Account Provisioning
This document defines the process for creating, managing, and revoking accounts across all EGI services. Account provisioning is owned by the operations lead, with input from managers on role assignments and project access.
Provisioning Workflow
New Account Request
-
Manager submits request: When a new hire is confirmed or an existing team member needs access to a new service, the manager posts in the
#operationsSlack channel with:- Full name of the team member
- Role (Developer, Designer, PM, Operations)
- Services needed (or "standard for role" to use the default matrix)
- Specific project repositories or teams (if applicable)
- Start date
-
Operations lead processes request: The operations lead creates accounts according to the access matrix and naming conventions defined below.
-
Credentials delivered securely: Temporary passwords or invitation links are sent via an encrypted channel (Slack DM or password manager share). Never send credentials via email.
-
New hire confirms access: The new hire verifies access to each service and confirms in
#operations. MFA must be enabled within 24 hours. -
Operations lead verifies: The operations lead checks that MFA is enabled and permissions are correct within 48 hours of provisioning.
Account Creation by Service
GitHub Organization Invite
- Navigate to the EGI GitHub organization > Settings > People
- Click "Invite member"
- Enter the new hire's GitHub username or email
- Set role to "Member" (never "Owner" unless explicitly approved)
- Add to the appropriate team(s) based on project assignment
- Set repository permissions through team membership, not individual grants
Team naming convention: project-[name] for project teams, role-[name] for role-based teams (e.g., project-life-central, role-developers).
Slack Workspace
- Open Workspace Administration > Invite People
- Send invitation to the new hire's EGI email address
- Once they join, add them to default channels:
#general,#engineering,#operations - Add to project-specific channels as directed by the manager
- Set their display name to match the naming convention (First Last)
Vercel Team
- Open Vercel Team Settings > Members
- Click "Invite Member"
- Enter the new hire's EGI email
- Set role based on their position:
- Developer: Developer role (can deploy and configure)
- PM / Designer: Viewer role (can view deployments and logs)
- Operations: Admin role
- Confirm they can access the relevant project dashboards
PostHog
- Open PostHog Organization Settings > Members
- Invite by EGI email
- Set role: Member for developers, Viewer for PMs
- Confirm access to the correct project(s)
ERPNext
- Log in as administrator
- Navigate to Users > Add User
- Create with
firstname.lastname@egintegrations.com - Assign role modules based on job function (PM: Projects, HR; Operations: all modules)
- Enable MFA requirement
SuiteDash
- Log in as admin
- Navigate to Staff > Add Staff Member
- Create account with EGI email
- Set permissions based on role
- Send invitation link
Naming Conventions
Consistent naming across all services is required for auditability and ease of management.
| Service | Username Format | Display Name Format |
|---|---|---|
firstname.lastname@egintegrations.com | First Last | |
| GitHub | Personal username (linked to org) | First Last |
| Slack | firstname.lastname | First Last |
| Vercel | EGI email | First Last |
| PostHog | EGI email | First Last |
| ERPNext | firstname.lastname@egintegrations.com | First Last |
| SuiteDash | EGI email | First Last |
Conflict Resolution
If two team members share the same first and last name:
- Add a middle initial:
firstname.m.lastname - If still conflicting, use a numeric suffix:
firstname.lastname2 - Document the exception in the access matrix
Access Matrix by Role
This matrix defines the default access for each role. Project-specific access is layered on top.
| Service | Developer | Designer | PM | Operations |
|---|---|---|---|---|
| Standard | Standard | Standard | Admin | |
| GitHub | Write (assigned repos) | Read (design repos) | Read (assigned repos) | Admin |
| Slack | Member | Member | Member | Admin |
| Vercel | Developer | Viewer | Viewer | Admin |
| PostHog | Member | -- | Viewer | Admin |
| ERPNext | -- | -- | Projects module | Admin |
| Cloudflare | -- | -- | -- | Admin |
| SuiteDash | Member | Member | Full | Admin |
A dash (--) indicates no access is granted by default. Access can be requested through the standard approval workflow.
Approval Workflow
Standard Access (Within Role Matrix)
No additional approval needed. The operations lead provisions based on the manager's request and the access matrix above.
Non-Standard Access
When a team member needs access outside their role's default matrix:
- Manager posts a request in
#operationswith justification - Operations lead reviews the request against security principles (least privilege)
- If approved, access is granted and documented as an exception in the access matrix
- Non-standard access is flagged for review during quarterly access audits
Temporary Elevated Access
For debugging, incident response, or one-time tasks requiring higher privileges:
- Request in
#operationswith scope and time limit - Operations lead grants access with a documented expiration
- Access is revoked at the stated time (or immediately after the task, whichever comes first)
- The escalation is logged for audit purposes
Deprovisioning
Account deprovisioning follows the Offboarding Procedures. The key principle: revoke all access on the employee's final day, rotate any shared credentials within 24 hours, and verify revocation within one week.