Current process of giving Temporary (Breakglass) production access

This process is as of 30th May 2023.

Summary-

At present the 'breakglass' process to give temporary access to Production environment is manual.

We are working on a breakglass access policy, solution & proposed tools such as CyberArk / Azure Privileged Identity Manager to automate this process.

The process we have is while managing a priority one (P1) incident if someone needs a temporary access to production environment to investigate or fix the issue then most of the times, we ask support team members who already have relevant production access. In case we need to give someone a temporary access then it gets recorded in the incident timeline under the fact that necessary fix or investigation was completed by a certain person. A DevOps story refrence URL (as appropriate and if needed) is mentioned on the incident ticket to audit trail the fix release. Incident timeline is also reflected the release of the fix into production environment. Such a emergency temporary "breakglass" access request must come from Production Operations team representive (Ideally an Incident Manager who is managing the P1 incident in question). No additional approvals are needed.

Example -

Incident - https://supporthub.soteria365.com/helpdesk/tickets/8598

Screenshot of the Incident properties - Look for Prevention steps field mentioning URL of the DevOps user story.

Screenshot of Incident Timeline showing that the fix referred by the DevOps story has been released by Nicholas D. who already had access to production.

What if someone wants an access to Production for certain period to perform their duties?

One example of such access request is External vendor consultant or an Auditor needs production access for a week or two to Audit production environment / investigate production issue.

There are Access requests functions available in Fresh Service.

From https://supporthub.soteria365.com/support/home Select "Request a Service"
Select "Access Requests" from the left hand side pane. You will see various access request function tiles at the right hand side as shown in below screenshot.

If the Access request you are looking for is not there then you need to raise a Miscellaneous Service Request.

Access request functions are still being developed in Fresh Service and eventually we will have them done for all Applications and types of access.

It is the responsibility of the person who originally requested such access, to ensure that once such short period access request is given and when its no longer required then Access Removal ticket should be raised Fresh Service. Such anomalies should get highlighted anyway when we will have all departments doing their quarterly recertification exercise.