Authentication/Authorization Model
Overview
This document is the starting point for understanding our authentication/authorization model. It is a joint effort between the business and engineering teams to provide a single source of truth for identifying teams, managing costs, and authorizing individuals.
Authentication Workflow
The authentication flow starts from CIDM. All individuals belong to multiple groups in CIDM, and we use these groups to identify them. We use Okta as our authentication broker for all applications managed by us (currently ace-infra), with the exception of some legacy applications and applications not managed by us (such as GitHub).
Here is the sequence diagram of authentication/authorization workflow:
Standards
Here are some standards we use when it comes to authorization:
- Unless explicitly mentioned, the smallest permission boundary is the team; that is, we do not authorize individuals.
- All team details must be maintained and updated in the teams spreadsheet. If we cannot find a requester in this sheet, the request will be delayed until the fields are populated.
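The following is an added example (not code from this page or from any of our applications) of how the group-based model above can be enforced at the application layer: a requester is identified only by the CIDM groups carried in their token, and a policy may grant access to team groups only, never to an individual. It assumes that the token has already been validated by the Okta-integrated application, that CIDM groups reach the application through a `groups` claim, and that team groups and resource names look like the constructed samples below; none of these details come from the page.

```python
"""Team-level authorization check (added example, not the page's own code).

Assumptions (not from the page):
- The identity token has already been validated (signature, issuer, expiry)
  by the Okta-integrated application; only its decoded claims are used here.
- CIDM groups are surfaced to the application through a `groups` claim.
- Policy entries grant access to team groups only; an individual identifier
  (an e-mail address) is never a valid grantee.
"""
import re
from typing import Dict, Set

# Maps a resource/action to the set of team groups allowed to use it.
Policy = Dict[str, Set[str]]

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_policy(policy: Policy) -> None:
    """Reject policies that grant to individuals instead of teams.

    The smallest permission boundary is the team, so an e-mail address as a
    grantee is a policy error rather than something to silently honour.
    """
    for resource, grantees in policy.items():
        if not grantees:
            raise ValueError(f"{resource}: empty grantee set")
        for grantee in grantees:
            if _EMAIL.match(grantee):
                raise ValueError(
                    f"{resource}: '{grantee}' is an individual, not a team group"
                )


def authorize(claims: dict, resource: str, policy: Policy) -> bool:
    """Allow if any of the requester's CIDM groups is granted on the resource.

    Fails closed: a missing or malformed `groups` claim denies, and so does
    an unknown resource. The `sub`/`email` claims are deliberately ignored.
    """
    groups = claims.get("groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return False
    allowed = policy.get(resource, set())
    return any(g in allowed for g in groups)


# Constructed sample policy and claims; group and resource names are made up.
SAMPLE_POLICY: Policy = {
    "cost-report:read": {"team-ace-infra", "team-finance"},
    "cluster:deploy": {"team-ace-infra"},
}

SAMPLE_CLAIMS = {
    "sub": "00u-example",  # constructed Okta subject identifier
    "email": "alice@example.com",
    "groups": ["team-finance", "all-staff"],
}


def demo() -> Dict[str, bool]:
    """Run the sample requester against each sample resource."""
    validate_policy(SAMPLE_POLICY)
    return {
        "cost-report:read": authorize(SAMPLE_CLAIMS, "cost-report:read", SAMPLE_POLICY),
        "cluster:deploy": authorize(SAMPLE_CLAIMS, "cluster:deploy", SAMPLE_POLICY),
        "unknown": authorize(SAMPLE_CLAIMS, "unknown", SAMPLE_POLICY),
    }


if __name__ == "__main__":
    print(demo())
```

The decision never looks at `sub` or `email`, which is what makes the team the effective permission boundary: a requester whose token carries no `groups` claim is denied rather than looked up by name, and a policy that names a person fails validation before it can be loaded.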