At LEANSTACK, we implement a least-privilege policy: every user (employee or application) may access only the information and resources necessary to get their job done. We use separate accounts for application access to databases and for automated code deployments.
Typical employee jobs are divided into the following functional groups:
- Oversees, approves, and enforces access across all the groups. Has admin access to all systems and 3rd party tools.
- A developer only needs read/write access to GitHub, where LEANSTACK source code is maintained. A developer does not have access to staging or production instances. Code is deployed to staging by a deployment hook on check-in, once tests pass CI. Code is pushed to production by a DevOps team member.
- A DevOps member has read/write access to GitHub and read/write access to Heroku, where LEANSTACK instances and 3rd party apps for monitoring, logs, and analytics are hosted.
- Read/write access to analytics tools like Google Analytics and Visual Website Optimizer.
- Read/write access to the Stripe payment gateway system.
You may be granted access to more than one functional group depending on your responsibilities, but access must be requested and approved by an Admin. To request access, DM an admin in Slack.