Introduction
Activating Azure B2B to allow 3rd parties access to our GitHub Enterprise environment is a step forward to federated access. Using this tool allows Seagen the opportunity to use outside contracting and 3rd parties to help develop code and publish resources. This new access does require a process and attestation every quarter of the need for teams to continue to use the tooling.
GitHub Enterprise Team Structure
GitHub Enterprise uses what are called Teams to manage and organize their members. Members can be internal to Seagen using SSO to Azure Active Directory or external using Azure B2B for authorization and authentication. When a new contractor or 3rd party wants to access Seagen’s GitHub Enterprise account, they follow the process.
Team member added to GitHub members using their GitHub email (Seagen or other)
Team member email and profile added to Azure B2B
Team member authenticates to GitHub via Azure B2B authentication
Team is assigned to one or more repositories based on their domain context
Attestation Process
Attestation means that we verify if a user or team member really needs access to a resource in GitHub Enterprise. This will be accomplished via several means. When a team member is no longer used, they are inactivated on Azure B2B. These notifications come through in various ways.
Project teams
Initiative teams
Individual business units
Partner funded initiatives like Microsoft ECIF or Google Funding
Contracting and removal of partners from the approved list
Every quarter, Software Engineering will verify with the various groups above of who should or should not be included in having access to GitHub Enterprise. In some cases it will be weekly changes to the access due to resources rolling in and out of the process.
Identity and Access Management will be notified of the changes.
Conclusion
It is the responsibility of all teams and units in Seagen to notify IAM of changes to the teams and members.