
Quarterly Access Review

Runbook for quarterly review of bench access + permissions. Required for SOC 2 + ISO 27001.

Goal

Confirm that only authorized operators have current bench access, that role assignments match job function, and that stale credentials are revoked. Quarterly cadence.

Prerequisites

  • Admin role (only admin can read full operator roster)
  • 60-min uninterrupted review window
  • Last quarter's review document available for diff

Procedure

Step 1 — Export current operator roster

curl -fsS https://dashboard.tlsstress.art/api/gateway/operators \
  -H "Authorization: Bearer $TLSSTRESS_ADMIN_TOKEN" \
  > operators-$(date +%Y-Q%q).json

jq '.[] | {email, role, last_login, mfa_enabled}' \
  operators-$(date +%Y-Q%q).json | head -40

Step 2 — Diff vs last quarter

# Shift the whole date back a quarter so Q1 resolves to Q4 of the previous year (the original
# "quarter minus one" arithmetic produced Q0). GNU date, coreutils >= 8.32 for %q; BSD/macOS: date -v-3m
prev=$(date -d '3 months ago' +%Y-Q%q)
diff <(jq -S . "operators-$prev.json") <(jq -S . "operators-$(date +%Y-Q%q).json")

A raw diff shows a changed last_login for every active operator; the findings to categorize are membership and role changes:

  • NEW: confirm an onboarding ticket exists in HR and the assigned role is appropriate for the job function
  • REMOVED: confirm offboarding completed (no login since the departure date, vault entries cleared)
  • ROLE CHANGED: confirm the change was approved and is present in the audit log

Step 3 — Stale credential check

Flag any operator whose last login is more than 90 days old, including operators who have never logged in (last_login null):

# assumes last_login is an ISO-8601 UTC timestamp (e.g. 2025-01-15T09:00:00Z) or null for never logged in
jq -r --argjson cutoff "$(( $(date +%s) - 90*86400 ))" \
  '.[] | select((.last_login // "1970-01-01T00:00:00Z" | fromdateiso8601) < $cutoff) | .email' \
  operators-$(date +%Y-Q%q).json

For each: confirm the role is still required. If not, revoke (the -f makes a failed revocation exit non-zero instead of silently leaving the access in place):

curl -fsS -X DELETE https://dashboard.tlsstress.art/api/gateway/operator/<email> \
  -H "Authorization: Bearer $TLSSTRESS_ADMIN_TOKEN"

Step 4 — MFA enrollment check

Flag any operator without MFA:

# "!= true" rather than "== false" so an operator whose mfa_enabled field is missing is flagged as well
jq -r '.[] | select(.mfa_enabled != true) | .email' \
  operators-$(date +%Y-Q%q).json

Production-tier operators MUST have MFA enabled. Send a reminder to each flagged operator and, if MFA is still not enabled after 7 days, revoke access with the Step 3 command.

Step 5 — Vault credential audit

Per-DUT credential vault — check for orphaned credentials:

curl -fsS https://dashboard.tlsstress.art/api/vault/audit \
  -H "Authorization: Bearer $TLSSTRESS_ADMIN_TOKEN" \
  > vault-audit-$(date +%Y-Q%q).json

# Find credentials owned by departed operators
jq '.[] | select(.owner_status == "departed") | .credential_id' \
  vault-audit-$(date +%Y-Q%q).json

Rotate any such credential immediately.
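Steps 2 to 5 as one script, so the categorized diff, stale and MFA checks and the orphaned-credential check come from the same two exports and produce the counts the Step 7 report asks for. This is an added example, not dashboard tooling. It assumes the Step 1 export is a JSON array of objects with email, role, last_login (ISO-8601 UTC timestamp, or null for never logged in) and mfa_enabled, and that the Step 5 vault audit carries credential_id, owner_status and an owner field with the owning operator's email; the owner field and all sample data are constructed. It goes one step beyond the jq one-liners in two places: it keys operators on lower-cased email so an address case change is not reported as NEW plus REMOVED, and it treats a vault credential whose owner is absent from the current roster as orphaned even when the vault's own owner_status has not caught up.

```python
"""Quarterly review helper: added example, not part of the dashboard tooling.
Assumed export shapes (not stated by the runbook): roster = list of
{email, role, last_login (ISO-8601 UTC or null), mfa_enabled};
vault audit = list of {credential_id, owner_status, owner (assumed field)}.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

def _parse_ts(value):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' (Python < 3.11 does not)."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def _by_email(roster):
    """Key on lower-cased email so a case change is not reported as NEW + REMOVED."""
    return {op["email"].lower(): op for op in roster}

def categorize(prev, cur):
    """Step 2: NEW / REMOVED / ROLE CHANGED, ignoring fields (last_login) that
    legitimately change every quarter and would swamp a raw diff."""
    p, c = _by_email(prev), _by_email(cur)
    return {
        "new": sorted(c.keys() - p.keys()),
        "removed": sorted(p.keys() - c.keys()),
        "role_changed": sorted(
            (e, p[e]["role"], c[e]["role"])
            for e in c.keys() & p.keys() if p[e]["role"] != c[e]["role"]
        ),
    }

def stale(cur, now, max_age_days=90):
    """Step 3: last login older than max_age_days; null (never logged in) is stale, not exempt."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(
        op["email"] for op in cur
        if (ts := _parse_ts(op.get("last_login"))) is None or ts < cutoff
    )

def mfa_gap(cur):
    """Step 4: operators without MFA; a missing field counts as a gap."""
    return sorted(op["email"] for op in cur if not op.get("mfa_enabled"))

def orphaned(vault_audit, cur):
    """Step 5: credentials flagged departed, plus credentials whose owner is no
    longer in the roster even if the vault has not flagged them yet."""
    active = _by_email(cur)
    out = set()
    for cred in vault_audit:
        owner = (cred.get("owner") or "").lower()
        if cred.get("owner_status") == "departed" or (owner and owner not in active):
            out.add(cred["credential_id"])
    return sorted(out)

def summary(prev, cur, vault_audit, now):
    """Counts in the shape of the Step 7 report summary."""
    d = categorize(prev, cur)
    return {
        "total_operators": len(cur),
        "added": len(d["new"]),
        "removed": len(d["removed"]),
        "role_changed": len(d["role_changed"]),
        "mfa_gap": len(mfa_gap(cur)),
        "stale": len(stale(cur, now)),
        "orphaned_vault_credentials": len(orphaned(vault_audit, cur)),
    }

# Constructed sample data (fictitious operators; review date 2025-04-01).
NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)
PREV_ROSTER = [
    {"email": "alice@example.test", "role": "admin", "last_login": "2024-12-20T09:00:00Z", "mfa_enabled": True},
    {"email": "bob@example.test", "role": "operator", "last_login": "2024-11-02T09:00:00Z", "mfa_enabled": True},
    {"email": "carol@example.test", "role": "viewer", "last_login": "2024-12-01T09:00:00Z", "mfa_enabled": False},
    {"email": "erin@example.test", "role": "viewer", "last_login": "2024-12-15T09:00:00Z", "mfa_enabled": True},
]
CUR_ROSTER = [
    {"email": "Alice@example.test", "role": "admin", "last_login": "2025-03-30T09:00:00Z", "mfa_enabled": True},
    {"email": "bob@example.test", "role": "operator", "last_login": "2024-11-02T09:00:00Z", "mfa_enabled": True},
    {"email": "dave@example.test", "role": "operator", "last_login": None, "mfa_enabled": False},
    {"email": "erin@example.test", "role": "admin", "last_login": "2025-03-01T09:00:00Z", "mfa_enabled": True},
]
VAULT_AUDIT = [
    {"credential_id": "cred-001", "owner": "alice@example.test", "owner_status": "active"},
    {"credential_id": "cred-002", "owner": "carol@example.test", "owner_status": "departed"},
    {"credential_id": "cred-003", "owner": "frank@example.test", "owner_status": "active"},
]

if __name__ == "__main__":
    # Usage: review.py operators-PREV.json operators-CUR.json vault-audit-CUR.json
    if len(sys.argv) == 4:
        prev, cur, vault = (json.load(open(f)) for f in sys.argv[1:4])
        now = datetime.now(timezone.utc)
    else:
        prev, cur, vault, now = PREV_ROSTER, CUR_ROSTER, VAULT_AUDIT, NOW
    print(json.dumps({"diff": categorize(prev, cur), "stale": stale(cur, now),
                      "mfa_gap": mfa_gap(cur), "orphaned": orphaned(vault, cur),
                      "summary": summary(prev, cur, vault, now)}, indent=2))
```

Run without arguments it prints the findings for the constructed sample: dave is NEW, stale (never logged in) and an MFA gap; carol is REMOVED; erin's role changed from viewer to admin; cred-002 is orphaned because the vault flags its owner departed and cred-003 because its owner is not in the roster at all. Every emitted email or credential_id still needs the manual confirmation the steps above describe; the script only makes the list complete.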

Step 6 — RBAC role policy review

Open /admin/gateway/rbac and, for each role:

  • Verify the enumerated permissions still match the written policy
  • Verify no role escalation paths exist (no non-admin role may modify RBAC policy, assign roles, or issue admin tokens)
  • Document any policy changes since last quarter

Step 7 — Sign + archive

Generate review report:

# Quarterly Access Review Q$(date +%q) $(date +%Y)

**Reviewed by**: <admin name>
**Date**: $(date +%Y-%m-%d)
**Period**: $(date -d '3 months ago' +%Y-%m) to $(date +%Y-%m)

## Summary
- Total operators: N
- Added: N
- Removed: N
- Role changed: N
- MFA gap: N (remediated)
- Stale (>90d) revoked: N
- Vault credentials rotated: N

## Issues found
- ...

## Signoff
<PGP signature>

Archive to SOC 2 evidence bundle (per soc2-evidence-collection runbook).

Success criteria

  • All operators in roster confirmed authorized
  • All stale credentials revoked
  • All MFA gaps addressed
  • No orphaned vault credentials
  • Review report signed + archived