GitLab Access Manager is a custom-built full-stack application built by the GitLab IT Engineering team that provides a user interface ("UI") for team members, managers, access approvers, audit reviewers, and IT administrators to centrally approve and manage role-based access to the directory of tech stack applications ("SaaS providers").
In FY21-Q4, we launched the GitLab Sandbox Cloud, powered by HackyStack, to automate the provisioning of AWS accounts, AWS IAM users, GCP projects, and GCP users. This has allowed us to automate a large portion of our AWS and GCP access requests.
In FY22-Q3, we launched the initial technical discovery and custom development prototype of GitLab Access Manager, which will replace access request issues, with progressive milestones throughout FY23. All remaining manual provisioning will include a streamlined custom web UI and API integration with all of our tech stack applications for user and role provisioning.
This project is deprecated.
You can track the real-time progress in GitLab Access Manager epics and issues.
The GitLab Access Manager documentation draft is available at https://docs.access.gitlabenvironment.cloud for internal education and security compliance review.
The application is in the early stages of design and development. Please follow #gitlab-access-manager in Slack for real-time updates.
Access Manager has back-end automation that uses the API for each SaaS provider to automate user account and role provisioning (after approval) and has scheduled deprovisioning of user accounts based on expiration or offboarding date.
There are several additional features for streamlining access/audit reviews and compliance reporting using the UI, API, or CSV exports.
In other words, the functionality of the application focuses on the automation and auditability of the lifecycle of Identity and Access Management ("IAM") and Role Based Access Control ("RBAC") for team members and our tech stack applications.
It is important to distinguish that Access Manager automates the provisioning process for SaaS Provider systems behind the scenes, and users still use Okta as our single sign-on identity provider. For SaaS Providers that do not support Okta authentication, Access Manager uses the API to provision a local authentication username and password that is automatically deprovisioned when the team member's access expires or the team member is offboarded.
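The deprovisioning rule described above, as an added sketch that is not GitLab Access Manager's code. The `Grant` fields, provider names, and action names are hypothetical, and treating the end date as inclusive is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical data model for illustration; not the Access Manager schema.
@dataclass(frozen=True)
class Grant:
    user: str
    provider: str
    role: str
    approved: bool               # an approver signed off on this role
    expires_on: Optional[date]   # None means no expiration was set
    local_auth: bool             # True when the provider cannot use Okta SSO

def end_date(grant, offboarding):
    """Earliest of the grant's expiration and the user's offboarding date."""
    dates = [d for d in (grant.expires_on, offboarding.get(grant.user)) if d]
    return min(dates) if dates else None

def plan_sweep(grants, offboarding, today):
    """Return (user, provider, action) tuples for one scheduled run."""
    actions = []
    for g in grants:
        if not g.approved:
            # Access with no approval record is surfaced for audit review.
            actions.append((g.user, g.provider, "flag_unapproved"))
            continue
        due = end_date(g, offboarding)
        if due is not None and due <= today:  # assumption: end date is inclusive
            actions.append((g.user, g.provider, "remove_role"))
            if g.local_auth:
                # A local password keeps working after SSO is cut off,
                # so it has to be deleted at the provider itself.
                actions.append((g.user, g.provider, "delete_local_credential"))
    return actions

# Constructed sample data.
TODAY = date(2023, 3, 1)
OFFBOARDING = {"bob": date(2023, 2, 28)}
GRANTS = [
    Grant("alice", "provider-a", "admin", True, date(2023, 6, 30), False),
    Grant("alice", "provider-b", "viewer", True, date(2023, 2, 1), True),
    Grant("bob", "provider-a", "editor", True, date(2023, 12, 31), False),
    Grant("bob", "provider-b", "editor", True, None, True),
    Grant("carol", "provider-a", "admin", False, None, False),
]

if __name__ == "__main__":
    for action in plan_sweep(GRANTS, OFFBOARDING, TODAY):
        print(action)
```

Bob's grants are removed by his offboarding date even though one has a later expiration and the other has none, which is the case a purely expiry-driven sweep would miss.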
TLDR: It takes 4 "people months" per month to do access requests. Team members and contractors are waiting several days to get applications permissioned. Auditing is manual. Offboarding from applications is manual and time-consuming for multiple teams.
TLDR: Custom application built by IT Engineering to automate the lifecycle of Identity and Access Management ("IAM") and Role Based Access Control ("RBAC"). Will improve team member experience across the processes of: onboarding, access requests, audit, and offboarding for our vast technology stack.
This is an excerpt of the documentation that is only available to team members during early development.