Summary

Grant can represent access for non-individual users like service accounts and groups for GCP providers. Ideally, those grants should be owned by a group of people for visibility and access maintainability, so that when the main owner is no longer available, anyone else can still maintain the access. This multiple ownership will mostly be used as a notification channel when the access is about to expire.

Proposed solution

1. (Option 1) Add `co_owners` field in Grant

`co_owners` is a list of individual emails.

Pros:
- Can have a concept of main owner and additional ones
- This approach is simpler in implementation since it is a new column/field addition to the Grant entity

Cons:
- When it comes to expiring access notifications, need to make sure that the notification is sent to both the owner and the co-owners. Same for other similar use cases (if any)

2. (Option 2) Replace `owner: string` (singular) field with `owners: []string` (multiple)

Pros:
- Simpler domain knowledge as there is no confusion between the "main" owner and the other owners.

Cons:
- Need to migrate the existing `owner` to the new `owners` field (breaking change)

Additional

Assigning grant ownership to a "team" like [email protected] or any other kind of team/group can't be that straightforward since there is no team/group management in Guardian (and let's keep it so). To enable this, Guardian needs to connect with a third-party team management service like Shield or Google Workspace to get team/group membership information.
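The two options above differ only in the shape of the ownership field, but both must satisfy the same operational requirement: an expiry notification has to reach every owner, and the set must not contain duplicates or blanks. The following Go sketch is an added illustration, not Guardian's own code; the `Grant`, `GrantV2`, `NotificationRecipients` and `MigrateToOwners` names are assumptions chosen for this example. It models the Option 1 shape (`Owner` plus `CoOwners`), derives the notification recipient set from it, and shows the Option 2 migration that folds both into a single `Owners` list while keeping the main owner first.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant mirrors the Option 1 shape: the existing singular Owner plus a
// CoOwners list. Field names are hypothetical, not Guardian's real struct.
type Grant struct {
	ID       string
	Resource string
	Owner    string
	CoOwners []string
}

// GrantV2 mirrors the Option 2 shape: one Owners list, no "main" owner field.
type GrantV2 struct {
	ID       string
	Resource string
	Owners   []string
}

// normalizeEmail makes comparisons case-insensitive and drops stray whitespace,
// so "Alice@Example.com " and "alice@example.com" count as the same person.
func normalizeEmail(e string) string {
	return strings.ToLower(strings.TrimSpace(e))
}

// NotificationRecipients returns every address an expiry notification must go
// to: the main owner first, then each co-owner, with duplicates and empty
// entries removed. This is the check the Option 1 "Cons" bullet calls for.
func (g Grant) NotificationRecipients() []string {
	seen := map[string]bool{}
	var out []string
	for _, e := range append([]string{g.Owner}, g.CoOwners...) {
		n := normalizeEmail(e)
		if n == "" || seen[n] {
			continue
		}
		seen[n] = true
		out = append(out, n)
	}
	return out
}

// MigrateToOwners converts an Option 1 record into the Option 2 shape.
// Because NotificationRecipients keeps the main owner at index 0, code that
// still needs "the" owner during a rollout can fall back to Owners[0].
func MigrateToOwners(g Grant) GrantV2 {
	return GrantV2{ID: g.ID, Resource: g.Resource, Owners: g.NotificationRecipients()}
}

func main() {
	// Constructed sample grant: mixed-case duplicate and a blank co-owner entry.
	g := Grant{
		ID:       "grant-1",
		Resource: "projects/example-project",
		Owner:    "Alice@example.com",
		CoOwners: []string{"bob@example.com", "alice@example.com", "", "Carol@example.com"},
	}
	fmt.Println("notify:", g.NotificationRecipients())
	fmt.Println("migrated owners:", MigrateToOwners(g).Owners)
}
```

The deduplication is what keeps a co-owner who is also listed as the main owner from being notified twice, and the empty-string filter guards against a grant whose `owner` was never set being silently dropped from the recipient list with nobody paged at all.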
The text was updated successfully, but these errors were encountered:
Summary
Grant can represent access for non-individual users like service accounts and groups for GCP providers. Ideally, those grants should be owned by a group of people for visibility and access maintainability so that when the main owner is no longer available, anyone else still can maintain the access.
This multiple ownership mostly will be used for channel of notifications purpose when the access is going to expire
Proposed solution
1. (Option 1) Add
co_owners
field in Grantco_owners
is a list of individual emailsPros:
Cons:
2. (Option 2) Replace
owner: string
(singular) field withowners: []string
(multiple)Pros:
Cons:
owners
field (breaking changes)Additional
Assigning grant ownership to a "team" like
[email protected]
or any other kind of team/group can't be that straightforward since there is no team/group management in Guardian (and let's keep it so). To enable this, guardian needs to connect with third-party team management service like shield or google workspace for getting the information of team/group membershipThe text was updated successfully, but these errors were encountered: