# Access Control

## Problem We're Solving
Access sprawl: Not knowing who has access to what systems, inconsistent permissions, time-consuming access requests.
## Solution
Keycloak as Single Source of Truth + automated synchronization to all systems + self-service access for most resources.
## How It Works

```text
Keycloak (Identity)
        ↓
        ├─→ GitHub (auto-sync via SCIM/API)
        ├─→ Netbird VPN (OIDC integration)
        ├─→ DigitalOcean (SSO)
        ├─→ Rocket.Chat (SSO)
        ├─→ Docusaurus (SSO)
        └─→ SSH Access (via Ansible sync)
```
Result: One place to manage identity, all systems stay in sync automatically.
## Access Tiers

### Tier 1: Automatic (No Approval)
Granted automatically when you join the company:
- Keycloak account + MFA
- Rocket.Chat access
- Docusaurus (this documentation)
- Netbird VPN (development networks)
- GitHub organization (read access to all repos)
- Email and collaboration tools
### Tier 2: Self-Service (Manager Approval via Emoji)
Request via Rocket.Chat bot, manager approves in < 5 min:
- Write access to team repositories
- Staging environment access
- Production read-only access
- Team-specific tool access
### Tier 3: Elevated Access (Requires Justification)
Requires manager approval + security notification:
- Production write access (time-limited)
- Database admin access
- Infrastructure admin (DigitalOcean, Ansible)
- Secrets management (Vault)
### Tier 4: Emergency Break-Glass
Used only during critical incidents:
- Root/sudo access to production
- Direct database access
- Requires incident ticket + automatic revocation after 4 hours
## Key Principles
- Least Privilege: Start with minimum necessary access, add more as needed
- Just-in-Time: Elevated access is time-bound and expires automatically
- Self-Service Default: Most access requests don't need human approval
- Everything Logged: All access and access changes are audited
- Regular Reviews: Quarterly automated access certification
## Access Policies
- Self-Service Access Guide - How to request and grant access
- Keycloak Integration - How Keycloak is configured
- GitHub Team Management - Repository access control
- Netbird VPN Access - Network access policies
- DigitalOcean RBAC - Cloud infrastructure access
- SSH Access Management - Server access control
- Access Reviews - Quarterly access certification
## Quick Actions

### Need access to something?

```text
# In Rocket.Chat
/access request team=backend-team resource=production-read
# Manager gets notification, approves with 👍 emoji
# Access granted within 5 minutes
```

### Grant access to someone?

```text
# In Rocket.Chat #access-requests channel
# React with 👍 to approve
# React with 👎 to deny
```

### Emergency access during incident?

```text
# In Rocket.Chat #incidents channel
/access emergency resource=prod-db-write incident=INC-2025-001
# Granted for 4 hours, auto-revoked
```
## Access Metrics
We track:
- Time to provision access (target: < 5 minutes for Tier 2)
- % of access requests that are self-service (target: > 80%)
- Inactive accounts (auto-disable after 30 days of inactivity)
- Access review completion rate (target: 100% quarterly)
Dashboard: [Access Metrics] (link to monitoring dashboard)