...
Group | Content | High-level permissions |
---|---|---|
Main | Primary resources needed to run, but none that contain data | The responsible party (Unique or the client, see Responsibilities) mostly works within this resource group, if at all. |
Sensitive | All customer data, which mainly consists of prompts and files, all embeddings of uploaded files, and encryption keys | Unique should have the least possible privilege to this group, and only just-in-time (JIT). In fact, no human should have much access to it at all; see Automation. |
Audit | Centralised, tamper-safe audit logs of | Unique and its workloads can only emit (one-way) into this resource group; there is no way to read it back. Modifications to this resource group should preferably be made only by the client or via Automation. |
Vnet | Networking setup, of which some limited internet access is needed to pull the Release Content (https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/436536544) | Most clients naturally prefer to administer this part of the infrastructure themselves, as it has a colossal security impact. If Unique is to take care of it, the Automation approach is recommended over any manual action. |
Terraform | Stores Terraform state | Only a few individuals with a specific role, or the Automation, should have access to this group, as the state of the whole infrastructure is saved here. |
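The permission rules in the table above are easy to state and easy to drift away from in practice, so a practitioner usually wants a policy-as-code check that runs over the actual role assignments and flags anything that contradicts the intended split. The script below is an added example, not code from Unique or from this documentation: it encodes each row's rule (JIT-only human access to Sensitive, write-only emission into Audit for Unique principals, Automation-only changes to Vnet for Unique, restricted access to Terraform state) and evaluates a constructed list of assignments. The action names (`read`, `append`, `modify`), principal kinds, the `terraform-operator` tag and every principal name are assumptions invented for the example; in a real deployment the assignment list would be exported from the cloud provider's role assignments.

```python
"""Policy-as-code check for the five-resource-group split described above.

Added example: all assignments below are constructed for illustration.
Action names ("read", "append", "modify"), principal kinds and the
"terraform-operator" tag are assumptions, not terms from the documentation.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Assignment:
    principal: str
    kind: str                 # "human", "workload" or "automation" (assumed vocabulary)
    party: str                # "unique" or "client"
    group: str                # Main, Sensitive, Audit, Vnet or Terraform
    actions: FrozenSet[str]   # subset of {"read", "append", "modify"}
    jit: bool = False         # True if access is only eligible (JIT), not standing
    tags: FrozenSet[str] = frozenset()  # e.g. {"terraform-operator"} (assumed tag)


def violations(assignments: List[Assignment]) -> List[str]:
    """Return one human-readable finding per assignment that breaks a row's rule."""
    out: List[str] = []
    for a in assignments:
        who = f"{a.principal} ({a.party} {a.kind}) on {a.group}"
        if a.group == "Sensitive":
            # Least privilege and JIT only: no standing human access from Unique.
            if a.party == "unique" and a.kind == "human" and not a.jit:
                out.append(f"{who}: standing human access; must be JIT only")
        elif a.group == "Audit":
            # Unique and its workloads may only emit one-way; reading is not allowed.
            if a.party == "unique" and "read" in a.actions:
                out.append(f"{who}: Unique principals may not read audit logs")
            # Modifications are reserved for the client or the Automation.
            if "modify" in a.actions and not (a.party == "client" or a.kind == "automation"):
                out.append(f"{who}: only the client or Automation may modify the Audit group")
        elif a.group == "Vnet":
            # If Unique manages networking at all, it should go through Automation.
            if a.party == "unique" and a.kind == "human":
                out.append(f"{who}: Unique networking changes must go through Automation")
        elif a.group == "Terraform":
            # State access: Automation or a few individuals holding the specific role.
            if a.kind != "automation" and "terraform-operator" not in a.tags:
                out.append(f"{who}: Terraform state access requires Automation or the operator role")
        # Main: no additional restriction beyond the responsible party working there.
    return out


# Constructed sample assignments (not real principals or roles).
SAMPLE_ASSIGNMENTS = [
    Assignment("ops-alice", "human", "unique", "Main", frozenset({"read", "modify"})),
    Assignment("ops-bob", "human", "unique", "Sensitive", frozenset({"read", "modify"})),
    Assignment("ops-bob", "human", "unique", "Sensitive", frozenset({"read"}), jit=True),
    Assignment("chat-backend", "workload", "unique", "Sensitive", frozenset({"read", "modify"})),
    Assignment("chat-backend", "workload", "unique", "Audit", frozenset({"append"})),
    Assignment("ops-alice", "human", "unique", "Audit", frozenset({"read"})),
    Assignment("client-secops", "human", "client", "Audit", frozenset({"read", "modify"})),
    Assignment("ops-alice", "human", "unique", "Vnet", frozenset({"modify"})),
    Assignment("ci-pipeline", "automation", "unique", "Vnet", frozenset({"modify"})),
    Assignment("ops-bob", "human", "unique", "Terraform", frozenset({"read", "modify"})),
    Assignment("ops-carol", "human", "unique", "Terraform", frozenset({"read", "modify"}),
               tags=frozenset({"terraform-operator"})),
]


if __name__ == "__main__":
    findings = violations(SAMPLE_ASSIGNMENTS)
    print(f"{len(findings)} violation(s)")
    for line in findings:
        print(" -", line)
```

Run on the constructed sample, the check reports exactly four findings: the standing (non-JIT) human grant on Sensitive, the human read on Audit, the human networking change, and the Terraform state grant without the operator role. Everything the Automation or a client principal does, and the workload's append-only emission into Audit, passes. Wiring this into the same pipeline that applies role assignments turns the table into an enforced control rather than a documented intention.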
...
...