DoIT Shared Tools - GitLab User Attestation Process (Access Review) for Group Owners
Account or access reviews ensure that access to information, data, and resources is limited to authorized users. The Shared Tools team deactivates inactive accounts; group owners perform the access reviews themselves by adding and removing users from their groups and projects.
What does the Shared Tools team do?
If a user has not logged into GitLab for 6 months, the Shared Tools team deactivates (disables) the account. If a deactivated user logs in again, the account is reactivated automatically. Deactivation does not remove the user's group or project memberships; only a group owner can do that, which is why owner-led access reviews are still required.
GitLab Group Owners are Responsible for User Attestation
Group owners should review all users with access to their groups and projects:
- Quarterly
- After staffing changes
- When vendor contracts end
During an access review:
- Remove members who no longer need access, including inactive accounts, from your groups and projects
- Ensure each member's role (for example Guest, Developer, Maintainer, or Owner) matches their current work activities; grant the least privilege that still lets them do their job
- Manage your groups: transfer group ownership when needed, and delete or archive inactive projects
If you need more guidance, contact the Shared Tools team.
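The review steps above can be scripted against the GitLab REST API so that an owner starts each quarterly review from a list of members that need a decision rather than from a blank page. The script below is an added example for this page and is not DoIT Shared Tools code. It assumes member records shaped like GitLab API v4 `GET /groups/:id/members/all` responses (username, state, access_level, expires_at), joined with the `last_activity_on` field from `GET /users/:id` (whether that field is visible depends on the privilege of the token used; that join is an assumption, not something the page describes). It also assumes a 90-day inactivity window, matching the quarterly cadence; the sample member records are constructed and are not real accounts.

```python
"""Membership review helper for one GitLab group.

Added example for this page; it is not DoIT Shared Tools code.
Assumptions (not stated on the page):
  - Member records are shaped like GitLab REST API v4
    GET /groups/:id/members/all responses (username, state, access_level,
    expires_at), joined with last_activity_on from GET /users/:id.
  - A 90-day inactivity window, matching the quarterly review cadence.
"""
import json
from datetime import date, timedelta
from urllib.request import Request, urlopen

ACCESS_LEVELS = {10: "Guest", 20: "Reporter", 30: "Developer", 40: "Maintainer", 50: "Owner"}
PRIVILEGED = 40                      # Maintainer and Owner get a second look every review
INACTIVE_AFTER = timedelta(days=90)  # assumed threshold for an owner-led review
REVIEW_DATE = date(2024, 6, 15)      # fixed "today" so the demo is reproducible

# Constructed sample data; these are not real accounts.
SAMPLE_MEMBERS = [
    {"username": "alice", "state": "active", "access_level": 50,
     "last_activity_on": "2024-06-01", "expires_at": None},
    {"username": "bob", "state": "active", "access_level": 40,
     "last_activity_on": "2023-11-15", "expires_at": None},
    {"username": "vendor-svc", "state": "active", "access_level": 30,
     "last_activity_on": "2024-05-20", "expires_at": "2024-03-31"},
    {"username": "carol", "state": "deactivated", "access_level": 20,
     "last_activity_on": "2023-09-01", "expires_at": None},
    {"username": "dave", "state": "active", "access_level": 50,
     "last_activity_on": None, "expires_at": None},
    {"username": "erin", "state": "active", "access_level": 30,
     "last_activity_on": "2024-06-10", "expires_at": None},
]


def fetch_members_all(base_url, group_id, token):
    """Fetch direct and inherited members of a group, following GitLab's
    X-Next-Page pagination. Network-only helper; the offline demo does not call it."""
    members, page = [], 1
    while True:
        url = f"{base_url}/api/v4/groups/{group_id}/members/all?per_page=100&page={page}"
        req = Request(url, headers={"PRIVATE-TOKEN": token})
        with urlopen(req) as resp:
            members.extend(json.load(resp))
            next_page = resp.headers.get("X-Next-Page", "")
        if not next_page:
            return members
        page = int(next_page)


def review(members, today):
    """Return one finding per member that needs an owner's decision.

    A member is flagged when the account is not active, has had no activity
    within INACTIVE_AFTER, has an expired membership, or holds a privileged
    role (which should be re-confirmed at every review)."""
    findings = []
    for m in members:
        role = ACCESS_LEVELS.get(m["access_level"], str(m["access_level"]))
        reasons = []
        if m.get("state") != "active":
            reasons.append(f"account state is {m.get('state')}")
        last = m.get("last_activity_on")
        if last is None:
            reasons.append("no recorded activity")
        elif today - date.fromisoformat(last) > INACTIVE_AFTER:
            reasons.append(f"inactive since {last}")
        expires = m.get("expires_at")
        if expires and date.fromisoformat(expires) < today:
            reasons.append(f"membership expired {expires}")
        if m["access_level"] >= PRIVILEGED:
            reasons.append(f"privileged role {role}; confirm it is still required")
        if reasons:
            findings.append({"username": m["username"], "role": role, "reasons": reasons})
    return findings


def removal_candidates(findings):
    """Usernames with at least one removal-grade reason, i.e. anything other
    than the routine privileged-role confirmation."""
    return sorted(f["username"] for f in findings
                  if any(not r.startswith("privileged role") for r in f["reasons"]))


def demo_findings():
    """Run the review over the constructed sample as of REVIEW_DATE."""
    return review(SAMPLE_MEMBERS, REVIEW_DATE)


if __name__ == "__main__":
    findings = demo_findings()
    for f in findings:
        print(f"{f['username']:<12}{f['role']:<12}{'; '.join(f['reasons'])}")
    print("removal candidates:", removal_candidates(findings))
```

Against the sample, the script flags five of the six members and lists four as removal candidates; only erin (an active Developer with recent activity) passes cleanly, and alice appears solely because Owner is a privileged role that an owner should consciously re-confirm each quarter. To run it for real, replace `SAMPLE_MEMBERS` with the output of `fetch_members_all` joined with per-user activity data, and treat the output as the worksheet for the review, not as an automatic removal list.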
Other Recommendations
- Develop a procedure that identifies which users need access to the system and when a user's access should be removed.
- For guest users or any user with a GitLab-local password, ensure the password meets campus policy UW-514.
- Use different passwords for user and administrative accounts.
- Ensure GitLab passwords are not the same as the NetID password.
- Change passwords immediately if a compromise is suspected.
Attestation Roles & Process
Type of User | Description of Role | Permissions Overview | Responsible for |
---|---|---|---|
GitLab User | Any eligible user of GitLab. | Can create personal projects. When granted access, can create projects and content in group spaces. | Leaving groups and projects they are no longer a part of. As needed, transferring ownership of projects and groups. |
GitLab Group Owner | An approved GitLab group owner, responsible for delegated administration. | Can create sub-groups and projects, and manage users. | Aligning with known best practices; performing user management and access reviews (adding and removing users). |
Shared Tools Service Team | Service fulfillment and limited user support. | Administrators of the platform. | Managing authentication and deactivating inactive users. |