# Access and Permissions

This document defines the least-privilege access model for CBDDC environments.

## Roles

| Role | Typical Permissions | Approval Required |
|------|---------------------|-------------------|
| Runtime Operator | Read health/logs, restart service, run incident checks | Team lead or on-call manager |
| Deployment Engineer | Deploy approved releases, update runtime configuration | Change approval for production |
| Security Administrator | Manage secrets, rotate tokens, review access | Security approval |
| Maintainer | Modify CBDDC source/docs, merge reviewed changes | Pull request review |

## Least-Privilege Rules

- Grant access by role, not by individual preference.
- Use environment-specific credentials and scoped service accounts.
- Do not share production credentials across environments.
- Remove elevated access promptly once the incident or change window closes.

## Approval Flow

1. Request access with the role, environment, and business reason.
2. The approver validates that the requested scope is least-privilege for that role.
3. Access is granted with an expiration date where applicable.
4. Grant and revoke events are logged for auditability.

## Periodic Access Review

- Review active privileged access at least quarterly.
- Remove dormant or unowned accounts immediately.
- Validate that emergency access accounts are controlled and monitored.

## Secret Handling

- Store `AuthToken`, connection strings, and credentials in approved secret stores.
- Never commit secrets to source control.
- Rotate secrets after incidents and on a scheduled cadence.

## Related Documents

- [Security](security.md)
- [Runbook](runbook.md)
- [Production Hardening](production-hardening.md)
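The Roles table, the Approval Flow and the Periodic Access Review describe one mechanism: a grant is tied to a role, checked against that role's permission set by an entitled approver, given an expiry, and recorded so that a later review can find grants that lapsed or went dormant. The following is an added example modelling that mechanism; it is not CBDDC project code. The approver-role labels (`team-lead`, `change-approver`, `security-approver`, `pr-reviewer`), the permission identifiers, the environment names and the in-memory ledger are assumptions made for the illustration.

```python
"""Role-scoped, time-bound access grants with an audit trail.

Added illustration, not part of the CBDDC project's own code. It models the
Roles table and the four-step approval flow from this document; approver-role
labels, permission identifiers and the in-memory ledger are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Permissions each role may hold, derived from the Roles table (identifiers assumed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "runtime-operator": {"read-health", "read-logs", "restart-service", "run-incident-checks"},
    "deployment-engineer": {"deploy-release", "update-runtime-config"},
    "security-administrator": {"manage-secrets", "rotate-tokens", "review-access"},
    "maintainer": {"modify-source", "merge-reviewed-changes"},
}

# Who may approve each role (assumed labels for the "Approval Required" column).
ROLE_APPROVERS: Dict[str, Set[str]] = {
    "runtime-operator": {"team-lead", "on-call-manager"},
    "deployment-engineer": {"change-approver"},
    "security-administrator": {"security-approver"},
    "maintainer": {"pr-reviewer"},
}


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper for demos and tests)."""
    return datetime.fromisoformat(iso)


@dataclass
class Grant:
    user: str
    role: str
    environment: str
    permissions: Set[str]
    reason: str
    approver: str
    granted_at: datetime
    expires_at: Optional[datetime]
    revoked_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        """A grant is usable until it is revoked or its expiry passes."""
        if self.revoked_at is not None:
            return False
        return self.expires_at is None or now < self.expires_at


class AccessLedger:
    """In-memory record of grants plus an append-only audit log."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.audit_log: List[dict] = []

    def request(self, user: str, role: str, environment: str, permissions: Set[str],
                reason: str, approver: str, approver_role: str, now: datetime,
                ttl: Optional[timedelta] = None) -> Grant:
        # Step 1: the request must carry a known role, an environment and a business reason.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if not environment or not reason.strip():
            raise ValueError("environment and business reason are required")
        # Step 2: the approver must be entitled to approve this role, and the
        # requested permissions must stay inside the role's least-privilege scope.
        if approver_role not in ROLE_APPROVERS[role]:
            raise PermissionError(f"{approver_role} cannot approve role {role}")
        excess = set(permissions) - ROLE_PERMISSIONS[role]
        if excess:
            raise PermissionError(f"permissions outside role {role}: {sorted(excess)}")
        # Step 3: grant, with an expiration date when a TTL is given.
        grant = Grant(user, role, environment, set(permissions), reason, approver,
                      now, now + ttl if ttl else None)
        self.grants.append(grant)
        # Step 4: log the grant event for auditability.
        self._log("grant", grant, now)
        return grant

    def revoke(self, grant: Grant, now: datetime, reason: str) -> None:
        grant.revoked_at = now
        self._log("revoke", grant, now, reason=reason)

    def record_use(self, grant: Grant, now: datetime) -> None:
        """Track last use so the periodic review can spot dormant grants."""
        if not grant.is_active(now):
            raise PermissionError("grant is not active")
        grant.last_used_at = now

    def _log(self, event: str, grant: Grant, now: datetime, **extra) -> None:
        self.audit_log.append({"event": event, "at": now.isoformat(), "user": grant.user,
                               "role": grant.role, "environment": grant.environment,
                               "approver": grant.approver, **extra})

    def review(self, now: datetime, dormant_after: timedelta) -> Dict[str, List[Grant]]:
        """Periodic access review: grants that expired without an explicit revoke,
        and active grants not used for longer than `dormant_after`."""
        lapsed = [g for g in self.grants
                  if g.revoked_at is None and g.expires_at is not None and now >= g.expires_at]
        dormant = [g for g in self.grants if g.is_active(now)
                   and (g.last_used_at or g.granted_at) + dormant_after <= now]
        return {"lapsed": lapsed, "dormant": dormant}
```

A request for `manage-secrets` under the `runtime-operator` role is rejected at step 2 even when the approver is valid, because scope is checked against the role, not the requester. Running `review()` with a 90-day `dormant_after` at the end of each quarter yields the two lists the review section asks for: expired grants nobody revoked, and open-ended grants that have not been exercised.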