# Access Control
Classification: CONFIDENTIAL — Internal Use Only
The GPUS-IT Access Control program governs who can access which systems, under what conditions, and with what level of privilege. It implements the principles of least privilege, need-to-know, and separation of duties across all on-premises and cloud infrastructure.
## Scope
All logical access to GPUS-IT systems is in scope:
- SSH administrative access to SKY, RAIN, SUN, WIND
- Management interfaces: Webmin, Grafana, Kibana, Prometheus
- GCP Console and gcloud CLI access
- Cloud Run service endpoints
- Backup archives and GCS buckets
- Network devices (Meraki MX100)
## Governing Principles
| Principle | Implementation |
|---|---|
| Least privilege | Each role receives only the permissions required for its function |
| Separation of duties | DNS/DHCP and monitoring/logging roles are distinct accounts on separate servers |
| Named accounts | No shared accounts; every action is attributable to a named individual |
| Zero standing privilege | Privileged access is via sudo with logging; no persistent root sessions |
| MFA (planned) | Okta SSO with MFA will replace local accounts — see Okta Integration |
## Sections
| Document | Purpose |
|---|---|
| Access Control Policy | Mandatory requirements and governance |
| Role & Permission Matrix | Who has access to what and at what level |
| Account Provisioning Procedure | How to create, modify, and revoke access |
| Privileged Access Management | Controls for admin and root-level access |
| Access Review | Quarterly review process and log |
Access Control · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only