CorpSec Systems and Tech Stack

The Corporate Security department provides configuration management engineering and tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.) for the company-wide systems that we manage. The systems directory provides a list of all of our systems with quick reference links to administration runbooks, end user documentation, issue templates, mentionable groups, and tags that are used in GitLab epics, issues, and merge requests.

Cross-Department System Owners

As GitLab has grown organically, several departments and functional groups have their own System Administrators (“System Owners”) that handle day-to-day management of the tech stack applications that are specific to that department or functional group, within the framework of organization-wide compliance, infrastructure, and security best practices. Each tech stack application at GitLab has a System Owner that is the DRI for handling the implementation and day-to-day operational support for the team members that utilize that application (in their department or functional group). This has an added benefit of preventing the traditional IT department from being a bottleneck and allows each department to self-service as part of GitLab’s efficiency for the right group subvalue.

CorpSec Systems Directory

The Corporate Security department provides configuration management engineering and tech support helpdesk services for team members and temporary service providers (aka contractors, vendors, etc.) for the company-wide systems that we manage.

System (Handbook Page)	User Guides and Issues	System Owners
1Password	Create Vault Add User to Vault Remove User from Vault Engineering Issue Groups Passkey Guide Setup Guide Vaults	ARs / Issues / Epics Administration Runbooks `corpsys-1password` @gitlab-com/corpsys/1password `@corpsysadmins-1password` `#it_help` USER PASS ADMIN PASS ADMIN APP ROLE
Access Control (accessctl) `access.gitlab.systems` Available in FY25-Q3	Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-accessctl` @gitlab-com/corpsys/accessctl `@corpsysadmins-accessctl` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Amazon Web Services (billing) Cost Explorer and invoices across all orgs	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-billing` @gitlab-com/corpsys/aws-billing `@corpsysadmins-aws-billing` `#security-corpsec-infra` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Amazon Web Services (services) `x6953` Organization `x0347 legacy-top` `x4183 legacy-prod` `x8738 sirt` See handbook page for all accounts	Create Account for Service/Workload User and Role Management Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-services` @gitlab-com/corpsys/aws-services `@corpsysadmins-aws-services` `#security-corpsec-infra` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Amazon Web Services (sandbox) `x3027` Organization	Create My AWS Account Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-sandbox` @gitlab-com/corpsys/aws-sandbox `@corpsysadmins-aws-sandbox` `#sandbox-cloud-questions` USER 1PASS USER APP ROLE ADMIN SSO ADMIN APP ROLE
Amazon Web Services (systems) `x6658` Organization Secure Accounts for CorpSec, InfraSec, SIRT	Sysadmin Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-systems` @gitlab-com/corpsys/aws-systems `@corpsysadmins-aws-systems` `#security-corpsec-infra` ADMIN SSO ADMIN APP ROLE
Amazon Web Services (dedicated-dev) `x3675` Organization	Create My AWS Account Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-dedicated-dev` @gitlab-com/gl-security/corp/aws-dedicated-dev `@corpsysadmins-aws-dedicated-dev` `#g_dedicated-team` USER 1PASS USER APP ROLE ADMIN SSO ADMIN APP ROLE
Amazon Web Services (dedicated-prd) `x0475` Organization	Sysadmin Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-dedicated-prd` @gitlab-com/corpsys/aws-dedicated-prd `@corpsysadmins-aws-dedicated-prd` `#g_dedicated-team` ADMIN SSO ADMIN APP ROLE
Amazon Web Services (dedicated-pubsec) `x9885` Organization	Sysadmin Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-aws-dedicated-pubsec` @gitlab-com/corpsys/aws-dedicated-pubsec `@corpsysadmins-aws-dedicated-pubsec` `#g_dedicated-us-pubsec` PUBSEC ADMIN SSO
Azure (Sandbox)	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-azure` @gitlab-com/corpsys/azure `@corpsysadmins-azure` `#it_help` USER 1PASS ADMIN 1PASS ADMIN APP ROLE
Domain Names	Purchase Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-domains` @gitlab-com/corpsys/domains `@corpsysadmins-domains` `#security-corpsec-infra` ADMIN SSO ADMIN APP ROLE
