Access & accounts¶
Least privilege
Request only the scope you need. Access is granted via Entra ID groups, not individual grants. All access is auditable.
Request matrix¶
| Access | Group / mechanism | Approver |
|---|---|---|
| Read the wiki | wiki-readers |
auto (all engineering) |
| Author docs / open PRs | wiki-authors |
team lead |
| Ansible repos | ADO project membership | platform-devops |
| Run playbooks (sandbox) | automation-sandbox |
automation-guild |
| Run playbooks (prod) | automation-operators |
head-of-operations |
| Key Vault (sandbox) | RBAC: Key Vault Secrets User | platform-devops |
| China (21Vianet) scope | separate cloud identity | regional lead |
Secrets — the rules¶
- Never put secrets in repos, wiki, or Teams.
- Use Key Vault + Managed Identity / workload identity.
- If you find a leaked secret, rotate it and tell
secopsimmediately.