How It Works

Access Manager is a custom full stack application built by the GitLab Business Technology team ("IT") that provides a user interface ("UI") for team members, managers, access approvers, audit reviewers, and IT administrators to centrally approve and manage role-based access to the directory of tech stack applications ("SaaS providers").

Access Manager has back-end automation that uses the API for each SaaS provider to automate user account and role provisioning (after approval) and has scheduled deprovisioning of user accounts based on expiration or offboarding date.

There are several additional features for streamlining access/audit reviews and compliance reporting using the UI, API, or CSV exports.

In other words, the functionality of the application focuses on the automation and auditability of the lifecycle of Identity and Access Management ("IAM") and Role Based Access Control ("RBAC") for team members and our tech stack applications.

It is important to note that Access Manager automates the provisioning process for SaaS provider systems behind the scenes, while users still sign in through Okta, our single sign-on identity provider. For SaaS providers that do not support Okta authentication, Access Manager uses the API to provision a local authentication username and password that is automatically deprovisioned when the team member's access expires or the team member is offboarded.

Features and Functionality

The scope of functionality in Access Manager is focused on these features to improve our business processes and efficiency.

  1. Directory and Relationships - Database relationship mapping for users, groups, roles, applications, and application permission roles
  2. Profile Mapping - Auto association of group memberships based on Okta/HRIS metadata.
  3. Access Approvals - Approval flows for requesting access to a role
  4. Access Provisioning - Action flows for provisioning IAM users or role mappings
  5. API Integration - API connection to most tech stack applications to perform automated IAM provisioning.
  6. Scheduled Access Review - Approval flows for reviewing (auditing) access after a preconfigured duration (customizable per role).
  7. Automated Deprovisioning - Scheduled expiration dates for access removal based on employment or contract end date that trigger Action Flows for deprovisioning IAM users or roles.
  8. Comprehensive Logging - Logging and auditability of all approval and action flow transactions.
  9. Audit Reports - Easy-to-generate reports for security compliance to perform reviews of least privilege and access across multiple filter criteria.
  10. Slack and Email Notifications - Slack bot with red and green button questions for improved user experience and efficiency for approval transactions. Email confirmations of transactions for multi-factor notification and approver searchability.
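
As an added illustration (not Access Manager's own code), the sketch below shows how features 6 to 8 could fit together in one scheduled run: access ends at the earlier of the grant's expiration and the offboarding date, overdue grants are queued for review, and every decision is written to an audit log. The record fields, action names, and sample data are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Grant:                       # hypothetical record, not the real schema
    user: str
    app: str
    role: str
    expires_on: Optional[date]     # expiration date set on the grant
    last_reviewed: date
    review_days: int               # review interval, customizable per role
    local_auth: bool = False       # provider without Okta SSO: local login exists

def sweep(grants, offboard_dates, today):
    """One scheduled run: return (actions, audit_log) without calling any API."""
    actions, audit = [], []
    for g in grants:
        off = offboard_dates.get(g.user)
        ends = [d for d in (g.expires_on, off) if d is not None]
        end = min(ends) if ends else None
        if end is not None and end <= today:
            # Access ends at the earlier of grant expiration and offboarding.
            reason = "offboarded" if off == end else "expired"
            step = "delete_local_account" if g.local_auth else "remove_role"
        elif (today - g.last_reviewed).days >= g.review_days:
            reason, step = "review_due", "request_review"
        else:
            continue
        actions.append((step, g.user, g.app, g.role))
        # Every decision is logged so audit reviewers can trace it later.
        audit.append({"date": today.isoformat(), "action": step,
                      "reason": reason, "user": g.user, "app": g.app})
    return actions, audit

# Constructed sample data (names and dates are made up).
TODAY = date(2024, 6, 1)
GRANTS = [
    Grant("alice", "crm", "admin", date(2024, 5, 31), date(2024, 5, 1), 90),
    Grant("bob", "legacy-wiki", "editor", None, date(2024, 5, 1), 90, True),
    Grant("carol", "crm", "viewer", date(2025, 1, 1), date(2024, 1, 1), 90),
    Grant("dave", "crm", "viewer", date(2025, 1, 1), date(2024, 5, 1), 90),
]
OFFBOARDING = {"bob": date(2024, 6, 1)}

if __name__ == "__main__":
    for action in sweep(GRANTS, OFFBOARDING, TODAY)[0]:
        print(action)
```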

Access Manager Lifecycle

Common Workflows

Application Architecture

End User Experience

Manager and Approver Experience