DNS Records	Update Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-dns` @gitlab-com/corpsys/dns `@corpsysadmins-dns` `#security-corpsec-infra` USER MR ADMIN MR ADMIN SSO
DriveStrike	Engineering Issue	Issues / Epics Administration Runbooks `corpsys-drivestrike` @gitlab-com/corpsys/drivestrike `@corpsysadmins-drivestrike` `#it_help` ADMIN SSO
GitLab (com) `gitlab.com`	Create Group Update Group Deprecate Group Create Project Update Project Deprecate Project Add User to Group/Project Remove User from Group/Project Service Account Request License for My Work Account License for My Personal Account License for Demo/Internal Group Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gitlab-com` @gitlab-com/corpsys/gitlab-com `@corpsysadmins-gitlab-com` `#it_help` `#production_engineering` USER 1PASS/SSO ADMIN 1PASS/SSO ADMIN APP ROLE
GitLab (ops) `ops.gitlab.net`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gitlab-ops` @gitlab-com/corpsys/gitlab-ops `@corpsysadmins-gitlab-ops` `#infrastructure_lounge` `#production_engineering` USER 1PASS/SSO ADMIN 1PASS/SSO ADMIN APP ROLE
GitLab (dev) `dev.gitlab.org`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gitlab-dev` @gitlab-com/corpsys/gitlab-dev `@corpsysadmins-gitlab-dev` `#it_help` `#production_engineering` USER 1PASS/SSO ADMIN 1PASS/SSO ADMIN APP ROLE
GitLab (stg) `staging.gitlab.com`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gitlab-stg` @gitlab-com/corpsys/gitlab-stg `@corpsysadmins-gitlab-stg` `#it_help` `#production_engineering` USER 1PASS/SSO ADMIN 1PASS/SSO ADMIN APP ROLE
GitLab (cfg) `cfg.gitlab.systems`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gitlab-cfg` @gitlab-com/corpsys/gitlab-cfg `@corpsysadmins-gitlab-cfg` `#it_help` `#security-corpsec-infra` USER SSO ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (Billing)	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-billing` @gitlab-com/corpsys/gcp-billing `@corpsysadmins-gcp-billing` `#cloud-finops` `#security-corpsec-infra` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (com) `gitlab.com`	Create Project for Service/Workload User and Role Management Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-com` @gitlab-com/corpsys/gcp-com `@corpsysadmins-gcp-com` `#infrastructure_lounge` `#production_engineering` `#security-corpsec-infra` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (sandbox) `gitlabsandbox.cloud`	Create My GCP Project Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-sandbox` @gitlab-com/corpsys/gcp-sandbox `@corpsysadmins-gcp-sandbox` `#sandbox-cloud-questions` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (systems) `gitlab.systems`	Sysadmin Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-systems` @gitlab-com/corpsys/gcp-systems `@corpsysadmins-gcp-systems` `#security-corpsec-infra` ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (cells-dev) `gitlab-cells.dev`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-cells-dev` @gitlab-com/corpsys/gcp-cells-dev `@corpsysadmins-gcp-cells-dev` `#production_engineering` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (cells-prd) `gitlab-cells.com`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-cells-prd` @gitlab-com/corpsys/gcp-cells-prd `@corpsysadmins-gcp-cells-prd` `#production_engineering` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (dedicated-dev) `gitlab-private.org`	Create My GCP Project Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-dedicated-dev` @gitlab-com/corpsys/gcp-dedicated-dev `@corpsysadmins-gcp-dedicated-dev` `#g_dedicated-team` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Cloud Platform (dedicated-prd) `gitlab-dedicated.com`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-gcp-dedicated-prd` @gitlab-com/corpsys/gcp-dedicated-prd `@corpsysadmins-gcp-dedicated-prd` `#g_dedicated-team` USER SSO USER APP ROLE ADMIN SSO ADMIN APP ROLE
Google Apps (Workspace)	Authorize/Create App Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-google-app` @gitlab-com/corpsys/google-app `@corpsysadmins-google-app` `#it_help` ADMIN SSO ADMIN SSO ROLE
Google Calendar	Engineering Issue Delegation Guide	ARs / Issues / Epics Administration Runbooks `corpsys-google-cal` @gitlab-com/corpsys/google-cal `@corpsysadmins-google-cal` `#it_help` USER SSO ADMIN SSO ADMIN APP ROLE
Google Drive (Docs, Sheets, Slides)	Create or Update Drive Add or Remove Users Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-google-drive` @gitlab-com/corpsys/google-drive `@corpsysadmins-google-drive` `#it_help` USER SSO USER APP GROUP ADMIN SSO ADMIN APP ROLE
