Access Management Policy
This is a Controlled Document
In line with GitLab’s regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
Purpose
This policy is intended to outline the access management controls implemented by GitLab.
Scope
These controls apply to information and information processing systems at the application and operating system layers, including networks and network services.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Security Assurance | Responsible for implementing and executing this policy |
| Business or System Owners | Alignment to this policy and any related standards |
| Security Assurance Management (Code Owners) | Responsible for approving significant changes and exceptions to this policy |
| Team Members | Responsible for adhering to the requirements of this policy |
Policy
Access requests and reviews
Access requests are opened for all new or changing access. (AC-2)
Access requests are approved prior to making access changes. (AC-2)
Access requests and reviews are documented. (AC-2, AC-6(7))
An exception process exists for access requests.
Access revocation
Access is deprovisioned upon cessation of employment. (AC-2(3))
Job transfers
Access is deprovisioned or provisioned upon job transfer, as appropriate for the transfer. (AC-2, AC-2(3))
Access reviews
Access reviews are performed to confirm existing access. (AC-6(7))
Access Management Standard
For further details on GitLab’s access management processes, please review the Access Management Standard in the Internal Handbook.
Exceptions
Exceptions to this policy will be tracked as per the Security and Technology Policy Exception Management Process.