Automated Permission Provisioning

This article describes the workflows Arnica supports for granting permissions to GitHub assets.

Overview

Permissions mitigation requires behavioral context, but in some cases, developers may need access to source code immediately without any friction, and new employees need to have a smooth onboarding process.

Therefore, Arnica provides two mechanisms to provision permissions:

  1. Self-Service access request and provisioning via Slack

  2. Automated access provisioning based on a Team membership event

Self-Service Access Request and Provisioning via Slack

Users can request a permission via Slack and it can be granted automatically based on the Self-Service Policy defined in Arnica.

To enable self-service access management, integrate Arnica with Slack and define the Self-Service Policy under the Admin section.

Upon integration of Arnica's bot and initial configuration of Arnica's Self-Service Policy, any Slack user in the organization can chat with the bot by writing "/arnica", which will open up a dialog to request a Write/Maintain/Admin permission to any asset that is defined in the Self-Service Policy. For example, if the scope in the Self-Service policy is "All Organizations", the Slack users will see all organizations and repositories. However, if the scope is for individually selected organizations or repositories, only the selected organization and repositories will be visible to the Slack user.

The automated permission provisioning is based on the action defined in the Self-Service Policy. For example, the policy can be configured to automatically grant Write access to anyone whose permissions were mitigated by Arnica in the last X days, while a new user will need to get an approval via Slack before the permission is provisioned automatically by Arnica.

Automated access provisioning based on a Team membership event

Arnica mitigates individual permissions between each identity and an asset (e.g. repository, branch) without modifying identity memberships in Teams. In the event that not all members of a Team require the team's level of permission, Arnica may reduce the permission of a Team to the minimum necessary level. However, individual members will be granted a direct permission according to their behavior.

For example, if multiple users are part of a Team that has Admin access to a repository, and Arnica identifies that one of the members' Admin permission is excessive, Arnica will grant direct Admin permission to the users who are active in the repository and reduce the Team's permission to Write.

More information about mitigation options can be found here.

Due to the complexity of maintaining these permissions while enabling high development velocity, Arnica utilizes the existing processes its customers use when granting permissions via Team memberships.

Arnica listens to the events where members are added to Teams and adjusts the permissions automatically based on the permissions each Team had to each asset prior to the mitigation. For example, in the previous case, where a Team had its permission reduced from Admin to Write after a mitigation, if a new user is added to this Team, Arnica will grant the user a direct Admin permission automatically.
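The event-driven flow described above, as an added illustration that is not Arnica's own code: a Team is reduced to the minimum level, its active members keep the old level as a direct grant, and a later membership event re-provisions the pre-mitigation level to the new member, with every change appended to an audit list. The role ordering, the team and user names, and the "read" baseline for users with no grant are assumptions.

```python
from dataclasses import dataclass, field

# GitHub repository roles, least to most privileged (assumed ordering).
LEVELS = ["read", "triage", "write", "maintain", "admin"]

@dataclass
class Repo:
    team_perm: dict                  # team -> level the team currently holds on the repo
    members: dict                    # team -> set of user logins
    active: set                      # users whose behaviour justifies the higher level
    direct_perm: dict = field(default_factory=dict)     # user -> directly granted level
    pre_mitigation: dict = field(default_factory=dict)  # team -> level before mitigation
    audit: list = field(default_factory=list)           # (action, subject, level, reason)

def mitigate_team(repo, team, min_level):
    """Reduce a team to the minimum level; active members keep the old level directly."""
    original = repo.team_perm[team]
    if LEVELS.index(min_level) >= LEVELS.index(original):
        return False                                   # nothing to reduce
    repo.pre_mitigation[team] = original
    repo.team_perm[team] = min_level
    repo.audit.append(("team_reduced", team, min_level, f"was {original}"))
    for user in sorted(repo.members[team] & repo.active):
        repo.direct_perm[user] = original
        repo.audit.append(("direct_grant", user, original, "active member"))
    return True

def on_member_added(repo, team, user):
    """Team membership event: re-provision the team's pre-mitigation level directly."""
    repo.members[team].add(user)
    original = repo.pre_mitigation.get(team)
    if original is None:
        return None                                    # team was never mitigated
    if LEVELS.index(repo.direct_perm.get(user, "read")) < LEVELS.index(original):
        repo.direct_perm[user] = original
        repo.audit.append(("direct_grant", user, original, f"added to {team}"))
    return repo.direct_perm[user]

def effective(repo, user):
    """Highest level the user holds through any team membership or direct grant."""
    levels = [lvl for t, lvl in repo.team_perm.items() if user in repo.members[t]]
    return max(levels + [repo.direct_perm.get(user, "read")], key=LEVELS.index)

def page_scenario():
    """The text's example: an Admin team reduced to Write, then a new member joins."""
    repo = Repo(team_perm={"backend": "admin"}, members={"backend": {"alice", "bob"}},
                active={"alice"})
    mitigate_team(repo, "backend", "write")
    on_member_added(repo, "backend", "carol")
    return repo
```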

How Does Automated Permission Provisioning Work?

Below are the workflows that describe the two use cases above in more detail:

Frequently Asked Questions

Can I continue managing permissions via GitHub Team membership?

Yes. Arnica will get the event of member addition to a Team and provision all permissions as they were prior to the mitigation.

Do I need to change anything if all permissions are managed centrally via a 3rd-party authorization provider (e.g. Okta)?

No, Arnica will automatically provision the necessary permissions.

Are permission grants logged for audit purposes?

Yes. All permission changes are logged both in Arnica and in the default Slack channel "arnica-notifications".

How does Arnica grant permissions via CODEOWNERS file?

If Arnica mitigated a permission by creating a CODEOWNERS file, a Pull Request will be created that adds the member to the relevant paths where the Team existed prior to the mitigation.

Will a Pull Request be raised for every automated provisioning within a CODEOWNERS file?

Yes. If there are multiple user requests, Arnica will create a Pull Request for each permission grant separately so that each permission can be reviewed individually.
