Access Request Matrix
Use the access request matrix to request the minimum access needed for discovery and implementation. Start read-only, then request privileged access only for specific tasks.
Access levels
| Level | Use |
|---|---|
| Read-only | Discovery, inventory, evidence review, and dashboards. |
| Operator | Running approved diagnostics or non-destructive actions. |
| Deployer | Triggering deployments, rollbacks, or environment changes. |
| Admin | Managing platform configuration, identity, or policy. |
| Break-glass | Emergency access with approval, logging, and review. |
Common access requests
| System | Discovery access | Implementation access |
|---|---|---|
| Source control | Read repositories and pull requests | Branch and pull request permissions |
| CI/CD | Read pipeline history and configs | Trigger approved workflows |
| Cloud | Read inventory, IAM, logs, and costs | Scoped IaC or deployment roles |
| Observability | Read dashboards, logs, traces, alerts | Update dashboards and alert rules |
| Secrets | Review metadata and access patterns | Scoped secret creation or rotation |
| Incident tooling | Read incidents and postmortems | Create or update incident records |
Request guidance
- Tie every request to a task or deliverable.
- Prefer groups or roles over individual grants.
- Use time-bound access for implementation.
- Avoid shared accounts.
- Record approval and expiry.
- Revoke consulting access during closeout.
Watchouts
- Discovery can often proceed with read-only access.
- Admin access should not be the default workaround for unclear roles.
- Screenshots are not a substitute for access to systems of record.