---
name: access
description: Manage system access provisioning, account creation, permissions, SSO setup, and access revocation for employees. Use when setting up new hire accounts, managing role-based access, handling access requests, or revoking access during offboarding. Triggers on phrases like "system access", "account setup", "permissions", "SSO", "access request", "login credentials", "distribution list", "channel access", "software license", "access revocation".
---

# System Access & Account Provisioning

Ensure employees have timely access to all systems and tools needed to do their job.

## Workflow

1. Trigger provisioning upon offer acceptance (new hires) or internal transfer approval.
2. Determine required access based on role, department, location, and job function.
3. Create accounts in all required systems (email, SSO, collaboration tools, SaaS apps).
4. Assign role-based permissions and add to appropriate groups/channels.
5. Send welcome email with login instructions and first-step guide.
6. Verify access is working on Day 1 (automated check + employee confirmation).
7. Monitor access changes throughout employment (promotions, transfers, projects).
8. Revoke all access on offboarding (scheduled, not manual).

## Role-Based Access Matrix

```
ACCESS MATRIX — By Department
==============================

ALL EMPLOYEES (baseline access):
  → Email (Google Workspace / Microsoft 365)
  → SSO (Okta / Azure AD) with MFA
  → Communication: Slack / Microsoft Teams
  → Calendar: Google Calendar / Outlook
  → HRIS: BambooHR / Workday (self-service)
  → Document storage: Google Drive / SharePoint (personal folder)
  → Knowledge base: Notion / Confluence (read access)
  → Expense app: Expensify / Concur

ENGINEERING (additional):
  → Code repository: GitHub / GitLab
  → CI/CD: Jenkins / GitHub Actions / CircleCI
  → Cloud platforms: AWS / GCP / Azure (role-scoped)
  → Project management: Jira
  → Design tools: Figma (view access)
  → Monitoring: Datadog / PagerDuty
  → Internal developer portal

SALES (additional):
  → CRM: Salesforce / HubSpot
  → Sales enablement: Gong / Outreach / Salesloft
  → Proposal tools: PandaDoc / DocuSign
  → Expense tracking: Expensify (elevated limits)
  → Calendar automation: Calendly

MARKETING (additional):
  → Marketing automation: HubSpot / Marketo
  → Analytics: Google Analytics / Mixpanel
  → Design tools: Figma / Canva Pro
  → Social media: Sprout Social / Buffer
  → Content management: WordPress / Webflow

FINANCE (additional):
  → ERP: NetSuite / QuickBooks
  → Accounting: Xero / Sage
  → Expense approval: Elevated approval limits
  → Banking: Company bank accounts (dual-control)
  → Tax filing software

EXECUTIVE / LEADERSHIP (additional):
  → Board portal: Diligent / Nautilus
  → Financial dashboards: Tableau / Looker (executive views)
  → Executive email alias
  → Travel booking: Concur / TripActions
  → Signature management: DocuSign (admin)

HR (additional):
  → HRIS: Full admin access
  → Payroll system: Gusto / ADP (admin)
  → Benefits admin platform
  → Performance management: Lattice / 15Five (admin)
  → Background check platform: Checkr
  → ATS: Full access
  → Document management: Personnel files (restricted)
```

## Provisioning Process

```
NEW HIRE ACCESS PROVISIONING
=============================

Step 1: Account Creation (T-5 business days)
  → Create email account: firstname.lastname@company.com
  → Provision SSO identity with default password + MFA enrollment prompt
  → Create calendar, set business hours and time zone
  → Add to company-wide distribution lists

Step 2: Tool Access (T-3 business days)
  → Provision role-specific SaaS accounts (automated via SSO integration)
  → Assign licenses (track license pool — alert if low)
  → Create personal storage folders with appropriate permissions
  → Add to team/department Slack channels

Step 3: Security Configuration (T-2 business days)
  → MFA enrollment (push notification preferred, backup codes provided)
  → Acceptable use policy acknowledgment
  → Data security training assignment (due within 7 days)
  → Device enrollment (MDM profile for company devices)

Step 4: Verification (Day 1)
  → Automated test: Can employee log in to SSO and access key tools?
  → IT sends Day 1 welcome email with login URL, support contact, quick-start guide
  → Employee confirms access via simple form or Slack check-in
  → Any failed access: IT priority ticket, resolved within 4 hours

Step 5: Post-Provisioning Audit (Week 2)
  → HR/IT review: Were all required access items provisioned?
  → Employee survey: "Did you have all the tools you needed on Day 1?"
  → Resolve any gaps
  → Close provisioning ticket
```

## Access Request Process (Ongoing)

```
ACCESS REQUEST WORKFLOW
========================

When employees need access beyond their baseline:

1. Submit request via HRIS self-service portal:
   → System/tool name
   → Justification (project, role need)
   → Urgency level
   → Duration (permanent / temporary with end date)

2. Auto-routing:
   → Standard tools (on access list for role): Auto-approved
   → Elevated access (admin, financial, sensitive data): Manager → HR → IT approval
   → Temporary access: Manager approval only, auto-revoke at end date

3. Provisioning:
   → IT provisions within 1 business day (standard) or 4 hours (urgent)
   → Confirmation email sent to employee and manager

4. Audit trail:
   → All requests logged with timestamp, approvers, and rationale
   → Quarterly access review: Managers confirm direct reports still need each access
   → Annual access certification: Department heads certify all access in their department
```
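The routing rules above (standard tool on the role's list: auto-approve; elevated access: manager, HR and IT; temporary access: manager only with auto-revoke) combine naturally with the role-based access matrix. The Python below is an added example, not code from this playbook or from any of the named vendors: it carries an abbreviated copy of the matrix as data, classifies a tool as elevated by the admin/financial/sensitive markers the page uses, and returns a routing decision with approvers, SLA and auto-revoke date. Two points are assumptions of the example rather than rules stated on the page: a permanent request for a tool that is neither on the role list nor elevated goes to the manager, and a temporary request for an elevated tool is capped at the 72-hour limit from the Security Policies section. The employee names, tool slugs and the fixed "current time" are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Abbreviated copy of the page's access matrix, as tool slugs (constructed names).
BASELINE = {"email", "sso", "slack", "calendar", "hris-self-service",
            "drive-personal", "knowledge-base-read", "expense-app"}
DEPARTMENT_ACCESS = {
    "engineering": {"github", "ci-cd", "aws-role-scoped", "jira", "figma-view", "datadog"},
    "sales": {"salesforce", "gong", "pandadoc", "expensify-elevated", "calendly"},
    "marketing": {"hubspot", "google-analytics", "figma", "sprout-social", "webflow"},
    "finance": {"netsuite", "xero", "expense-approval-elevated", "banking-dual-control"},
    "hr": {"hris-admin", "payroll-admin", "benefits-admin", "ats-full", "personnel-files"},
}
# Markers the page uses for elevated access: admin, financial, sensitive data.
ELEVATED_MARKERS = ("admin", "elevated", "banking", "payroll", "personnel",
                    "financial", "sensitive")
MAX_TEMP_ELEVATED = timedelta(hours=72)   # Security Policies: temporary elevated max 72h


def standard_access(department: str) -> set:
    """Baseline access plus the department's additional tools."""
    return BASELINE | DEPARTMENT_ACCESS.get(department, set())


def is_elevated(tool: str) -> bool:
    t = tool.lower()
    return any(marker in t for marker in ELEVATED_MARKERS)


@dataclass
class AccessRequest:
    employee: str
    department: str
    tool: str
    justification: str
    urgency: str = "standard"               # "standard" or "urgent"
    end_date: Optional[datetime] = None     # None means permanent


@dataclass
class Decision:
    route: str                  # auto-approved | manager | manager-hr-it | rejected
    approvers: List[str]
    auto_revoke_at: Optional[datetime]
    sla_hours: int              # 4h urgent; 1 business day approximated as 24h
    reason: str


def route_request(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    now = now or datetime.now(timezone.utc)
    sla = 4 if req.urgency == "urgent" else 24
    if not req.justification.strip():
        return Decision("rejected", [], None, sla, "justification required")
    if req.end_date is not None and req.end_date <= now:
        return Decision("rejected", [], None, sla, "end date must be in the future")
    # Standard tools on the role's list are auto-approved; a temporary request
    # still carries its end date so it is auto-revoked.
    if req.tool in standard_access(req.department):
        return Decision("auto-approved", [], req.end_date, sla, "on role access list")
    elevated = is_elevated(req.tool)
    if req.end_date is not None:
        # Assumption: the 72h cap applies to temporary elevated requests.
        if elevated and req.end_date - now > MAX_TEMP_ELEVATED:
            return Decision("rejected", [], None, sla,
                            "temporary elevated access limited to 72 hours")
        return Decision("manager", ["manager"], req.end_date, sla,
                        "temporary access, auto-revoke at end date")
    if elevated:
        return Decision("manager-hr-it", ["manager", "hr", "it"], None, sla,
                        "elevated access requires full approval chain")
    # Assumption: permanent, non-standard, non-elevated tools need manager approval.
    return Decision("manager", ["manager"], None, sla, "non-standard tool: manager approval")


NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)   # constructed reference time


def run_examples() -> dict:
    """Route a handful of constructed requests; returns {label: route}."""
    cases = {
        "standard": AccessRequest("a.lee", "engineering", "jira", "sprint work"),
        "elevated": AccessRequest("a.lee", "engineering", "aws-prod-admin", "incident response"),
        "temporary": AccessRequest("b.kim", "sales", "figma-view", "campaign review",
                                   end_date=NOW + timedelta(days=14)),
        "temp-elevated-too-long": AccessRequest("c.ng", "finance", "netsuite-admin",
                                                "year-end close", end_date=NOW + timedelta(days=5)),
        "no-justification": AccessRequest("d.ob", "marketing", "hubspot", "   "),
    }
    return {label: route_request(req, now=NOW).route for label, req in cases.items()}


if __name__ == "__main__":
    for label, route in run_examples().items():
        print(f"{label:24s} -> {route}")
```

Because the elevated check runs on the tool name only after the role-list check, a tool the matrix already grants to a department (for example `hris-admin` for HR) is auto-approved, which is exactly the page's "on access list for role" rule; anything not on the list has to justify itself through the chain.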

## Access Revocation (Offboarding)

```
ACCESS REVOCATION PROTOCOL
===========================

Trigger: Offboarding workflow initiated

Scheduled revocation (voluntary):
  → Set for 5:01 PM on last working day
  → Staged revocation:
      1. 5:00 PM: Disable email (can't send new messages)
      2. 5:01 PM: Revoke SSO access (logs out of all sessions)
      3. 5:05 PM: Remove from distribution lists and channels
      4. 5:10 PM: Revoke SaaS access (API tokens, cloud accounts)
      5. 5:15 PM: Disable MFA enrollment (prevents re-enrollment)
  → Grace period: 24 hours (in case of timing error)
  → Forwarding: Set up email forwarding to manager for 30 days

Immediate revocation (involuntary/security concern):
  → IT revokes SSO immediately (within 15 minutes of instruction)
  → Physical escort to collect belongings
  → All systems locked before employee leaves building
  → Legal/HR notification of revocation timestamp

Data preservation:
  → Employee's files archived (not deleted) for 7 years
  → Calendar events cancelled or reassigned
  → Open projects transferred to designated owner
  → Slack messages preserved in channel history
```

## Security Policies

```
ACCESS SECURITY FRAMEWORK
==========================

Password policy:
  → Managed by SSO (no individual passwords for most tools)
  → SSO password: Min 12 characters, changed annually
  → MFA required for all accounts (no exceptions)
  → Session timeout: 30 minutes (internal tools), 8 hours (external)

Least privilege principle:
  → Start with minimum required access
  → Escalate only with documented business need
  → Temporary elevated access: Max 72 hours, auto-revoke
  → Admin access: Just-in-time provisioning, time-limited

Access reviews:
  → Monthly: Automated stale access detection (>90 days inactive)
  → Quarterly: Manager certification of direct report access
  → Semi-annually: HR reviews sensitive data access
  → Annually: Full access audit across all systems

Termination scenarios:
  → Voluntary: Scheduled revocation on last day
  → Involuntary: Immediate revocation
  → Layoff: Batch revocation with COBRA notification timing
  → Contractor end: Immediate revocation on contract end date
```
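The staged revocation timeline in the Offboarding section and the review rules above (monthly stale-access detection after 90 days inactive, temporary elevated access capped at 72 hours, admin access only just-in-time) are both mechanical enough to automate. The Python below is an added example, not code from this playbook: one function turns a last working day into the page's 5:00 to 5:15 PM revocation stages, and another sweeps a list of grants and returns the revocation actions a reviewer would expect. Grant records, user names and the reference time are constructed; treating a never-used grant's grant date as its last activity, and flagging any standing (non-expiring) elevated grant as a JIT violation, are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import List, Optional, Tuple

STALE_AFTER = timedelta(days=90)          # Access reviews: >90 days inactive
MAX_TEMP_ELEVATED = timedelta(hours=72)   # Least privilege: temporary elevated max 72h

# Staged revocation from the page, as minutes after 5:00 PM on the last working day.
REVOCATION_STAGES = [
    (0, "disable email"),
    (1, "revoke SSO access (log out all sessions)"),
    (5, "remove from distribution lists and channels"),
    (10, "revoke SaaS access, API tokens, cloud accounts"),
    (15, "disable MFA enrollment"),
]


def revocation_schedule(last_working_day: date, tz=timezone.utc) -> List[Tuple[datetime, str]]:
    """Concrete timestamps for each revocation stage on the given last day."""
    base = datetime.combine(last_working_day, time(17, 0), tzinfo=tz)
    return [(base + timedelta(minutes=m), action) for m, action in REVOCATION_STAGES]


@dataclass
class Grant:
    user: str
    system: str
    granted_at: datetime
    last_used: Optional[datetime]     # None = never used since grant
    expires_at: Optional[datetime]    # None = permanent
    elevated: bool = False


def review_grants(grants: List[Grant], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, system, reason) for every grant that should be revoked or escalated."""
    actions = []
    for g in grants:
        # Assumption: a never-used grant counts as inactive since it was granted.
        last_activity = g.last_used or g.granted_at
        if g.expires_at is not None and g.expires_at <= now:
            actions.append((g.user, g.system, "temporary grant expired"))
        elif g.elevated and g.expires_at is not None \
                and g.expires_at - g.granted_at > MAX_TEMP_ELEVATED:
            actions.append((g.user, g.system, "temporary elevated grant exceeds 72h"))
        elif g.elevated and g.expires_at is None:
            # Assumption: admin access must be JIT and time-limited, so standing grants are flagged.
            actions.append((g.user, g.system, "standing admin access; must be time-limited (JIT)"))
        elif now - last_activity > STALE_AFTER:
            actions.append((g.user, g.system, "stale: no activity in 90 days"))
    return actions


NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)   # constructed review time


def _dt(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed grant records covering the cases the policy names.
SAMPLE_GRANTS = [
    Grant("a.lee", "github", _dt(2024, 1, 10), _dt(2024, 6, 1), None),
    Grant("b.kim", "salesforce", _dt(2024, 1, 10), _dt(2024, 2, 15), None),
    Grant("c.ng", "aws-prod-admin", _dt(2024, 5, 30, 10), _dt(2024, 5, 30, 11),
          _dt(2024, 6, 2, 10), elevated=True),
    Grant("d.ob", "netsuite-admin", _dt(2024, 6, 2, 9), None, _dt(2024, 6, 6, 9), elevated=True),
    Grant("e.fu", "hris-admin", _dt(2024, 3, 1), _dt(2024, 6, 2), None, elevated=True),
    Grant("f.gh", "jira", _dt(2024, 2, 1), None, None),
]


def demo_review() -> List[Tuple[str, str, str]]:
    return review_grants(SAMPLE_GRANTS, NOW)


def demo_schedule() -> List[str]:
    return [f"{ts.strftime('%H:%M')} {action}"
            for ts, action in revocation_schedule(date(2024, 6, 14))]


if __name__ == "__main__":
    for line in demo_schedule():
        print(line)
    for user, system, reason in demo_review():
        print(f"{user:8s} {system:16s} {reason}")
```

Run on a real identity provider export, the sweep would feed the monthly stale-access job and the quarterly manager certification; the schedule function is the piece an offboarding workflow would hand to a scheduler so that revocation is triggered by time, not by someone remembering to click.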

## Integration Points

- Identity provider (Okta, Azure AD, Auth0): SSO and MFA
- HRIS: Employee records, start/end dates, role data
- IT ticketing: Access request and issue tracking
- Slack/Teams: Channel provisioning
- Cloud platforms (AWS, GCP, Azure): Role-based access
- SaaS tools: License management and provisioning APIs
- MDM (MobileIron, Jamf): Device management

## Edge Cases

- **Joint access** (shared accounts): Not permitted — each person gets individual account
- **Interim access** (backfill, acting role): Temporary access with defined end date
- **Cross-department projects**: Temporary access group, auto-remove when project ends
- **Third-party contractors**: Limited access via separate contractor SSO group, daily access review
- **Executive offboarding**: Staggered revocation — board portal access maintained post-departure for transition period
- **Emergency access** (break-glass): Documented process, dual-approval, full audit logging, time-limited
