Hacker News
Ask HN: How do tech companies give permissions of repos to the new employee?
10 points by daemon_9009 on July 10, 2023 | 15 comments
Hi, I recently joined a tech company as an SDE. One flaw I found was the way in which they give permissions to their GitHub repos, Jira, NuGet and Angular packages to the new joiners. The current method they follow is to send mail to IT support with your manager or senior in CC, then the manager/senior will send "OK" to the request via the mail, then IT support gives the permission to the respective person manually. How about a solution where we bypass the chain of mails and manual approval of IT support? This solution exists in some companies (they made it by themselves): they made a dedicated platform where everything is one click, and the request is approved using GitHub/Jira APIs. But not all companies can afford to create such a homemade solution, so can it become a product-as-a-service company? Do you feel a need for such a thing?


At a company I worked for in the past we had one of those homegrown systems to manage identity lifecycle

We couldn’t get rid of the managerial approval as that was needed for auditing and compliance, but the platform made it mostly self-service and automated

In the case of joiners, there was a specific set of permissions that were assigned based on the role they were joining at, and managers always had the chance to add/remove access before day-1

After that, the employee could use the self service platform to request access to other things they may need


Asking for permission this way is ok. But how was it approved? Manually or some API automation?


It has to be approved by a person (the manager/owner) because if you automate that part then it may not be in compliance with certain regulations

If you were to automate the approval then why even ask for approval?

Edit: just to add, you can make the UX for approval as easy as possible (Slack integration, bulk approvals, etc) in cases in which it is necessary by regulation.

You can also leverage certain attributes of the identity and risk profile to provide automatic approval on certain workflows to streamline the experience


Automating the approval here means that the person who will finally give you the approval doesn't have to do this manually; he can just automate this permission-giving process using the GitHub or Jira API.


I think I understand this, and I hope this doesn’t sound like me repeating myself.

My point was that there are cases in which you cannot fully automate this (compliance, audits, regulation, etc)

So the solution will be to use Jira’s/GH’s API and build an integration that makes it easy for a manager/owner to approve requests, without having to log into Jira/GH
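
The split discussed in the comments above (a human approval kept for audit, with the grant itself automated through an API), as an added Python example that is not part of the thread. The resource names, the `OWNERS` table and the `grant` callable standing in for the GitHub/Jira API call are assumptions; the hash-chained log is one way to make the approval record tamper-evident.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: resource names and owners are hypothetical.
OWNERS = {"github:payments-api": {"alice"}, "jira:PAY": {"bob"}}

@dataclass
class AccessRequest:
    requester: str
    resource: str
    level: str
    approved_by: Optional[str] = None

def _digest(prev: str, event: dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log; each entry hashes its predecessor so edits are detectable."""
    def __init__(self) -> None:
        self.entries: list = []
    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

def approve(req: AccessRequest, approver: str, log: AuditLog) -> None:
    """Human decision: only an owner of the resource, never the requester."""
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own request")
    if approver not in OWNERS.get(req.resource, set()):
        raise PermissionError(f"{approver} is not an owner of {req.resource}")
    req.approved_by = approver
    log.append({"action": "approve", "request": dict(vars(req))})

def provision(req: AccessRequest, log: AuditLog, grant: Callable[[str, str, str], None]) -> None:
    """Automated step: `grant` stands in for the GitHub/Jira API call."""
    if req.approved_by is None:
        raise PermissionError("no recorded approval; refusing to grant")
    grant(req.requester, req.resource, req.level)
    log.append({"action": "grant", "request": dict(vars(req))})
```
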


If having your boss approve things via email is a huge problem, you are setting yourself up for a lifelong career of disappointment.


We follow a model similar to concourse/governance. YAML-based files decide team and repo memberships. The PRs have to be approved by a group of people and it's dictated with a CODEOWNERS file.


Active Directory + LDAP integrations. Your manager is able to admin the groups who have rights to source repos, package repos, deployment keys, etc.


Rippling does this by having roles assigned to groups, and groups receive sets of permissions and access to different apps. Builds all this into one click.


Was this made by themselves or outsourced?


I mean it's certain that there are a lot of steps that happen in the onboarding process of a new employee. But do you think that there's a need for this problem to even be solved? Like I doubt people really care, this is a problem people VERY rarely come across. I don't think making a product would be worth the effort to solve this.


If SSO is properly set up and combined with an SSO-compatible SCM solution like GitHub Enterprise or GitLab Enterprise this becomes rather easy.

Add user account to proper groups from the get go (Because as IT you know what permissions the new employee should have, right? Right?!?) and you are pretty much done.


At one startup I worked for, all our GitHub repos were managed via Terraform. Adding or revoking permissions was easy: just ask DevOps and they'll add your username to the list of developers in the org or grant permissions on a per-repo basis.


I would be surprised if ServiceNow didn’t have a solution for this. Probably quite expensive though.


Just use the Terraform GitHub provider.



