Granting read access to production environments
This run book documents the process of granting read access to production environments and the restrictions that exist on doing so.
Pre-requisites
The person requesting access must be security cleared.
A PlatOps-Help ticket must be raised for a person to get access. Do not grant someone access just because they message you via DM.
The person requesting the access must give a reason for why they need it.
Checking for security clearance
You can check the ID Governance section of the Azure Portal by searching for the person's name. If they are listed and the status is Delivered, then the person has been cleared.
When a pull request is submitted to azure-devops-ad, the pipeline will check whether the person has security clearance and post a comment on the pull request to let you know whether it should be approved or not.
If the person is not security cleared, a Do Not Merge label will be added as well.
Granting access
Once you’ve confirmed that the person has security clearance, you can submit a PR or approve an existing PR to add them to the relevant groups.
Do not add someone who is not security cleared to these groups.
There are groups for granting read access to production:
- DTS CFT Production Readers
- DTS SDS Production Readers
Submit a pull request in devops-azure-ad and add the group under the person's name in users/prod_users.yml.