Access management policy - codemagic-ci-cd/company-handbook GitHub Wiki
Date: 4 Dec 2025
Reviewed by: Vladimir Markov
Access Management at Codemagic exists so that sensitive information and customer information is handled safely and with care.
Access Management goal is to control access rights of employees and external collaborators so that they have all necessary access rights required for their job and not unnecessary access to information that is sensitive or rights to make changes that are out of Codemagic change management policy.
Access Management is part of our information security policy to manage risk with people and access.
How is access granted?
- Access is granted individually and not shared.
- Access is granted during onboarding or by requesting it from CTO or CEO.
- When granting access CTO or CEO ensures that person receiving access has passed appropriate security awareness training.
- Access is granted using appropriate tools, if applicable then SSO via Google Workspace accounts, otherwise 1Password, Notion team, Slack invitation
- First-time access link should be generated and sent to
@nevercode.ioor@codemagic.ioemails. If not applicable, a one-time password should be generated and shared with employee using private and secure channels. - Access should not be granted out of policy for example by sharing plain text secrets.
- Access can be modified using th same procedures as in granting access or removing access.
How does authentication work
- Codemagic prefers to use passwordless systems as much as possible. If applicable we enforce two- or multi-factor authentication.
- If passwords are required then Codemagic requires the use of strong passwords and employees are trained to use the 1Password password manager.
Security monitoring
Security is monitored using
- Built-in audit logging tools on Google Workspace, GCP, AWS
- Annual user access reviews
- Documented offboarding/onboarding of employees and contractors.
- Updating inventory and access review on adoption of new tools