Access Control Policy
Status: Active. Last updated April 12, 2026. Purpose: SOC 2 evidence for CC6.1 (Logical Access), CC6.2 (Credentials), CC6.3 (Access Removal) and CC6.6 (System Boundaries)
Principle of Least Privilege
Every account, user, and service credential is granted the minimum access necessary for its function. No shared credentials. No persistent admin sessions.
Atlas Admin Access
| Person | Atlas Role | MFA | Date Granted | Granted By |
|---|---|---|---|---|
| Taha Abbasi | Organization Owner | Yes | April 12, 2026 | Initial setup |
MFA Requirement: All Atlas organization members must have MFA enabled. No exceptions.
Database Users
Bootstrap Admin (Active)
| User | Role | Scope | Purpose | Created |
|---|---|---|---|---|
| atlas-admin-taha | atlasAdmin | Cluster-wide | Initial setup, schema creation, data loading | April 12, 2026 |
Scoped Service Users (Pending Creation)
These users will be created in the Atlas UI now that the Phase 1 collections exist. Each is scoped to the minimum permissions its function requires; no service user receives a database-wide or cluster-wide role.
| User | Access Level | Collections | Purpose |
|---|---|---|---|
app-read | Read-only | plan_years, plans, regions, zip_county | API server queries |
app-write | Read-write | All Phase 1 collections | Data ingestion scripts |
audit-write | Insert-only | audit_log | API audit trail |
Important: app-read cannot read audit_log. audit-write can only insert into audit_log; it can never read, update or delete, so a compromised API server cannot alter or erase the audit trail.
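The access matrix above is only evidence if it matches what is actually configured. The following checker is an added example, not part of this policy or the project's own code: it takes database-user and custom-role documents in the shape returned by the Atlas Admin API (the databaseUsers and customDBRoles endpoints), expands every grant into per-collection actions, and reports any user whose effective access differs from the table. It assumes the Phase 1 collections live in a single database called `app_db` (the policy does not name it), and the user and role documents at the bottom are constructed, not exported from a real project. The constructed `app-read` user deliberately carries a database-wide `read` grant, which is exactly the mistake the "app-read cannot read audit_log" rule forbids.

```python
"""Least-privilege check for Atlas database users against the policy's access table.

Added example, not part of the policy. Assumptions: Phase 1 collections live in
one database, `app_db` (the policy does not name it); sample documents are
constructed in the shape of Atlas Admin API databaseUsers / customDBRoles output.
"""

DB = "app_db"  # assumption: the policy does not name the database
PHASE1 = ("plan_years", "plans", "regions", "zip_county", "audit_log")

# CRUD actions implied by the Atlas built-in roles used here, in Atlas's
# upper-case action names. "*" stands for unrestricted access (atlasAdmin).
BUILTIN_ROLE_ACTIONS = {
    "read": {"FIND"},
    "readWrite": {"FIND", "INSERT", "UPDATE", "REMOVE"},
    "atlasAdmin": {"*"},
}

# Expected per-collection access, transcribed from the Scoped Service Users table.
EXPECTED = {
    "app-read": {c: {"FIND"} for c in ("plan_years", "plans", "regions", "zip_county")},
    "app-write": {c: set(BUILTIN_ROLE_ACTIONS["readWrite"]) for c in PHASE1},
    "audit-write": {"audit_log": {"INSERT"}},
}
APPROVED_ADMINS = {"atlas-admin-taha"}  # the bootstrap admin listed above


def effective_access(user, custom_roles):
    """Expand one user's role grants into {collection: set(actions)} within DB."""
    access = {c: set() for c in PHASE1}
    for grant in user["roles"]:
        name = grant["roleName"]
        if name == "atlasAdmin":
            for c in PHASE1:
                access[c].add("*")
        elif name in BUILTIN_ROLE_ACTIONS:
            if grant.get("databaseName") != DB:
                continue
            # A grant without collectionName is database-wide: it covers every
            # current collection and any collection created later.
            targets = [grant["collectionName"]] if grant.get("collectionName") else list(PHASE1)
            for c in targets:
                access.setdefault(c, set()).update(BUILTIN_ROLE_ACTIONS[name])
        else:
            # Custom role: each action carries the list of resources it applies to.
            for action in custom_roles[name]["actions"]:
                for res in action["resources"]:
                    if res.get("db") != DB:
                        continue
                    targets = [res["collection"]] if res.get("collection") else list(PHASE1)
                    for c in targets:
                        access.setdefault(c, set()).add(action["action"])
    return {c: a for c, a in access.items() if a}


def check(users, custom_roles):
    """Return a list of findings; an empty list means the users match the table."""
    findings = []
    for user in users:
        name = user["username"]
        if name in APPROVED_ADMINS:
            continue
        if name not in EXPECTED:
            findings.append(f"{name}: not in the access table (unapproved user)")
            continue
        actual = effective_access(user, custom_roles)
        for coll in sorted(set(actual) | set(EXPECTED[name])):
            extra = actual.get(coll, set()) - EXPECTED[name].get(coll, set())
            missing = EXPECTED[name].get(coll, set()) - actual.get(coll, set())
            if extra:
                findings.append(f"{name}: over-privileged on {coll}: {sorted(extra)}")
            if missing:
                findings.append(f"{name}: missing {sorted(missing)} on {coll}")
    return findings


# Constructed sample documents (not real project data). app-read is deliberately
# mis-scoped with a database-wide `read` grant; the other users match the table.
CUSTOM_ROLES = {
    "auditWrite": {"roleName": "auditWrite", "actions": [
        {"action": "INSERT", "resources": [{"db": DB, "collection": "audit_log"}]}]},
}
USERS = [
    {"username": "atlas-admin-taha", "roles": [{"databaseName": "admin", "roleName": "atlasAdmin"}]},
    {"username": "app-read", "roles": [{"databaseName": DB, "roleName": "read"}]},
    {"username": "app-write", "roles": [{"databaseName": DB, "roleName": "readWrite"}]},
    {"username": "audit-write", "roles": [{"databaseName": "admin", "roleName": "auditWrite"}]},
]

if __name__ == "__main__":
    for finding in check(USERS, CUSTOM_ROLES) or ["compliant"]:
        print(finding)
```

Run against the constructed documents it reports `app-read: over-privileged on audit_log: ['FIND']`; replacing the database-wide grant with four collection-scoped `read` grants (one per collection in the table) makes the check pass. In practice the input would come from the Atlas Admin API or `atlas dbusers list` output, and the check would run on every change to this file.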
Network Access
| Type | Value | Purpose | Added | Expiry |
|---|---|---|---|---|
| IP Allowlist | 0.0.0.0/0 | Development (temporary) | April 12, 2026 | Remove before production |
Production plan: Replace 0.0.0.0/0 with VPC peering to AWS ECS. No public network access in production. While the 0.0.0.0/0 entry is in place, the cluster is reachable from any internet address and database authentication plus TLS are the only barrier, which is why the entry is marked temporary and must be removed before production.
Credential Management
Storage
| Environment | Method | Location |
|---|---|---|
| Development | Environment variable | .env.local (gitignored) |
| Production | Secrets manager | AWS Secrets Manager (future) |
Credentials are never committed to source control. .env.example contains placeholders only.
Rotation Schedule
| Credential Type | Rotation Frequency | Responsible |
|---|---|---|
| Atlas admin password | Quarterly | Taha Abbasi |
| app-read password | Quarterly | Taha Abbasi |
| app-write password | Quarterly | Taha Abbasi |
| audit-write password | Quarterly | Taha Abbasi |
| CMS API key | Annual (or on compromise) | Taha Abbasi |
Rotation Process
- Generate new credential in Atlas UI / service provider
- Update .env.local (development) and Secrets Manager (production)
- Verify application connectivity with the new credential
- Invalidate the old credential only after the new one is confirmed working
- Document rotation date in this file
Access Grant Process (Onboarding)
- New team member requests access with specific justification
- Owner reviews and determines minimum necessary role
- Account created with scoped permissions
- MFA enrolled and verified before access is granted
- Access documented in this file
- Git commit records the change
Access Revocation Process (Offboarding)
- Remove user from Atlas organization immediately
- Remove user from all service accounts (GitHub, Vercel, etc.)
- Rotate any credentials the person had direct access to
- Remove their IP from Atlas network allowlist
- Update this document
- Git commit records the revocation
SOC 2 Control Mapping
| Control | Evidence |
|---|---|
| CC6.1 (Logical Access) | Role definitions, user-to-permission mapping, least privilege principle |
| CC6.2 (Credentials) | Credential storage policy, rotation schedule, no shared credentials |
| CC6.3 (Access Removal) | Offboarding process with immediate revocation + credential rotation |
| CC6.6 (System Boundaries) | Network access policy, VPC peering plan |
Change Log
| Date | Change | By |
|---|---|---|
| April 12, 2026 | Initial Atlas setup, bootstrap admin created | Taha Abbasi |
| April 12, 2026 | Development IP allowlist set to 0.0.0.0/0 (temporary) | Taha Abbasi |
| April 12, 2026 | Phase 1 collections + indexes created | Taha Abbasi |