HackerTrans
TopNewTrendsCommentsPastAskShowJobs

Ask HN: How do tech companies gives permissions of repos to the new employee

10 points·by daemon_9009·3 yıl önce·15 comments
Hi, I recently joined a tech company as SDE, one flaw I found was the way in which they give permissions to their github repos, jira, NuGET and angular packages to the new joiners. The current method they follow is to send mail to IT support with your manager or senior in CC, then manager/senior will send "OK" to the request via the mail, then IT support gives the permission to the respected person manually. How about a solution where we bypass the chain of mails and manual approval of IT support? This solution exists in some companies(they made it by themselves), they made a dedicated platform where everything is one click, the request is approved using github/jira API's. But not all companies can afford to create such a homemade solution, So can it become a Product as a service company? do you feel need for such a thing?

16 comments

alejo·3 yıl önce
At a company I worked for in the last we had one of those homegrown systems to manage identity lifecycle

We couldn’t get rid of the managerial approval as that was needed for auditing and compliance, but the platform made it mostly self-service and automated

In the case of joiners, there were a specific set of permissions that were assigned based in the role they were joining at, and managers always had the chance to add/remove access before day-1

After that, the employee could use the self service platform to request access to other things they may need
daemon_9009·3 yıl önce
Asking for permission this way is ok. But how was it approved? Manually or some API automation?
alejo·3 yıl önce
It has to be approved by a person (the manager/owner) because if you automate that part then it may not be in compliance with certain regulation

If you were to automate the approval then why even ask for approval?

Edit: just to add, you can make the UX for approval as easy as possible (slack integration, bulk approvals, etc) in cases in which is necessary by regulation.

You can also leverage certain attributes of the identity and risk profile to provide automatic approval on certain workflows to streamline the experience
daemon_9009·3 yıl önce
automate the approval means here is that the person who will finally give you the approval, doesn't have to do this manually, he can just automate this permission giving process using github or jira API.
alejo·3 yıl önce
I think I understand this, and I hope this doesn’t sound like me repeating myself.

My point was that there are cases in which you cannot fully automate this (compliance, audits, regulation, etc)

So the solution will be to use Jira’s/GH’s API and build an integration that makes it easy for a manager/owner to approve request, without having to log into Jira/GH
housemusicfan·3 yıl önce
If having your boss approve things via email is a huge problem, you are setting yourself up for a lifelong career of disappointment.
deltasquare4·3 yıl önce
We follow a model similar to concourse/governance. Yaml based files decide team and repo memberships. The PRs have to be approved by a group of people and it's dictated with CODEOWNERS file.
skinner927·3 yıl önce
Active Directory + LDAP integrations. Your manager is able to admin the groups who have rights to source repos, package repos, deployment keys, etc.
rogerkirkness·3 yıl önce
Rippling does this by having roles assigned to groups, and groups receive sets of permissions and access to different apps. Builds all this into one click.
daemon_9009·3 yıl önce
was this made by themselves or outsourced?
satuke·3 yıl önce
I mean it's certain that there's a lot of steps that happens in the onboarding process of a new employee. But do you think that there's a need for this problem to even be solved? Like I doubt people really care, this is a problem people VERY rarely come across. I don't think making a product would be worth the effort to solve this.
mindcrash·3 yıl önce
If SSO is properly set up and combined with a SSO compatible SCM solution like GitHub Enterprise or GitLab Enterprise this becomes rather easy.

Add user account to proper groups from the get go (Because as IT you know what permissions the new employee should have, right? Right?!?) and you are pretty much done.
[deleted]·3 yıl önce
dgunay·3 yıl önce
At one startup I worked for, all our GitHub repos were managed via Terraform. Adding or revoking permissions was easy: just ask DevOps and they'll add your username to the list of developers in the org or grant permissions on a per-repo basis.
cpach·3 yıl önce
I would be surprised if ServiceNow didn’t have a solution for this. Probably quite expensive though.
jamjamjamjamjam·3 yıl önce
Just use terraform github provider.