Purpose

The purpose of this policy is to limit access to information and information processing systems to authorized parties in order to protect our customers, employees, contractors, and other partners from harm caused by both deliberate and inadvertent misuse.

Furthermore, this policy outlines Sourcegraph’s approach to credential management used for authentication on company assets as application of poor credentials in service and system can lead to disclosure of sensitive information and data breaches. Our intention in publishing this policy is to outline information security practices intended to protect Sourcegraph’s assets, not to impose restrictions.

Scope

This policy applies to all Sourcegraph full-time teammates, interns, temporary contractors, and to all external parties with access to Sourcegraph systems.

Policy

Access to information and information processing systems is limited to employees with a business requirement for such access. Access rights should be granted or revoked in accordance with this Access Control Policy.

Business Requirements of Access Control

Access Control Policy

The level of access granted to individual Sourcegraph users should be based on the “principle of least privilege”. This principle states that users are only granted the level of access absolutely required to perform their job functions, and is dictated by Sourcegraph’s business and security requirements. Permissions and access rights not expressly granted should, by default, be prohibited.

Sourcegraph’s primary method of assigning and maintaining consistent access controls and access rights is through the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions should be allocated to groups. Individual user accounts may be granted additional permissions with a request stating “business need” and approval by the asset/system owner.

<aside> 💡 Related: How to submit an application access request

</aside>

User Access Management

Sourcegraph requires that all personnel have a unique user identifier for system access, and that user credentials and passwords are not shared between multiple personnel. Users with multiple levels of access (e.g. administrators) should be given separate accounts for normal system use and for administrative functions wherever feasible. Root, service, and administrator accounts may use a password management system to share passwords for business continuity purposes only. Administrators should only use shared administrative accounts as needed.

User Registration and Deregistration

Only authorized administrators are permitted to create new user accounts. User provisioning requests must be submitted to the Tech-Ops team and include approval from the asset/system owner of the system additional access is requested for. User IDs are promptly disabled or removed when users leave the organization or contract work ends. User IDs should not be re-used.

User Access Provisioning