Google Workspace Groups (Mailing Lists)	Create or Update Group Add or Remove Users	ARs / Issues / Epics Administration Runbooks `corpsys-google-group` @gitlab-com/corpsys/google-group `@corpsysadmins-google-group` `#it_help` USER SSO USER APP GROUP ADMIN SSO ADMIN APP ROLE
Google Workspace Org Config	Change Management Issue Engineering Issue Service Account Request Sysadmin Access Request	ARs / Issues / Epics Administration Runbooks `corpsys-google-org` @gitlab-com/corpsys/google-org `@corpsysadmins-google-org` `#it_help` ADMIN SSO ADMIN APP ROLE
Jamf MDM `gitlab.jamfcloud.com`	Laptop Setup Instructions Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-jamf` @gitlab-com/corpsys/jamf `@corpsysadmins-jamf` `#it_help` ADMIN SSO ADMIN APP ROLE
Linux (OS)	Laptop Setup Instructions Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-linux` @gitlab-com/corpsys/linux `@corpsysadmins-linux` `#it_help`
macOS (OS)	Engineering Issue Onboarding Hardware Ordering Guide Refresh/Replace Guide Repair Guide Wipe (Factory Reset) Guide Apple macOS Setup Guide Onboarding Software Setup Guide Security Configuration Standards Apple ID for Work Backups Disk Encryption Firewall Hostnames and Usernames iCloud Drive Locking When Unattended Password Management Personal Use Remote Management (MDM and EDR) Software Updates Touch ID (Biometric Passwords and 2FA) Web Browsers Wireless Networks and VPN	Issues / Epics Administration Runbooks `corpsys-macos` @gitlab-com/corpsys/macos `@corpsysadmins-macos` `#it_help`
Nira (Google Drive)	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-nira` @gitlab-com/corpsys/nira `@corpsysadmins-nira` `#it_help` USER SSO ADMIN SSO ADMIN APP ROLE
NordLayer VPN	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-vpn` @gitlab-com/corpsys/vpn `@corpsysadmins-vpn` `#it_help` USER SSO ADMIN SSO
Okta Applications `gitlab.okta.com`	New Application (Vendor) Setup Access Request Guide Open an Access Request Engineering Issue New Application Request Update Application Request Deprecate Application Request	ARs / Issues / Epics Administration Runbooks `corpsys-okta-app` @gitlab-com/gl-security/corp/svc/ar @gitlab-com/corpsys/okta-apps `@corpsysadmins-okta-apps` `#it_help` `#security-corpsec-identity` USER SSO USER SSO GROUP ADMIN SSO ADMIN APP ROLE
Okta Groups (for App Assignment) `gitlab.okta.com`	Access Request Guide Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-okta-group` @gitlab-com/gl-security/corp/svc/ar @gitlab-com/corpsys/okta-groups `@corpsysadmins-okta-groups` `#it_help` USER SSO GROUP ADMIN SSO ADMIN APP ROLE
Okta Org Configuration and Policies `gitlab.okta.com`	Change Management Issue Engineering Issue Service Account Request Sysadmin Access Request	ARs / Issues / Epics Administration Runbooks `corpsys-okta-org` @gitlab-com/corpsys/okta-org `@corpsysadmins-okta-org` `#security-corpsec-identity` USER SSO USER SSO GROUP ADMIN SSO ADMIN APP ROLE
Okta SSO and Users `gitlab.okta.com`	2FA and Password Lockout Guide Access Request Guide Open an Access Request Android Setup Guide iOS (iPhone/iPad) Setup Guide Linux Setup Guide macOS Setup Guide Passkey 2FA Setup Guide Touch ID 2FA Setup Guide YubiKey 2FA Setup Guide Provisioning Architecture Frequently Asked Questions (FAQ) Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-okta-user` @gitlab-com/corpsys/okta-users `@corpsysadmins-okta-users` `#it_help` USER SSO ADMIN SSO ADMIN APP ROLE
Okta Workflows `gitlab.okta.com`	Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-okta-flow` @gitlab-com/corpsys/okta-flows `@corpsysadmins-okta-flows` `#security-corpsec-identity` ADMIN SSO ADMIN APP ROLE
Sandbox Cloud (HackyStack) `gitlabsandbox.cloud`	Self Service Guide Engineering Issue	Issues / Epics Administration Runbooks `corpsys-sandbox-cloud` @gitlab-com/corpsys/sandbox-cloud `@corpsysadmins-sandbox-cloud` `#sandbox-cloud-questions` USER SSO ADMIN SSH
SentinelOne	Sysadmin Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-sentinelone` @gitlab-com/corpsys/sentinelone `@corpsysadmins-sentinelone` `#it_help` ADMIN SSO ADMIN APP ROLE
Slack `gitlab.enterprise.slack.com`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-slack` @gitlab-com/corpsys/slack `@corpsysadmins-slack` `#it_help` USER SSO USER APP ADMIN ROLE
YubiKey	Order a Key (Slack `/yubikey`) Engineering Issue	Issues / Epics Administration Runbooks `corpsys-yubikey` @gitlab-com/corpsys/yubikey `@corpsysadmins-yubikey` `#it_help`
Zoom `gitlab.zoom.us`	Open an Access Request Engineering Issue	ARs / Issues / Epics Administration Runbooks `corpsys-zoom` @gitlab-com/corpsys/zoom `@corpsysadmins-zoom` `#it_help` USER SSO USER APP ADMIN ROLE

