Access Check (accesschk)

Access Check (accesschk) is a separate pipeline from Access Control (accessctl) that focuses on evidence collection of the current state of users and configuration for each compliance in-scope system. This pipeline automates the extract-transform-load (ETL) process for (e)xtracting/fetching data from the API, formatting/(t)ransforming it into a CSV and JSON datestamped file, and loading it into a GitLab repository for analysis and reference by audit and compliance users.

Not Live Yet

You are viewing a preview of documentation for the future state of GitLab Identity v3 (mid 2024). See the Access Management Policy for the GitLab Identity v2 current state with baseline entitlements and access requests. See the roadmap in the epics gantt chart.

Not the documentation you are looking for?

You are viewing the accesschk engineering deep-dive architecture for audit and compliance evidence collection. We have accessctl engineering architecture documentation for policy management and automated provisioning. We also have a getting started guide for auditors, change management, and tech stack application system owners.

Work in Progress

This page is a work-in-progress. Please check back later for up-to-date details.

CI/CD Pipeline Overview

graph LR subgraph accesschk GitLab Repositories direction LR subgraph accesschk-evidence Repo direction LR end end subgraph accesschk GitLab CI/CD Pipeline Jobs direction LR subgraph Okta API CI_AUDIT_OKTA_USER_JOB["Okta Users Job<br />chk:okta-users"] CI_AUDIT_OKTA_APP_JOB["Okta Apps Job<br />chk:okta-apps"] CI_AUDIT_OKTA_GROUP_JOB["Okta Groups Job<br />chk:okta-groups"] CI_AUDIT_OKTA_POLICY_JOB["Okta Policies Job<br />chk:okta-policies"] CI_AUDIT_OKTA_ADMIN_ROLES_JOB["Okta Admin Roles Job<br />chk:okta-admin-roles"] CI_AUDIT_OKTA_SETTING_JOB["Okta Settings Job<br />chk:okta-settings"] end subgraph Google Workspace Directory API CI_AUDIT_GOOGLE_USER_JOB["Google Users Job<br />chk:google-users"] CI_AUDIT_GOOGLE_ADMIN_ROLES_JOB["Google Admin Roles Job<br />chk:google-admin-roles"] CI_AUDIT_GOOGLE_GROUP_JOB["Google Groups Job<br />chk:google-groups"] CI_AUDIT_GOOGLE_CHROME_JOB["Google Chrome Policies Job<br />chk:google-chrome"] CI_AUDIT_GOOGLE_ORG_UNIT_JOB["Google Org Units Job<br />chk:google-org-units"] end subgraph Google Cloud Resource Manager and IAM API CI_AUDIT_GCP_ORGS_JOB["Google Cloud Organizations Job<br />chk:gcp-organizations"] CI_AUDIT_GCP_FOLDERS_JOB["Google Cloud Folders Job<br />chk:gcp-folders"] CI_AUDIT_GCP_PROJECTS_JOB["Google Cloud Projects Job<br />chk:gcp-projects"] CI_AUDIT_GCP_SERVICE_ACCOUNTS_JOB["Google Cloud Service Accounts Job<br />chk:gcp-service-accounts"] CI_AUDIT_GCP_BILLING_ACCOUNTS_JOB["Google Cloud Billing Accounts Job<br />chk:gcp-billing-accounts"] end subgraph GitLab.com SaaS API CI_AUDIT_GITLAB_SAAS_GROUP_JOB["GitLab SaaS Groups Job<br />chk:gitlab-saas-groups"] CI_AUDIT_GITLAB_SAAS_PROJECTS_JOB["GitLab SaaS Projects Job<br />chk:gitlab-saas-projects"] CI_AUDIT_GITLAB_SAAS_ADMIN_JOB["GitLab SaaS Admin Roles Job<br />chk:gitlab-saas-admins"] end subgraph GitLab Self-Managed Instance API CI_AUDIT_GITLAB_SELF_GROUP_JOB["GitLab Self-Managed Groups Job<br />chk:gitlab-self-groups"] CI_AUDIT_GITLAB_SELF_PROJECTS_JOB["GitLab Self-Managed Projects Job<br />chk:gitlab-self-projects"] CI_AUDIT_GITLAB_SELF_ADMIN_JOB["GitLab Self-Managed Admin Roles Job<br />chk:gitlab-self-admins"] end end

Last modified November 14, 2024: Fix broken external links (ac0e3d5e)

View page source - Edit this page - please contribute.