GitLab Access Manager is a custom full-stack application built by the GitLab IT Engineering team that provides a user interface ("UI") for team members, managers, access approvers, audit reviewers, and IT administrators to centrally approve and manage role-based access to the directory of tech stack applications ("SaaS providers").
In FY21-Q4, we launched the GitLab Sandbox Cloud, powered by HackyStack, to automate the provisioning of AWS accounts, AWS IAM users, GCP projects, and GCP users. This has allowed us to automate a large portion of our AWS and GCP access requests.
In FY22-Q3, we launched the initial technical discovery and custom development prototype of GitLab Access Manager (codename "Project FastPass") that will replace access request issues, with progressive milestones throughout FY23. All remaining manual provisioning will include a streamlined custom web UI and API integration with all of our tech stack applications for user and role provisioning.
The GitLab Access Manager documentation draft is available at https://docs.access.gitlabenvironment.cloud for internal education and security compliance review.
The application is in the early stages of design and development; however, team members can view a WIP preview at https://glam-dev.gitlab.systems.
Access Manager has back-end automation that uses the API for each SaaS provider to automate user account and role provisioning (after approval) and has scheduled deprovisioning of user accounts based on expiration or offboarding date.
There are several additional features for streamlining access/audit reviews and compliance reporting using the UI, API, or CSV exports.
In other words, the functionality of the application focuses on the automation and auditability of the lifecycle of Identity and Access Management ("IAM") and Role-Based Access Control ("RBAC") for team members and our tech stack applications.
It is important to note that Access Manager automates the provisioning process for SaaS provider systems behind the scenes, and users still use Okta as our single sign-on identity provider. For SaaS providers that do not support Okta authentication, Access Manager uses the API to provision a local authentication username and password that is automatically deprovisioned when the team member's access expires or the team member is offboarded.