1Password

This is a placeholder page. Please see the links below for any child pages that exist.

Access Check (accesschk)

This is a placeholder page. Please see the links below for any child pages that exist.

Access Control (access.gitlab.systems)

This is a placeholder page. Please see the links below for any child pages that exist.

Amazon Web Services (AWS)

This is a placeholder page. Please see the links below for any child pages that exist.

Apple macOS

This is a placeholder page. Please see the links below for any child pages that exist.

Azure

This is a placeholder page. Please see the links below for any child pages that exist.

Demo Systems

This is a placeholder page. Please see the Customer Success Demo Systems handbook page.

GitLab Product Administration for Internal Team Members and Temporary Service Providers

This is a placeholder page. Please see the links below for any child pages that exist.

Google

Google is considered a platform and the various features and functionality are on their own pages. Google Apps Google Calendar Google Cloud Platform (GCP) Google Docs and Drive Google Groups Google Mail Google Users Google Workspace (Organization)

HackyStack (Sandbox Cloud)

This is a placeholder page. Please see the Sandbox Cloud handbook page.

Jamf MDM

This is a placeholder page. Please see the links below for any child pages that exist.

Laptop VPN for Public Networks and System Administration

Overview NordLayer is our supported VPN (Virtual Private Network) platform for GitLab Team Members. The use of NordLayer is optional, however it is recommended when working on guest networks or public Wi-Fi. In other words, you should connect to the VPN to secure your laptop’s traffic anytime that you’re not at home. That could be at a co-working location, an airport, a coffee shop or on a guest network at a customers office.

Linux Desktop OS

This is a placeholder page. Please see the links below for any child pages that exist.

Microsoft Windows

This is a placeholder page. Please see the links below for any child pages that exist.

Nira (Google Drive Security)

This is a placeholder page. Please see the links below for any child pages that exist.

Okta Workforce Identity and SSO

Overview Okta is an Identity and Single Sign On solution for SaaS applications and Cloud platforms that is used for accessing most applications at GitLab. This allows us to consolidate authentication and authorization to applications we use daily through a single dashboard and ensure a consistent, secure and auditable login experience for all our GitLab team members. Quick Links 👀 Okta Access Requests Okta Applications 👀 New Application Setup Guide Okta Groups Okta Users 👀 Setup Guide Android Setup Guide Apple iOS (iPhone/iPad) Setup Guide Linux Setup Guide 👀 macOS Setup Guide 👀 Passkey Setup Guide 👀 Touch ID 2FA Setup Guide YubiKey 2FA Setup Guide Authentication 😱 Lockouts and Password and 2FA Resets ❓ Frequently Asked Questions (FAQ) Provisioning Architecture Okta Verify (Device Trust) Android Setup Guide Apple iOS Setup Guide Apple macOS Setup Guide Okta Workflows (No Code Automation) Vendor Docs - Okta Documentation Benefits Application Owners Automated user provisioning and group management Ability to transparently manage shared credentials to web applications without disclosing the credentials to users Centralized access for users, making it easy to add, remove and change the application profile without the need to update all users.

SentinelOne Endpoint Detection and Response (EDR)

Overview We use SentinelOne for endpoint (team member laptop) detection and response (EDR) at GitLab. All macOS, Windows and Linux devices used by GitLab Team Members for the purposes of fulfilling the responsibilities of their role as a GitLab Team Member are required have the SentinelOne EDR agent installed and functioning. The use of a Windows endpoint requires a specific business reason and an approved exception as the use of a Windows endpoint is prohibited.

Slack

This is a placeholder page. Please see the links below for any child pages that exist.

Training Systems

This is a placeholder page. Please see the links below for any child pages that exist.

Yubikey User Guide

A YubiKey provides two factor authentication (2FA) and cryptographic key storage capabilities that are used by Engineering, Product, and Security teams at GitLab.

Zoom

This is a placeholder page. Please see the links below for any child pages that exist.

Last modified July 1, 2024: Add Corporate Security handbook pages (b684cdaf)

View page source - Edit this page - please contribute.

Creative Commons License