How We Fit
Does your company use Google Workspace and/or Okta and have 500 to 10,000 employees and/or contractors?
Do you work in IT or Security and deal with provisioning/deprovisioning users, roles, permissions, and access to applications that your employees and contractors need?
If so, you’re in the right place. 🤙
Do you despise those manual checklist boxes 😰 that you (or your team) have to work through when someone joins your company or changes roles?
We’re assuming that access requests are annoying 🤬 for your team, your users, and the managers that approve them.
There is a better way. 🥹
Other vendors want to help you manage your access requests. We want to eliminate the need for access requests entirely. 🤩
Access Control is the missing user access management policy engine that helps you improve your least-privilege onboarding and offboarding processes.
Our goal is to reduce or eliminate the access requests that you or your team have to handle, and move towards automatically provisioned and deprovisioned access based on policies that have been pre-approved by your stakeholders and system owners.
Let us show you how to build new policies or fix your existing pre-approved policies for your applications, groups, and tech stack systems so that the business logic of which personnel should have access is pre-approved. This solves many downstream problems that arise when users have to request access and then wait hours, days, or weeks for someone else to approve and manually provision it. If we already know they should have access, we can provide pre-provisioned perpetual access or on-demand just-in-time access within seconds or minutes.
Let’s get your users back to work quickly without waiting for their access to be provisioned or bogging down the team with time sensitive offboarding requests.
If you struggle with group member automation, attribute change detection, and automation problems with your onboarding and offboarding processes for employees and contractors, Access Control might be a fit for your organization.
See the Problem Statement and Industry and Market Competitors if you haven’t already.
How It Works
We use metadata about each user (department, team, job title, manager, region, etc.) with multi-dimensional rules to attach users to groups and handle pre-approved provisioning for group members and resources on various tech stack systems using best practices for role-based access control.
Access Control provides a comprehensive user directory with multi-dimensional attributes for identifying users and the granularity of their job role for role-based access control. With the ability to aggregate attributes from multiple sources (e.g. Google, Okta, Slack profiles, etc.), we have an enriched set of metadata to base decisions on. Because attributes are referenced by database IDs rather than strings, a renamed value (such as a department name) does not require rebuilding all of the downstream policies.
Access Control focuses on pre-approved policy management and group member assignment so that we already know which users belong to which job roles and their respective groups, and can handle downstream provisioning of applications and resources using job roles (or specific small teams) rather than named users.
With our upstream calculation of group members from policy rules and attributes, we have a manifest list of users that we can then push to downstream applications or groups on different systems. For example, we keep each policy’s users synced in their Okta group, their Google group, their GitLab group, and their Slack group. None of these systems knows about the others, and keeping all of their members in sync by hand is a heavy burden.
The overarching value proposition is that since we already know a lot about the user and their attributes, and use Access Control policy and ruleset management to determine which group/role/team they belong to, we can automatically grant them access without the user having to request it. Access requests should be the exception, needed only when a policy isn’t configured properly.
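As an added illustration (not code from the Access Control project), here is a small Python model of the flow described above: multi-dimensional attribute rules compute a policy’s member manifest from directory users whose attributes are referenced by stable database IDs, and that manifest is then diffed against each downstream system’s current members to produce the adds and removes needed to keep them in sync. All names, attributes, and data below are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample directory data. Departments are stored by database ID so
# that renaming a value (e.g. "Security" -> "Security Engineering") never
# invalidates a policy rule that references the ID.
DEPARTMENTS = {10: "Engineering", 11: "Security"}

@dataclass(frozen=True)
class User:
    uid: str
    department_id: int
    job_title: str
    region: str
    active: bool = True   # offboarded users are inactive and drop out of every manifest

@dataclass(frozen=True)
class Policy:
    """Multi-dimensional rule: every non-empty dimension must match (AND),
    and within a dimension any listed value matches (OR). An empty dimension
    means "any value", so Policy("everyone") matches all active users."""
    name: str
    department_ids: frozenset = frozenset()
    job_titles: frozenset = frozenset()
    regions: frozenset = frozenset()

    def matches(self, user: User) -> bool:
        dims = (
            (self.department_ids, user.department_id),
            (self.job_titles, user.job_title),
            (self.regions, user.region),
        )
        return all(not allowed or value in allowed for allowed, value in dims)

def compute_manifest(policy: Policy, users) -> set:
    """Upstream calculation: the set of active user IDs a policy grants."""
    return {u.uid for u in users if u.active and policy.matches(u)}

def reconcile(manifest: set, downstream_members: set):
    """Diff the manifest against one downstream group; returns (to_add, to_remove)."""
    return manifest - downstream_members, downstream_members - manifest

def sync_plan(policy: Policy, users, downstream: dict) -> dict:
    """Per-system add/remove plan; each downstream system knows nothing about the others."""
    manifest = compute_manifest(policy, users)
    return {name: reconcile(manifest, members) for name, members in downstream.items()}

USERS = [
    User("alice", 11, "Security Engineer", "NA"),
    User("bob", 11, "Security Engineer", "EU"),
    User("carol", 10, "Backend Engineer", "NA"),
    User("dave", 11, "Security Engineer", "NA", active=False),  # offboarded
]
SEC_ENG = Policy("sec-eng", department_ids=frozenset({11}), job_titles=frozenset({"Security Engineer"}))
# Constructed snapshot of the current members of the policy's group in two downstream systems.
DOWNSTREAM = {"okta": {"alice", "dave"}, "gitlab": {"alice", "carol"}}
```

Running `sync_plan(SEC_ENG, USERS, DOWNSTREAM)` yields a plan that adds bob to both groups, removes the offboarded dave from Okta, and removes carol from GitLab, where she was added by hand outside the policy.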
Why It Exists
See the Problem Statement and Industry and Market Competitors if you haven’t already.
Access requests are a band-aid that becomes permanent for many organizations, and the exception becomes the rule instead of simply fixing the pre-approved onboarding checklist or policy. The problem has grown exponentially harder when trying to use access requests for just-in-time access.
The focus of Access Control is better management of directory users and the attributes that are used to calculate which job roles they belong to, together with advanced policy management that handles workflows that are difficult with string-matching group rules and removes the need for manual group member management.
Policy management is hard, and we are trying to make it easier. Access Control helps move organizations from access requests towards powerful policy management, reducing the need for access requests and creating a near-invisible access provisioning process with as little burden on users and approvers as possible.
Since we already know a lot about the user, we can use their attributes and Access Control policies with powerful attribute rulesets to determine which group/role/team they belong to, and automatically grant them access based on their job role without the user having to request it. Access requests should be the exception, needed only when a policy isn’t configured properly.
Although we have audit and compliance features, we believe that solving the upstream problems makes the audit and compliance features much easier to build and use. For example, would you prefer to perform user access reviews on 2,000 users or 200 job roles that policies are enforced on?
What We Don’t Do
- It is not a single sign-on (SSO) provider and does not provide a login screen for different applications. You will continue to use your SSO provider to sign in to those applications.
- It is not a secrets/password storage platform.
- It is not part of the GitLab product or product direction. This is an internal corporate security skunkworks tool that we have open sourced to help other IT and Security teams and give back to the open source community.
How It Helps
Business Value Proposition
- Provides a programmatic way of managing user group memberships (replaces multiple requests and different issues/tickets).
- Focus is on Google Groups, Okta Groups, Slack Groups, and onboarding-specific GitLab groups.
- No more manual group member management for existing baseline rules. Keeps all users in sync as data in Workday/Okta attributes change.
- Uses database relationships for each group, user, and vendor. Allows policies to be updated dynamically with automatic change detection and event notifications instead of manually updating strings in flat files.
- Automated new hire and offboarding since user gets added to groups based on known attributes.
User Experience and Timeliness
- Provisioning and deprovisioning will take minutes, not days (after approved).
- Users can use a form-based web UI (with backend database) for streamlined access policy changes and approvals, automated provisioning, and audit management that augments Okta.
- Approvers have a streamlined UI dashboard for current requests, history of approvals, and upcoming access reviews. We also use Slack notifications for approver efficiency.
- Users with the same job role already benefit from the first person on their team that modified the policy.
Ease of Process Maintenance
- Reduces manual administrative tasks by automating role-based entitlement and ad-hoc requests.
- Allows us to use dynamic group (department/role) rules for automating access for non-Okta applications.
- Replaces access request issues/tickets and (iteratively) most manual provisioning for users and roles.
- Uses custom built API integrations with Okta (for managed applications) and the vendor API for non-Okta managed tech stack applications to automatically provision (or deprovision) access to groups and resources.
Auditability
- Comprehensive logging and auditability of all approval and action flow transactions.
- Easy to generate audit reports for security compliance to perform reviews of least privilege and access across multiple filter criteria.
Who Is It For
Over the last two decades, a minority yet still large percentage of organizations no longer (or never did) use Microsoft for their directory services or authentication.
If you sign in to your work applications using Google or Okta SSO using your work email address, then Access Control may be a good fit for your organization.
Do you struggle with role-based access control and spend a lot of time manually assigning users to applications and groups, or have a few primitive scripts that you run to assign users to applications? If so, then Access Control may be a good fit for your organization.
We built Access Control for the 400,000+ Google Workspace organizations that do not have strong application assignment or RBAC provisioning capabilities and the 18,000+ Okta customer organizations that have complex application and group rules or struggle with automated granular roles and permissions for baseline/birthright and job-role entitlement application access.
If you are an administrator at your organization for an enterprise SSO (Microsoft Entra ID, Okta, Ping Identity, etc.), or one of the teams that reports to you is, then Access Control is designed to help solve the granular role-based access control challenges that your organization may be facing.
Most of the organizations that we help have between 500 and 5,000 users, dozens or hundreds of SaaS tech stack applications, and an existing enterprise SSO, and are having growing pains with one or more of the following:
- manually approving and assigning users to applications and groups
- manually managing baseline or job-role entitlement application access provisioning
- addressing audit and compliance concerns with just-in-time access or least privilege
Who Is It Not For
- Microsoft Ecosystem: If your organization uses Microsoft technologies predominantly, including Active Directory or Entra ID (formerly Azure Active Directory), then there are many tools and vendors in the industry to help you administer and enforce policies for applications and group membership. Access Control is intentionally not built to integrate with the Microsoft ecosystem. We are focused on helping organizations using Google Workspace and/or Okta.
- Simple Structure: If you have a small handful of departments and a few dozen users, then Access Control is overkill. Your needs may be met by managing Google Group members or Okta group members manually or with Terraform.
- Limited Hiring: Access Control is designed for HR, IT, and Security operations that handle onboarding and offboarding on a frequent basis (at least several per month, up to hundreds each week).
- On-Premise Applications: If your organization hosts applications on your own server infrastructure that is not accessible from the Internet, or that do not have easily accessible REST API endpoints, then Access Control is not designed to help you.
- Government and Healthcare Regulated Organizations: We build around common compliance framework controls including ISO 27001, NIST 800-*, SOC1, SOC2, and SOX. For heavily regulated organizations with government, healthcare, or public sector compliance requirements, Access Control is not designed to help you.
- Organizations Larger than 10,000 Users: If your organization has more than 10,000 users, then you likely have a lot of complex needs that require in-house development teams to build custom solutions. Access Control can technically scale to tens of thousands of users without a problem; however, our ability to support the complex enterprise needs of your organization is limited and it’s the wrong tool for the job. Our design philosophy focuses on 70% built-in, 20% flexibility with database rows or configuration variables, and 10% gap that we can never fill. Many organizations larger than 10,000 users are looking for 30%-50% built in with the ability to hire Professional Services to write additional code to meet their needs. Access Control is built for turnkey usage and is not designed for that level of customization on a per-customer basis; you will be better served by looking at SailPoint or Saviynt.