- handbook
- Company
- Company
- Board & Investors
- Communications
- Decision making and project management
- Guides
- principles
- Remote Work
- Security
- Business Continuity & Disaster Recovery Policy
- Information Security Roles and Responsibilities
- Operations Security Policy
- Risk Management Policy
- Third-Party Risk Management Policy
- Human Resources Security Policy
- Incident Response Plan
- Cryptography Policy
- Secure Development Policy
- Information Security Policy and Acceptable Use Policy
- Data Management Policy
- Hardware Security Policy
- Access Control Policy
- Asset Management Policy
- strategy
- values
- Operations
- Product
- Blueprints
- Feedback
- Glossary
- Market Segments
- Metrics
- Node-RED Dashboard
- Personas
- Pricing Principles
- Principles
- Product Growth
- Strategy
- Versioning
- Engineering & Design Practices
- Design
- Engineering
- Contributing
- Front End
- Packaging Guidelines
- Platform Ops
- Incident Response
- Observability
- FlowFuse Dedicated
- Staging Environment
- Production Environment
- Deployment
- Update Stacks on Production
- Self Hosted Assistant
- Project Management
- Releases
- Security Policy
- Support
- tools
- Website A/B Testing
- Internal Operations
- People Ops
- Coaching Plans
- Code of Conduct
- Compensation
- Expenses
- Hiring
- Holiday & Leave
- Job Descriptions
- CEO
- CTO
- Account Executive
- Product Marketer
- Dashboard Engineer
- Engineering Manager
- Solutions Engineer
- VP of Sales
- Developer Relations Advocate
- Chief of Staff
- Product Manager
- PeopleOps Policies
- Performance review
- Summit
- Marketing department
- Marketing
- blog
- Brand Voice
- Community
- Company Messaging
- Customer Stories
- Events
- FlowFuse for Education
- How we work
- Lead Activation
- Lead Generation
- Marketing - Website
- Marketing Programs
- Social Media
- Video
- Webinars
- Sales department
- Sales
Access Control Policy
| Policy owner | Effective date |
|---|---|
| @knolleary | 2023-05-01 |
Purpose
This policy describes how FlowFuse controls access to information and systems. Its purpose is to ensure only authorized parties can access data and systems in line with business objectives.
Scope
This policy applies to all FlowFuse systems that handle confidential data. The Data Management Policy defines what counts as confidential data.
It also applies to all FlowFuse employees and to any external partners who have access to FlowFuse systems or resources.
Access Control Policy
-
Protect all computing resources—such as servers, user devices, network equipment, services, and applications—with strong authentication, authorization, and auditing.
-
Each user must use their own unique account for interactive access. Accounts must not be shared.
-
Enforce industry best practices for passwords, service accounts, and access keys, including requirements for length, complexity, and rotation. See the Password Policy for details.
-
Require the use of strong passwords and multi-factor authentication (MFA) wherever supported.
-
Require MFA for all critical systems and resources, including all production environments.
-
Remove unused accounts, passwords, and access keys within 30 days.
-
Assign unique access keys or service accounts for each application or system process.
-
Configure authenticated sessions to time out after a defined period of inactivity.
How to Request Access or Permission to a System
How to Request Access or Permissions
To request access or permissions (for example: AWS, GitHub, or HubSpot), open an Access Request issue in the admin repository.
Access Authorization and Termination
-
Use role-based access control (RBAC) or a similar method to manage access permissions.
-
Provision standard access during employee onboarding based on the user’s job role. All additional access requests must be approved by the requester’s manager before access is granted.
-
Require CTO approval for access to critical resources, including production environments.
-
Review access on a regular basis and revoke permissions when they are no longer needed.
-
Revoke all system access and disable accounts within 24 hours (one business day) after employment ends.
-
Review all user access at least annually and whenever a user’s job role changes.
Shared Secrets Management
-
Minimize the use of shared credentials and allow them only as an approved exception.
-
When shared credentials are required, store and share them securely using the company-provided password manager, 1Password.
-
Support any shared access to critical systems with a method that uniquely identifies the individual user.
Privileged Access Management
-
Prevent direct login to systems using privileged accounts.
- A privileged account provides administrative access to critical systems, such as an Active Directory Domain Administrator, a root user on a Linux or Unix system, or an Administrator or Root User on an AWS account.
-
Require privileged access to be obtained only through a proxy or equivalent mechanism that uses strong authentication (such as MFA), a unique individual account, and full auditing of user activity.
-
Keep direct administrative access to production systems to an absolute minimum.
Access to Source Code
Develop source code in the open by default. Restrict access only when required for business reasons. Grant access to private repositories based on business need and job role.
Password Policy
Enforce industry best practices for passwords and configure systems to support these requirements wherever possible.
- Use a minimum password length of 8 characters with a mix of letters, numbers, symbols, and cases.
- Do not reuse passwords across different systems.
- Store passwords only in the company-provided password vault, 1Password.
Programmaticaly Accessible Resources
When programmatic access to resources is required, the following guidelines must be followed:
Programmatically Accessible Resources
When programmatic access is required, follow these guidelines:
- Use API keys or access tokens instead of username and password combinations.
- Avoid sharing secrets across environments unless required for operational reasons.
- Store all secrets securely in 1Password and never share them in plaintext.
- Rotate secrets on a regular basis—at least annually—and follow internal guidelines for rotation.
- Apply the principle of least privilege by granting only the access required for the application to function.
- Do not hardcode secrets in source code.
This policy is adapted from the following sources: