Last Updated: February 2025
Maintained By: IT Department
Companion File: OASIS_User_Provisioning_Matrix.xlsx
Overview
This appendix defines the role-based system access requirements for all OASIS Open staff positions. It serves as the authoritative reference for IT and department leads when provisioning new employee accounts during the onboarding process. All system provisioning is initiated by IT unless otherwise noted. Certain systems require approval from the designated system owner (e.g., CFO for financial systems, Technical Committee/Open Project Administrators (TC/OP) for standards operations tools) before IT can provision access. IT functions as the administrative backup for all systems and maintains Admin access across the board to ensure continuity of operations.
Defined Roles
- CFO: Executive financial oversight. Admin access to financial and CRM systems. Admin access to Zoom to manage billing for accounting operations. Approves access to Salesforce, Higher Logic, and Expensify.
- Accounting: Day-to-day financial operations. Standard access to financial systems and expense management.
- IT: Technology infrastructure and system administration. Admin access to ALL systems across the organization. Functions as administrative backup for every platform. Primary provisioning role for onboarding.
- BizDev: Business development, member engagement, outreach, and growth initiatives. Admin access to Salesforce for pipeline and relationship management. Standard access to other core platforms.
- Technical Committee/Open Project Administrators (TC/OP): Manages Technical Committee assignments, working groups, and standards operations. Admin access to Salesforce, GitHub, Groups.IO, Higher Logic, and TC Working Groups. Primary provisioner for GitHub and Groups.IO. Does not perform hands-on technical work.
- Marketing: Communications, content, and brand management. Standard access to core platforms and CRM tools.
Access Level Definitions
- Admin: Full administrative access including system configuration, user management, and settings modification. Reserved for system owners, IT (all systems), and designated role leads.
- Standard: Normal operational access for day-to-day use of the system. Appropriate for most staff in their functional area.
- Read-Only: View-only access with no ability to edit, create, or delete records. Used when a role needs visibility but not operational control.
Key Access Policies
- IT Admin Backup: IT holds Admin access to every system in the organization to ensure continuity of operations, disaster recovery capability, and the ability to support any system owner when needed.
- Salesforce Admin Distribution: Salesforce Admin access is granted to CFO, BizDev, Technical Committee/Open Project Administrators (TC/OP), and IT. This broad admin footprint reflects the cross-functional nature of CRM operations at OASIS.
- Technical Committee/Open Project Administrators (TC/OP) Provisioning Authority: GitHub and Groups.IO (Open Projects) are primarily provisioned and managed by Technical Committee/Open Project Administrators (TC/OP). IT serves as the admin backup, but day-to-day management is owned by the Technical Committee/Open Project Administrators (TC/OP).
- CFO Zoom Admin: CFO holds Admin access to Zoom specifically to manage billing for accounting operations and address Zoom billing failures.
System Provisioning Details
| System | Owner | Provisioning Notes |
|---|---|---|
| Corporate Email | IT | Provision email account in organizational directory. Add to role-appropriate distribution lists and shared calendars. Standard access for all roles; IT holds admin. |
| OASIS Shared Drive | IT | Create user account and assign folder-level permissions based on department. Ensure appropriate read/write access to shared team folders. |
| 1Password | IT | Create account and assign to team-specific vaults. Ensure new hire receives onboarding vault with initial credentials for other systems. |
| Slack | IT | Create account and add to organization-wide channels plus role-specific channels. Set appropriate notification defaults. |
| Zoom | IT | Assign license (Basic or Pro) based on meeting hosting requirements. CFO receives Admin access to manage Zoom billing. Configure SSO if applicable. |
Business & CRM Systems
| System | Owner | Provisioning Notes |
|---|---|---|
| Salesforce | CFO | CFO approves access level and profile assignment. IT provisions account. CFO, BizDev, Technical Committee/Open Project Administrators (TC/OP), and IT all receive Admin. Accounting and Marketing receive Standard. |
| Higher Logic | CFO / Technical Committee/Open Project Administrators (TC/OP) | Used for member community management. CFO and Technical Committee/Open Project Administrators (TC/OP) share admin ownership. IT holds Admin as backup. Provision based on whether the role interacts with membership communities or committees. |
| Expensify | CFO | CFO approves policy group assignment. Connect to appropriate approval workflows. Not required for Technical Committee/Open Project Administrators (TC/OP) role. |
Technical & Standards Operations
| System | Owner | Provisioning Notes |
|---|---|---|
| TC Working Groups | Technical Committee/Open Project Administrators (TC/OP) | Technical Committee/Open Project Administrators (TC/OP) manages all committee and working group assignments. Exclusive to Technical Committee/Open Project Administrators (TC/OP) (Admin) and IT (Admin backup). |
| GitHub | Technical Committee/Open Project Administrators (TC/OP) | Primarily provisioned and managed by Technical Committee/Open Project Administrators (TC/OP). Technical Committee/Open Project Administrators (TC/OP) holds Admin and determines repository access and team membership. IT holds Admin as organizational backup. |
| Groups.IO (Open Projects) | Technical Committee/Open Project Administrators (TC/OP) | Primarily provisioned and managed by Technical Committee/Open Project Administrators (TC/OP) for specific Open Project needs. Technical Committee/Open Project Administrators (TC/OP) holds Admin. IT holds Admin as organizational backup. |
IT Infrastructure (IT-Only Access)
| System | Owner | Provisioning Notes |
|---|---|---|
| Jira / Atlassian | IT | IT-only system for internal project management and issue tracking. |
| WP Engine (Website) | IT | IT-only system for website hosting management. |
| Rackspace (Servers) | IT | IT-only system for server infrastructure management. Highly restricted. |
| DirectNIC (Domains) | IT | IT-only system for domain registration and DNS management. |
| Subdomains | IT | Subdomains provisioned as needed for new projects, committees, or organizational initiatives. |
| SSL Certificates | IT | Certificate lifecycle management including issuance, renewal, and revocation. |
Provisioning Workflow
- HR notifies IT of new hire with role, title, start date, and reporting manager.
- IT references this document to identify all required systems for the assigned role.
- IT provisions all Core Platform accounts (Email, Shared Drive, 1Password, Slack, Zoom) with appropriate access levels.
- IT contacts system owners (CFO, Technical Committee/Open Project Administrators (TC/OP)) for approval on role-specific systems.
- Upon owner approval, IT provisions remaining system accounts at the specified access level.
- For GitHub and Groups.IO, IT coordinates with Technical Committee/Open Project Administrators (TC/OP), who handles primary provisioning; IT configures admin backup access.
- IT completes the Provisioning Checklist (see companion spreadsheet) and files with HR.
- IT schedules a 30-minute onboarding walkthrough with the new hire to review system access and credentials.
Offboarding & Access Revocation
- HR notifies IT of departure date and any immediate access concerns.
- IT disables all Core Platform accounts on or before the last day of employment.
- IT notifies system owners (CFO, Technical Committee/Open Project Administrators (TC/OP)) to revoke role-specific access.
- Technical Committee/Open Project Administrators (TC/OP) revokes GitHub and Groups.IO access directly; IT confirms removal.
- IT archives email and shared drive data per retention policy.
- IT removes 1Password vault access and rotates any shared credentials.
- IT completes deprovisioning checklist and files with HR.