All checks were successful
CI / verify (push) Successful in 2m33s
Add canonical operations/security/access/feature docs and fix path integrity to improve onboarding and incident readiness.
45 lines
1.6 KiB
Markdown
# Access and Permissions
This document defines the least-privilege access model for CBDDC environments.
## Roles
| Role | Typical Permissions | Approval Required |
|------|---------------------|-------------------|
| Runtime Operator | Read health/logs, restart service, run incident checks | Team lead or on-call manager |
| Deployment Engineer | Deploy approved releases, update runtime configuration | Change approval for production |
| Security Administrator | Manage secrets, rotate tokens, review access | Security approval |
| Maintainer | Modify CBDDC source/docs, merge reviewed changes | Pull request review |
## Least-Privilege Rules
- Grant access by role, not by individual preference.
- Use environment-specific credentials and scoped service accounts.
- Do not share production credentials across environments.
- Remove elevated access promptly once the incident or change window closes.
## Approval Flow
1. Request access with role, environment, and business reason.
2. Approver validates least-privilege scope.
3. Access is granted with an expiration date when applicable.
4. Grant/revoke events are logged for auditability.
## Periodic Access Review
- Review active privileged access at least quarterly.
- Remove dormant or unowned accounts immediately.
- Validate that emergency access accounts are controlled and monitored.
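
The approval flow and the periodic review above can be modelled as a small access-grant ledger. The following is an added example, not CBDDC project code: role names and the grant/revoke/review rules follow this document, while the `Grant` and `Ledger` structures, the 90-day dormancy threshold and the sample grants in `demo()` are assumptions constructed for illustration.

```python
"""Added example (not CBDDC project code): an access-grant ledger that models
the approval flow (request with role/environment/reason, approver validates
scope, expiring grant, logged grant/revoke events) and the periodic review
(expired, dormant or unowned access is flagged and revoked)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Roles defined in the Roles table; anything else is rejected at request time.
ROLES = {"Runtime Operator", "Deployment Engineer", "Security Administrator", "Maintainer"}


@dataclass
class Grant:
    user: str
    role: str
    environment: str
    reason: str
    approver: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None = standing access; the review still checks it
    owner: Optional[str]            # owning team; None = unowned account
    last_used: Optional[datetime]   # None = never used since grant


@dataclass
class Ledger:
    grants: dict = field(default_factory=dict)    # user -> Grant
    audit_log: list = field(default_factory=list)  # grant/revoke events (assumed tuple layout)

    def request(self, user, role, environment, reason, approver, at, ttl=None, owner=None):
        # Steps 1-2: the request names role, environment and reason; the approver
        # accepts only a defined role (grant by role, not by individual preference).
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}; grant access by role, not by individual")
        if not reason.strip():
            raise ValueError("business reason is required")
        # Step 3: expiration date when applicable (ttl given).
        expires = at + ttl if ttl else None
        g = Grant(user, role, environment, reason, approver, at, expires, owner, None)
        self.grants[user] = g
        # Step 4: grant event is logged for auditability.
        self.audit_log.append(("grant", user, role, environment, approver, at.isoformat()))
        return g

    def revoke(self, user, by, at, cause):
        g = self.grants.pop(user)
        self.audit_log.append(("revoke", user, g.role, g.environment, by, at.isoformat(), cause))

    def review(self, now, dormant_after=timedelta(days=90)):
        """Periodic access review: return {user: [issues]} for grants needing action.
        The 90-day dormancy threshold is an assumed value, not from the document."""
        findings = {}
        for user, g in self.grants.items():
            issues = []
            if g.expires_at is not None and now >= g.expires_at:
                issues.append("expired")
            if g.owner is None:
                issues.append("unowned")
            last_activity = g.last_used or g.granted_at
            if now - last_activity >= dormant_after:
                issues.append("dormant")
            if issues:
                findings[user] = issues
        return findings


def demo():
    """Constructed sample data: one healthy grant, one expired change-window
    grant, and one unowned service account that was never used."""
    now = datetime(2024, 7, 1, tzinfo=timezone.utc)
    ledger = Ledger()
    ledger.request("alice", "Runtime Operator", "prod", "on-call rotation", "oncall-mgr",
                   now - timedelta(days=10), ttl=timedelta(days=30), owner="sre")
    ledger.grants["alice"].last_used = now - timedelta(days=1)
    ledger.request("bob", "Deployment Engineer", "prod", "release 1.4", "change-board",
                   now - timedelta(days=40), ttl=timedelta(days=7), owner="platform")
    ledger.request("svc-legacy", "Security Administrator", "prod", "migration", "secops",
                   now - timedelta(days=200), owner=None)
    findings = ledger.review(now)
    # Findings are acted on immediately; each revocation is itself logged.
    for user, issues in findings.items():
        ledger.revoke(user, "security-admin", now, ",".join(issues))
    return findings, ledger


if __name__ == "__main__":
    found, led = demo()
    print(found)
    for event in led.audit_log:
        print(event)
```

Running `demo()` flags `bob` as expired and `svc-legacy` as both unowned and dormant, leaves `alice` untouched, and leaves a five-event audit trail (three grants, two revocations), which is the record a quarterly review would be checked against.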
## Secret Handling
- Store `AuthToken`, connection strings, and credentials in approved secret stores.
- Never commit secrets to source control.
- Rotate secrets after incidents and on a scheduled cadence.
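
One way to keep `AuthToken` and connection strings out of source control is to commit only a reference to the secret store and resolve it at runtime, with a pre-commit check that rejects inline values. The following is an added example, not CBDDC project code: the config keys, the `secret://` reference syntax, the environment-backed stand-in store and the sample configs are assumptions made for this illustration.

```python
"""Added example (not CBDDC project code): committed configuration carries
secret:// references; values are fetched from a secret store at startup, and
a check suitable for pre-commit or CI flags any inline secret value."""
import os
import re

# Config keys this document treats as secrets (assumed key names).
SECRET_KEYS = {"AuthToken", "ConnectionString"}
# Assumed reference syntax: secret://<path-in-store>
REF = re.compile(r"^secret://([A-Za-z0-9_./-]+)$")


class EnvSecretStore:
    """Stand-in for an approved secret store that resolves a path to an
    environment variable (cbddc/prod/auth-token -> CBDDC_PROD_AUTH_TOKEN).
    A real deployment would call the store's own client here."""

    def __init__(self, env=None):
        self.env = os.environ if env is None else env

    def get(self, path):
        key = re.sub(r"[^A-Za-z0-9]", "_", path).upper()
        if key not in self.env:
            raise KeyError(f"secret {path!r} not found in store")
        return self.env[key]


def check_committed_config(config):
    """Return the secret-bearing keys whose value is not a secret:// reference.
    An empty list means the file is safe to commit; anything else is a leak."""
    return [k for k in sorted(SECRET_KEYS)
            if k in config and not REF.match(str(config[k]))]


def resolve_config(config, store):
    """Return a copy of config with secret:// references replaced by values from
    the store. Inline secrets are refused rather than used, so a file that
    slipped past the commit check still fails loudly instead of working."""
    inline = check_committed_config(config)
    if inline:
        raise ValueError(f"inline secret values for {inline}; use secret:// references")
    resolved = dict(config)
    for key in SECRET_KEYS & config.keys():
        resolved[key] = store.get(REF.match(config[key]).group(1))
    return resolved


# Constructed sample inputs.
COMMITTED_CONFIG = {
    "ServiceName": "cbddc",
    "AuthToken": "secret://cbddc/prod/auth-token",
    "ConnectionString": "secret://cbddc/prod/db",
}
LEAKED_CONFIG = {
    "ServiceName": "cbddc",
    "AuthToken": "tok-literal-should-never-be-committed",
}
FAKE_STORE = EnvSecretStore({
    "CBDDC_PROD_AUTH_TOKEN": "tok-from-store",
    "CBDDC_PROD_DB": "Server=db.internal;Database=cbddc",
})


def demo():
    """Run the commit check on both configs and resolve the clean one."""
    return (check_committed_config(COMMITTED_CONFIG),
            check_committed_config(LEAKED_CONFIG),
            resolve_config(COMMITTED_CONFIG, FAKE_STORE))


if __name__ == "__main__":
    clean, leaked, resolved = demo()
    print("clean config findings:", clean)
    print("leaked config findings:", leaked)
    print("resolved AuthToken:", resolved["AuthToken"])
```

Because resolution happens at startup, rotating a secret means updating the store entry and restarting the service; the committed file does not change, so rotation never produces a commit containing the new value.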
## Related Documents
- [Security](security.md)
- [Runbook](runbook.md)
- [Production Hardening](production-hardening.md)