the team member’s GSuite profile accordingly.
- This, in turn, results in the team member getting assigned to new applications based on their new department and role.
- Simultaneously all old applications that are not relevant to their new role should get revoked/unassigned.
While some application automation may take place, “true” system provisioning and deprovisioning will still need to be manually completed within the impacted systems via an Access Change Request.
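The gap described above, an SSO assignment that is removed while an application-local account or elevated role survives, is the kind of thing a provisioner should check for during an Access Change Request rather than trust the IdP view. The following is an added illustration, not code from the handbook or from Bramble's tooling: it reconciles a constructed snapshot of SSO assignments against constructed per-application user lists and the labels on constructed access request issues, and flags accounts that exist only directly in the app, roles that differ between the IdP and the app, admin roles with no approved admin-access request, and SSO assignments for accounts that no longer exist. All application names, user names and the data structures are assumptions made for the example.

```python
"""Reconcile SSO assignments against application user lists (added example).

All data below is constructed for illustration. In practice the three inputs
would come from the IdP's assignment export, each application's admin API and
the access request tracker; the shapes used here are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    user: str
    kind: str    # direct_only | role_mismatch | admin_without_ar | stale_sso
    detail: str


# Constructed: per-app assignments as the IdP (GSuite SSO) currently sees them.
SSO_ASSIGNMENTS = {
    "gitlab": {"laura.croft": "user", "sam.fisher": "admin"},
    "datadog": {"laura.croft": "user"},
}

# Constructed: what each application's own user listing reports.
# pagerduty is not behind SSO at all, so it never appears in SSO_ASSIGNMENTS.
APP_USERS = {
    "gitlab": {"laura.croft": "admin", "sam.fisher": "admin"},
    "datadog": {"laura.croft": "user", "old.contractor": "admin"},
    "pagerduty": {"laura.croft": "user"},
}

# Constructed: labels on approved access request issues, keyed by (app, user).
ACCESS_REQUESTS = {
    ("gitlab", "sam.fisher"): {"AR-Approval::Manager Approved", "admin-access"},
    ("gitlab", "laura.croft"): {"AR-Approval::Manager Approved"},
}


def reconcile(sso, apps, access_requests):
    """Return findings where the IdP view and the application view disagree,
    or where an admin role is not backed by an approved admin-access request."""
    findings = []
    # Walk the application side: this is where surviving access hides.
    for app, users in apps.items():
        assigned = sso.get(app, {})
        for user, role in users.items():
            if user not in assigned:
                findings.append(Finding(app, user, "direct_only",
                                        f"app role {role!r} but no SSO assignment"))
            elif assigned[user] != role:
                findings.append(Finding(app, user, "role_mismatch",
                                        f"SSO says {assigned[user]!r}, app says {role!r}"))
            labels = access_requests.get((app, user), set())
            if role == "admin" and "admin-access" not in labels:
                findings.append(Finding(app, user, "admin_without_ar",
                                        "admin role with no approved admin-access AR"))
    # Walk the IdP side: assignments pointing at accounts the app no longer has.
    for app, assigned in sso.items():
        for user in assigned:
            if user not in apps.get(app, {}):
                findings.append(Finding(app, user, "stale_sso",
                                        "SSO assignment but no account in app"))
    return sorted(findings, key=lambda f: (f.app, f.user, f.kind))


def kinds_for(findings, app, user):
    """Convenience view: the set of finding kinds raised for one (app, user)."""
    return {f.kind for f in findings if f.app == app and f.user == user}


if __name__ == "__main__":
    for f in reconcile(SSO_ASSIGNMENTS, APP_USERS, ACCESS_REQUESTS):
        print(f"{f.app:10} {f.user:16} {f.kind:17} {f.detail}")
```

Each `direct_only` and `admin_without_ar` finding is a candidate for an Access Change Request against the application itself, since no change in GSuite will touch it; a `role_mismatch` usually means a local role was raised after the SSO assignment was made and should be checked against the original AR.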
Slack, Google Groups, 1Password Vaults or Groups Access Requests
- Title the issue “Full Name - System - Role” (for example: Laura Croft - Google Group - adventurer).
- Remove or add rows for the access you need.
- Assign to your manager for approval (they must apply the labels AR-Approval::Manager Approved and ReadyForProvisioning) if this request is for:
  - access to a 1Password vault or group
  - admin access
  - access to a Slack group for a non-internal person, including shared Slack channels
- Please note that if a non-internal person has been removed from a Slack channel and is requesting access again, they will need a new access request and manager approval.
- Close the issue when it’s complete.
Working on Access Requests
Department Access Request Boards
- If you need additional labels or have suggestions for improving the process until we can fully automate, please open an issue.
- ARs are auto-assigned and auto-labeled by department when possible. In some cases there are multiple provisioners per tool. If a template cannot be auto-assigned, Business Technology will provide a board where the provisioners can review their department’s issues by label (for example dept::to do). It is up to the department to manage the workflow on who works the issues to completion.
- Moving an issue from one column to another will remove the first label (per the column header) and add the second label. Please use caution when moving issues between columns.
- Departments can check their outstanding access request issues by viewing their board below.
Adding Access Request Process for a new item in the Tech Stack
If you need to initiate an Access Request process for a new item in the tech stack:
- Confirm the tool is added to the tech stack
- Confirm a team member is listed as both the provisioner and the deprovisioner
- Document the requirement to submit an Access Request in any relevant handbook pages