Purpose
To define a standardized policy for how developers are granted access to tools, environments, and credentials, and to outline their responsibility in using them securely and responsibly.
This prevents unauthorized access, data leaks, and misuse of critical development resources.
Scope
- Applies to all developers, contractors, and interns who require access to organizational tools.
- Covers:
- Source Code Repositories (GitHub/GitLab/Bitbucket).
- Project Management Tools (Jira, ClickUp, Linear).
- CI/CD Pipelines (GitHub Actions, CircleCI, Jenkins).
- Cloud Services & Environments (AWS/GCP/Azure, staging servers).
- Collaboration Tools (Slack, Teams, Confluence, Notion).
- Secrets & Tokens (API keys, database credentials).
Principles
- Least Privilege Access – Developers only receive the minimum access required for their role.
- Accountability – Every access action is logged, auditable, and traceable.
- Separation of Duties – Sensitive access (e.g., production) is restricted to leads/DevOps, not all developers.
- Time-Bound Access – Temporary roles (contractors, interns) receive time-limited credentials.
- Revocation on Exit – Access is revoked immediately when a developer leaves or changes role.
Rules & Responsibilities
Developer Responsibilities
- Use 2FA on all accounts (mandatory).
- Never share credentials (passwords, tokens, keys).
- Store sensitive credentials in approved vaults (e.g., 1Password, HashiCorp Vault, AWS Secrets Manager).
- Always log out of shared machines/sessions.
- Report any suspicious activity immediately to leads/IT.
- Keep local dev machines updated with latest OS & security patches.
- Respect code of conduct in collaboration tools (Slack/Teams).
Access Rules
| Tool Category | Default Role | Elevated Role | Notes |
| Source Control (GitHub/GitLab) | Read + Write (project repos only) | Admin (Leads only) | No force-push to protected branches |
| Project Management (Jira/ClickUp) | Developer (ticket access) | Manager (create/edit workflows) | Must log work & updates |
| CI/CD (CircleCI, GitHub Actions) | Read logs | Trigger Deploy (Leads only) | Devs cannot modify pipelines without approval |
| Cloud Services (AWS/GCP/Azure) | Staging access only | Production (DevOps/Leads only) | All actions logged |
| Collaboration Tools (Slack/Confluence) | Member | Admin (HR/IT only) | No external sharing |
| Secrets/Tokens | Read (scoped) | Write (DevOps only) | Never hardcode tokens in code |
Governance
- Access Request Workflow: Must go through EPIC 1 – Doc 7 (Access Request SOP).
- Access Reviews: Quarterly audits to ensure least privilege.
- Revocation: Access revoked within 24 hours of role exit/change.
- Violations: Any breach of this policy → disciplinary review + potential revocation of access.
- Escalation: Security incidents are escalated to CTO + Security Lead immediately.
Outcome
- Developers receive just enough access to do their jobs effectively.
- Responsibility for tool usage is clear and enforceable.
- Protects the organization from data loss, misuse, and compliance risks.
- Supports smooth onboarding/offboarding (ties into Onboarding SOP – Doc 1).