Operational mirror: Vanta access reviews ingest the source-of-truth identity data from Rippling and reconcile against this matrix on a continuous basis. Discrepancies are surfaced through Access Reviews.
How to use this matrix
- New hires receive the bundle for their role automatically at provisioning. No ticket needed.
- Role changes trigger a new bundle via the Access Change intake.
- Elevated or non-default access beyond the bundle requires manager + system-owner approval (see Account & Access Requests).
- Material changes to a bundle require CISO approval.
Bundles by role
Employee (baseline) — every workforce member
| System | Access |
|---|---|
| Rippling (IdP / SSO) | User |
| Microsoft 365 — Outlook, SharePoint, OneDrive | User (role-scoped folders) |
| Slack | User (default channels) |
| Linear | Member of own team’s workspace |
| GitHub | Read on neuroscale/compliance-docs |
| Dashlane | User (personal vault + role-scoped shared vaults) |
| HashiCorp Vault | OIDC sign-in (Rippling) only on first auth; no direct token issuance for non-engineering staff |
| Vanta | End-user (training + acknowledgements only) |
| Better Stack | None by default |
Engineering (read/write)
Inherits Employee (baseline) plus:
| System | Access |
|---|---|
| GitHub | Member of neuroscale org with team-scoped write |
| Linear | Member of engineering team |
| HashiCorp Vault | Read on team-scoped KV paths; workload-bound auth for service-to-service (AWS / K8s / AppRole / OIDC); no static admin tokens |
| AWS | Console access via SSO; role-based read on production accounts (no production write) |
| Vultr | Sub-account access via SSO; role-based read on production sub-accounts (no production write); no master-account credentials |
| Better Stack | Read on engineering log streams; configure alerts on own services |
Engineering (production)
Inherits Engineering (read/write) plus, after CISO + CTO approval and required training:
| System | Access |
|---|---|
| AWS | Production write via break-glass IAM role; deploy permissions per service |
| Vultr | Production write via break-glass sub-account credentials (held by CTO + CISO); deploy permissions per service via short-lived API keys; access to Vultr-hosted Postgres via SSO-authenticated proxy |
| GitHub | Branch-protection bypass for incident response (audited) |
| Better Stack | On-call rotation membership |
| Production database (AWS RDS / Aurora) | Read via SSO-authenticated proxy; write via change-management approved deploys only |
| Production database (Vultr-hosted Postgres) | Read via SSO-authenticated proxy; write via change-management approved deploys only |
Sales / GTM
Inherits Employee (baseline) plus:
| System | Access |
|---|---|
| HubSpot | User (role-scoped pipeline) |
| Linear | Member of GTM workspace |
| Customer-facing demo environments | Read |
Customer support
Inherits Employee (baseline) plus:
| System | Access |
|---|---|
| Support tooling (intake portal queue) | Agent |
| Linear | Member of Helpdesk team |
| Customer accounts admin (read) | Scoped read for support cases |
Finance / People
Inherits Employee (baseline) plus:
| System | Access |
|---|---|
| Rippling HRIS | Admin (HR module — CHRO and delegates only) |
| Finance ledger / invoicing | User |
| Banking portal | Per CFO designation |
| Dashlane | Admin (CHRO + CFO only) |
Sensitive-system access
The following require named, individual approval and never default to a bundle:
- AWS root account access — CTO and CISO only; activity reviewed quarterly.
- Vultr master / root account access — CTO and CISO only; activity reviewed quarterly. See the Vultr Root Account Compromise Playbook for emergency-rotation procedure.
- HashiCorp Vault root token — sealed in CISO + CTO Dashlane vaults; break-glass use only, per the Vault break-glass procedure.
- Production database direct write — break-glass only; logged and reviewed per Logging & Monitoring.
- Audit log delete / retention override — CISO only.
- Security tooling admin (Vanta, Dashlane) — CISO and named delegates.
- HRIS admin — CHRO and delegates only.
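As an added illustration (hypothetical code, not Vanta's, Rippling's or Neuroscale's own), the reconciliation that the operational mirror performs against this matrix can be written as a small script: flatten each bundle's inheritance chain, add a user's approved exceptions, and compare the result with each system owner's user export, flagging accounts with no workforce identity, access beyond the bundle, entitlements that are absent, and sensitive access with no named approval on file. The bundle contents are abridged from the matrix; the access labels, the `SENSITIVE` set, and the users and exports are constructed for the example, a child bundle's grant is assumed to replace its parent's grant for the same system, and named approvals for sensitive access are modeled as entries in the exceptions map.

```python
"""Added example: reconcile per-system user exports against the role bundles
in this matrix. Hypothetical code, not Vanta's or Rippling's; bundle contents
are abridged and the access labels, users and exports are constructed."""

# Bundles transcribed (abridged) from the matrix. Each bundle names the bundle
# it inherits; a child's grant for a system replaces the parent's grant for
# that system (assumption: "Inherits ... plus" means the higher level wins).
BUNDLES = {
    "Employee": {"parent": None, "grants": {
        "Rippling": "User", "Microsoft 365": "User", "Slack": "User",
        "GitHub": "Read compliance-docs", "Dashlane": "User", "Vanta": "End-user",
    }},
    "Engineering (read/write)": {"parent": "Employee", "grants": {
        "GitHub": "Team-scoped write", "HashiCorp Vault": "Read team KV paths",
        "AWS": "SSO read", "Vultr": "SSO read", "Better Stack": "Read",
    }},
    "Engineering (production)": {"parent": "Engineering (read/write)", "grants": {
        "AWS": "Break-glass write", "Vultr": "Break-glass write",
        "GitHub": "Branch-protection bypass", "Better Stack": "On-call",
    }},
    "Sales / GTM": {"parent": "Employee", "grants": {"HubSpot": "User"}},
}

# Access that never comes from a bundle and always needs a named approval
# (constructed labels for the sensitive-system list above).
SENSITIVE = {("AWS", "Root"), ("Vultr", "Root"), ("HashiCorp Vault", "Root token"),
             ("Vanta", "Admin"), ("Dashlane", "Admin"), ("Rippling", "HRIS admin")}


def entitlements(bundle):
    """Flatten the inheritance chain into {system: access} for one bundle."""
    chain = []
    while bundle is not None:
        chain.append(bundle)
        bundle = BUNDLES[bundle]["parent"]
    merged = {}
    for name in reversed(chain):          # base bundle first, overrides last
        merged.update(BUNDLES[name]["grants"])
    return merged


def expected_access(user, hr_roles, exceptions):
    """Bundle entitlements plus this user's approved exceptions."""
    expected = entitlements(hr_roles[user])
    for (u, system), access in exceptions.items():
        if u == user:
            expected[system] = access
    return expected


def reconcile(hr_roles, actual, exceptions):
    """Compare each system owner's export with what the matrix entitles.

    hr_roles:   {user: bundle}            from the IdP (source of truth)
    actual:     {system: {user: access}}  one export per certifying owner
    exceptions: {(user, system): access}  approved non-default access
    Returns (kind, user, system, access) tuples:
      orphan               account with no matching workforce identity
      excess               access the bundle and exceptions do not grant
      sensitive-unapproved sensitive access with no named approval on file
      missing              bundle entitlement absent from the system
    """
    findings = []
    for system, users in actual.items():
        for user, access in users.items():
            if user not in hr_roles:
                findings.append(("orphan", user, system, access))
                continue
            if expected_access(user, hr_roles, exceptions).get(system) == access:
                continue
            kind = "sensitive-unapproved" if (system, access) in SENSITIVE else "excess"
            findings.append((kind, user, system, access))
        # Only systems that submitted an export are checked for gaps.
        for user in hr_roles:
            expected = expected_access(user, hr_roles, exceptions)
            if system in expected and user not in users:
                findings.append(("missing", user, system, expected[system]))
    return findings


# Constructed sample inputs (not real users, roles or exports).
HR_ROLES = {"ana": "Engineering (read/write)", "ben": "Sales / GTM",
            "cy": "Engineering (production)"}
EXCEPTIONS = {("ben", "Better Stack"): "Read"}   # manager + system-owner approved
ACTUAL = {
    "GitHub": {"ana": "Team-scoped write", "ben": "Team-scoped write",
               "cy": "Branch-protection bypass", "dee": "Read compliance-docs"},
    "AWS": {"ana": "SSO read", "cy": "Root"},
    "Better Stack": {"ana": "Read", "ben": "Read"},
}

if __name__ == "__main__":
    for finding in reconcile(HR_ROLES, ACTUAL, EXCEPTIONS):
        print("%-20s %-4s %-13s %s" % finding)
```

On the sample data the script reports ben's GitHub write as excess (the Sales / GTM bundle only grants read on compliance-docs), dee's GitHub account as an orphan, cy's AWS root access as sensitive without a named approval, and cy's missing Better Stack on-call membership. The per-system "missing" check runs only for systems that submitted an export, which mirrors each system owner certifying their own system.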
Quarterly review
This matrix is the input to quarterly Access Reviews. Each system owner certifies that current users in the system match the bundle they are entitled to plus any approved exceptions.
Cross-references
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 8, 2026 | Initial version | Cameron Wolfe | Ishan Jadhwani |