Monthly Access Review
Frequency: 1st of each month | SLA: Complete within 5 business days
Each monthly GitHub Issue is auto-populated with access findings from access_review.py, which pulls the live workforce roster from Google Workspace (the authoritative directory), maps each user’s orgUnit to expected system access via role-access-map.yaml, and cross-references against collected evidence. Reviewers validate pre-computed findings rather than pulling data manually.
Each review is tracked as a GitHub Issue using the Monthly Access Review template. For the deeper quarterly review (service accounts, API keys, access levels), see the Access Review Procedure.
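The cross-reference step described above, written out as an added example (this is not access_review.py or any Meridian Seven code). The roster, the stand-in for role-access-map.yaml, and the per-system evidence are all constructed sample data; orgUnit values are assumed to match the map exactly, and a directory user flagged as suspended is treated as departed.

```python
# Added example of the access-review cross-reference; not the project's access_review.py.

# Constructed roster as it would come from the Google Workspace directory (authoritative).
ROSTER = {
    "alice@example.com": {"orgUnit": "/Engineering", "suspended": False},
    "bob@example.com": {"orgUnit": "/Finance", "suspended": False},
    "carol@example.com": {"orgUnit": "/Engineering", "suspended": True},  # departed
    "dave@example.com": {"orgUnit": "/Sales", "suspended": False},  # orgUnit not mapped
}

# Constructed stand-in for role-access-map.yaml: orgUnit -> systems its members may hold.
ROLE_ACCESS_MAP = {
    "/Engineering": {"github", "gcp_iam", "slack", "1password"},
    "/Finance": {"slack", "1password"},
}

# Constructed evidence: per-system account lists as collected into evidence/logs/<system>/.
EVIDENCE = {
    "github": {"alice@example.com", "carol@example.com", "mallory@example.com"},
    "gcp_iam": {"alice@example.com", "bob@example.com"},
    "slack": {"alice@example.com", "bob@example.com", "dave@example.com"},
    "1password": {"alice@example.com", "bob@example.com"},
}


def review_access(roster, role_map, evidence):
    """Return (system, account, reason) findings for a reviewer to validate.

    Reasons distinguish true violations (unknown or departed accounts, access
    outside the mapped role) from a role-mapping gap, which step 2 of the
    process resolves by updating the map rather than by revoking access.
    """
    findings = []
    for system, accounts in sorted(evidence.items()):
        for account in sorted(accounts):
            user = roster.get(account)
            if user is None:
                findings.append((system, account, "not in directory"))
            elif user["suspended"]:
                findings.append((system, account, "departed (suspended in directory)"))
            elif user["orgUnit"] not in role_map:
                findings.append((system, account,
                                 f"orgUnit {user['orgUnit']} missing from role-access-map"))
            elif system not in role_map[user["orgUnit"]]:
                findings.append((system, account,
                                 f"not expected for orgUnit {user['orgUnit']}"))
    return findings


def verify_clean(roster, role_map, evidence):
    """Verify-mode check: true only when no finding remains after remediation."""
    return not review_access(roster, role_map, evidence)
```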
Process
| Step | Action |
|---|---|
| 1. Review findings | Open the auto-populated GitHub Issue. Evidence has already been cross-referenced against the live Google Workspace roster. Review each flagged account. |
| 2. Validate findings | Confirm flagged accounts are truly unauthorized or departed — not a role mapping issue. Update role-access-map.yaml if the org structure changed, or proceed to remediation. |
| 3. Remediate | Revoke unauthorized/departed access using the Remediation Locations table below. Document all actions taken in the GitHub Issue. |
| 4. Verify | Run `doppler run -p m7-security -c prd -- python3 automation/scripts/runner.py --mode verify` and confirm that no new access violations appear. |
| 5. Close issue | The closed issue is the audit evidence for the monthly review. |
Evidence artifacts land in evidence/logs/<system>/YYYY/MM/ — user lists, role assignments, and API key inventories for each system.
Remediation Locations
| System | Where to Revoke/Modify Access |
|---|---|
| Google Workspace | admin.google.com > Directory > Users |
| GitHub | github.com/orgs/Meridian7-io/people |
| Slack | meridian7.slack.com > Admin > Manage members |
| 1Password | 1password.com > Admin console > People |
| GCP IAM | console.cloud.google.com > IAM > IAM (meridian7-navi project) |
| GCP Cloud Monitoring | console.cloud.google.com > IAM > filter Monitoring roles |
| Supabase | supabase.com > Org settings > Members |
| Doppler | doppler.com > Workplace > People |
| Cloudflare | dash.cloudflare.com > Account > Members |
| CrowdStrike | falcon.crowdstrike.com > Support > User Management |
| Backblaze | secure.backblaze.com > App Keys |
Related Documents
Meridian Seven — Confidential