Access Check (accesschk)

Access Check (accesschk) is a separate pipeline from Access Control (accessctl) that focuses on evidence collection of the current state of users and configuration for each compliance in-scope system. This pipeline automates the extract-transform-load (ETL) process for (e)xtracting/fetching data from the API, formatting/(t)ransforming it into a CSV and JSON datestamped file, and loading it into a GitLab repository for analysis and reference by audit and compliance users.

Not Live Yet

You are viewing a preview of documentation for the future state of GitLab Identity v3 (mid 2024). See the Access Management Policy for the GitLab Identity v2 current state with baseline entitlements and access requests. See the roadmap in the epics gantt chart.

Not the documentation you are looking for?

You are viewing the accesschk engineering deep-dive architecture for audit and compliance evidence collection. We have accessctl engineering architecture documentation for policy management and automated provisioning. We also have a getting started guide for auditors, change management, and tech stack application system owners.

Work in Progress

This page is a work-in-progress. Please check back later for up-to-date details.

CI/CD Pipeline Overview

graph LR

subgraph accesschk GitLab Repositories
direction LR
subgraph accesschk-evidence Repo
direction LR
end
end

subgraph accesschk GitLab CI/CD Pipeline Jobs
direction LR
subgraph Okta API
CI_AUDIT_OKTA_USER_JOB["Okta Users Job<br />chk:okta-users"]
CI_AUDIT_OKTA_APP_JOB["Okta Apps Job<br />chk:okta-apps"]
CI_AUDIT_OKTA_GROUP_JOB["Okta Groups Job<br />chk:okta-groups"]
CI_AUDIT_OKTA_POLICY_JOB["Okta Policies Job<br />chk:okta-policies"]
CI_AUDIT_OKTA_ADMIN_ROLES_JOB["Okta Admin Roles Job<br />chk:okta-admin-roles"]
CI_AUDIT_OKTA_SETTING_JOB["Okta Settings Job<br />chk:okta-settings"]
end
subgraph Google Workspace Directory API
CI_AUDIT_GOOGLE_USER_JOB["Google Users Job<br />chk:google-users"]
CI_AUDIT_GOOGLE_ADMIN_ROLES_JOB["Google Admin Roles Job<br />chk:google-admin-roles"]
CI_AUDIT_GOOGLE_GROUP_JOB["Google Groups Job<br />chk:google-groups"]
CI_AUDIT_GOOGLE_CHROME_JOB["Google Chrome Policies Job<br />chk:google-chrome"]
CI_AUDIT_GOOGLE_ORG_UNIT_JOB["Google Org Units Job<br />chk:google-org-units"]
end
subgraph Google Cloud Resource Manager and IAM API
CI_AUDIT_GCP_ORGS_JOB["Google Cloud Organizations Job<br />chk:gcp-organizations"]
CI_AUDIT_GCP_FOLDERS_JOB["Google Cloud Folders Job<br />chk:gcp-folders"]
CI_AUDIT_GCP_PROJECTS_JOB["Google Cloud Projects Job<br />chk:gcp-projects"]
CI_AUDIT_GCP_SERVICE_ACCOUNTS_JOB["Google Cloud Service Accounts Job<br />chk:gcp-service-accounts"]
CI_AUDIT_GCP_BILLING_ACCOUNTS_JOB["Google Cloud Billing Accounts Job<br />chk:gcp-billing-accounts"]
end
subgraph GitLab.com SaaS API
CI_AUDIT_GITLAB_SAAS_GROUP_JOB["GitLab SaaS Groups Job<br />chk:gitlab-saas-groups"]
CI_AUDIT_GITLAB_SAAS_PROJECTS_JOB["GitLab SaaS Projects Job<br />chk:gitlab-saas-projects"]
CI_AUDIT_GITLAB_SAAS_ADMIN_JOB["GitLab SaaS Admin Roles Job<br />chk:gitlab-saas-admins"]
end
subgraph GitLab Self-Managed Instance API
CI_AUDIT_GITLAB_SELF_GROUP_JOB["GitLab Self-Managed Groups Job<br />chk:gitlab-self-groups"]
CI_AUDIT_GITLAB_SELF_PROJECTS_JOB["GitLab Self-Managed Projects Job<br />chk:gitlab-self-projects"]
CI_AUDIT_GITLAB_SELF_ADMIN_JOB["GitLab Self-Managed Admin Roles Job<br />chk:gitlab-self-admins"]
end
end

Last modified January 17, 2024: Add Security Identity Engineering team handbook page (5752bfc0)

View page source - Edit this page - please contribute.