Account Access
This document defines which accounts are provisioned for each role at EGI, the steps to provision them, naming conventions, and multi-factor authentication requirements.
Accounts by Role
The following matrix shows which services each role requires access to. The operations lead provisions all accounts before or on the new hire's first day.
| Service | Developer | Designer | Project Manager | Operations Lead |
|---|---|---|---|---|
| Email (egintegrations.com) | Yes | Yes | Yes | Yes |
| GitHub (EGI org) | Yes | As needed | Read-only | Yes |
| Slack (EGI workspace) | Yes | Yes | Yes | Yes |
| Vercel | Yes | Viewer | Viewer | Yes |
| PostHog | Yes | No | Yes | Yes |
| ERPNext | No | No | Yes | Yes |
| Cloudflare | No | No | No | Yes |
| SuiteDash | Yes | Yes | Yes | Yes |
Role-Specific Notes
- Developers receive write access to repositories relevant to their assigned projects. Access to additional repositories is granted upon request and manager approval.
- Designers receive GitHub access only when they need to work directly with code assets (e.g., design tokens, SVG assets in a repository).
- Project Managers receive read-only GitHub access to monitor progress; they do not merge or approve PRs.
- Operations Leads have admin-level access across all services and are responsible for provisioning and deprovisioning.
Provisioning Steps
Email
- Log in to the email admin panel
- Create the account using the `firstname.lastname@egintegrations.com` format
- Set a temporary password and send it securely to the new hire (use an encrypted channel, not plaintext email)
- Require password change on first login
- Enable MFA immediately after first login
GitHub
- Navigate to the EGI GitHub organization settings
- Invite the new hire by their GitHub username or email
- Assign them to the appropriate team(s) based on their project assignment
- Set repository permissions: `write` for developers on assigned repos, `read` for PMs
- Confirm the new hire has accepted the invitation
Slack
- Open the EGI Slack workspace admin panel
- Send an invitation to the new hire's EGI email address
- Once they join, add them to the following default channels: `#general`, `#engineering`, `#operations`
- Add them to project-specific channels as directed by their manager
Vercel
- Open the EGI Vercel team settings
- Invite the new hire by email
- Set their role: `Developer` for engineers, `Viewer` for PMs and designers
- Confirm they can access the relevant project dashboards
PostHog
- Open PostHog organization settings
- Invite by email with the appropriate role (`Member` for developers, `Viewer` for PMs)
- Confirm access to the relevant project dashboards
ERPNext
- Log in to the ERPNext instance as admin
- Create a new user with the `firstname.lastname@egintegrations.com` email
- Assign the appropriate role(s) based on their job function
- Send login credentials securely
SuiteDash
- Log in to SuiteDash as admin
- Create a new staff account with appropriate permissions
- Send the invitation link to the new hire's EGI email
Naming Conventions
All accounts across all services must follow a consistent naming convention:
| Field | Format | Example |
|---|---|---|
| Email | firstname.lastname@egintegrations.com | jane.smith@egintegrations.com |
| GitHub display name | Full legal name | Jane Smith |
| Slack display name | First name Last name | Jane Smith |
| Slack username | firstname.lastname | jane.smith |
| Vercel | Use EGI email for invitation | -- |
If a naming conflict exists (e.g., two people with the same name), append a middle initial: firstname.m.lastname.
MFA Requirements
Multi-factor authentication is mandatory for all EGI services that support it. This is non-negotiable.
| Service | MFA Required | Supported Methods |
|---|---|---|
| Email | Yes | TOTP app (preferred), SMS (fallback) |
| GitHub | Yes | TOTP app, security key, GitHub Mobile |
| Slack | Yes | TOTP app |
| Vercel | Yes | TOTP app |
| Cloudflare | Yes | TOTP app, security key |
| ERPNext | Yes | TOTP app |
MFA Setup Rules
- MFA must be enabled within 24 hours of account creation
- TOTP-based authenticator apps (e.g., Authy, 1Password, Google Authenticator) are the preferred method
- SMS-based MFA is accepted only as a fallback when TOTP is not available; SMS codes can be intercepted or captured via SIM swap, so switch to a TOTP app as soon as one is available
- Recovery codes must be stored securely (password manager, not plaintext)
- The operations lead will verify MFA enrollment during the Week 1 access audit
Quarterly Access Reviews
Every quarter, the operations lead conducts a review of all active accounts to ensure:
- No former employees retain access to any service
- Permissions match current role assignments (no privilege creep)
- MFA is still enabled on all accounts
- Unused or dormant accounts are flagged for deactivation
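The checks above (and the naming convention in the earlier section) can be scripted once each service's account list is exported. The following is an added example, not EGI's own tooling: it compares constructed service exports against a constructed HR roster and the role matrix from this page, and flags accounts with no active employee, access that does not match the role, MFA disabled where the MFA table requires it, and dormant accounts. The 90-day dormancy window, the per-service access-level strings, and the roster and export data are assumptions made for the example.

```python
"""Quarterly access review: added example, not EGI's own tooling.

Flags orphaned accounts, privilege creep against the role matrix, MFA
disabled on services that require it, dormant accounts, and names that
break the firstname.lastname convention. Data and thresholds are
constructed assumptions for the example.
"""
import re
from datetime import date, timedelta

DOMAIN = "egintegrations.com"
# firstname.lastname, or firstname.m.lastname when a conflict needs a middle initial
EMAIL_RE = re.compile(r"^[a-z]+\.(?:[a-z]\.)?[a-z]+@" + re.escape(DOMAIN) + r"$")

# Expected access level per service and role, transcribed from the role matrix.
# None = no account expected; "*" = "as needed" (any level accepted).
# Level strings are assumptions about what each service's export calls them.
ROLE_MATRIX = {
    "github":     {"developer": "write",     "designer": "*",      "project_manager": "read",   "operations_lead": "admin"},
    "vercel":     {"developer": "developer", "designer": "viewer", "project_manager": "viewer", "operations_lead": "admin"},
    "posthog":    {"developer": "member",    "designer": None,     "project_manager": "viewer", "operations_lead": "admin"},
    "erpnext":    {"developer": None,        "designer": None,     "project_manager": "user",   "operations_lead": "admin"},
    "cloudflare": {"developer": None,        "designer": None,     "project_manager": None,     "operations_lead": "admin"},
}
MFA_REQUIRED = {"github", "vercel", "erpnext", "cloudflare"}   # from the MFA table
DORMANT_AFTER = timedelta(days=90)                             # assumption: not set on the page
TODAY = date(2024, 6, 10)                                      # constructed review date

# Constructed HR roster: currently employed people and their roles.
ROSTER = {
    "jane.smith@egintegrations.com": "developer",
    "ravi.patel@egintegrations.com": "project_manager",
    "mei.chen@egintegrations.com":   "operations_lead",
}

# Constructed service exports, one row per account, as an admin CSV might provide.
EXPORTS = {
    "github": [
        {"email": "jane.smith@egintegrations.com",  "level": "write", "mfa": True, "last_login": date(2024, 6, 1)},
        {"email": "ravi.patel@egintegrations.com",  "level": "write", "mfa": True, "last_login": date(2024, 5, 28)},
        {"email": "olu.adeyemi@egintegrations.com", "level": "write", "mfa": True, "last_login": date(2024, 2, 3)},
    ],
    "vercel": [
        {"email": "jane.smith@egintegrations.com", "level": "developer", "mfa": False, "last_login": date(2024, 6, 2)},
        {"email": "mei.chen@egintegrations.com",   "level": "admin",     "mfa": True,  "last_login": date(2024, 1, 15)},
    ],
    "cloudflare": [
        {"email": "mei.chen@egintegrations.com",  "level": "admin", "mfa": True, "last_login": date(2024, 6, 3)},
        {"email": "JaneSmith@egintegrations.com", "level": "admin", "mfa": True, "last_login": date(2024, 6, 3)},
    ],
}


def review(roster, exports, today):
    """Return sorted (service, email, finding) triples for every problem found."""
    findings = []
    for service, rows in exports.items():
        for row in rows:
            email, level = row["email"], row["level"]
            if not EMAIL_RE.match(email):
                findings.append((service, email, "naming convention violated"))
            role = roster.get(email)
            if role is None:
                # No active employee behind the account: former hire or unknown identity.
                findings.append((service, email, "no active employee (deprovision)"))
                continue
            expected = ROLE_MATRIX.get(service, {}).get(role)
            if expected is None:
                findings.append((service, email, f"role {role} should have no account here"))
            elif expected != "*" and level != expected:
                findings.append((service, email, f"privilege creep: has {level}, role expects {expected}"))
            if service in MFA_REQUIRED and not row["mfa"]:
                findings.append((service, email, "MFA disabled"))
            if today - row["last_login"] > DORMANT_AFTER:
                findings.append((service, email, "dormant (flag for deactivation)"))
    return sorted(findings)


if __name__ == "__main__":
    for service, email, finding in review(ROSTER, EXPORTS, TODAY):
        print(f"{service:<11} {email:<36} {finding}")
```

Accounts that the role matrix says should exist but are missing from an export are deliberately not reported: the quarterly review is about removing access, and a missing account is a provisioning ticket, not a security finding.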