Skip to content
ANTE

Security

Privileged Access Policy

Last updated: 2026-06-22

← All security documents

Owner: Multibook, Inc. · Version 1.0 · Reviewed annually.

Purpose & scope

Defines how special-purpose, high-privilege access to ANTE’s production estate (servers, OS, databases, cloud consoles) is granted, authenticated, used, logged, and reviewed. Scope: the 5 production droplets (DigitalOcean SGP1), their PostgreSQL databases, the DigitalOcean and Cloudflare control planes, the Vercel project, and the application’s in-app administrative roles.

Principles

  • Least privilege — access only to those who need it, at the minimum scope required.
  • Named individuals only — no shared logins for human access; every privileged action is attributable to a person.
  • Strong authentication — key/identity-based only; no reusable passwords for server or database administration.
  • Auditability — privileged operations are logged and reviewable.

Server / OS administration

  • Access method: SSH with public-key authentication only. Password and keyboard-interactive authentication are disabled fleet-wide.
  • Network path: administrative SSH is reachable only over a private Tailscale (WireGuard) network; public port 22 is closed on every droplet. Tailscale provides identity-based access (SSO-backed, MFA-capable) with per-device authorization and revocation.
  • Key holders: privileged SSH access is limited to named Multibook engineers — Guillermo Tabligan (Lead Developer / DevOps Engineer) and Erwin Guevarra (DevOps Engineer); the list is maintained by the Lead Developer / DevOps Engineer.
  • Brute-force protection: fail2ban (sshd jail) is active on all droplets as defence-in-depth.

Database administration

PostgreSQL is bound to localhost (127.0.0.1) on each host and is not reachable from the network or internet; only the co-located application and on-host administrators connect. There is no public database endpoint.

Cloud control planes

DigitalOcean, Cloudflare, and Vercel console access is held by the Lead Developer / DevOps Engineer (Guillermo Tabligan), with provider-side MFA enabled where available. API tokens / deploy keys are scoped to the minimum capability required and stored as CI secrets, never committed to the repository.

In-application administrative privilege

  • Three-tier model: full-access flag, developer flag, and per-scope RBAC.
  • Sensitive operations (payroll posting, journal-entry administration, chart-of-accounts changes) require an additional OTP confirmation.
  • All administrative actions are recorded in the append-only audit service (24-month retention).

Logging & attribution

Privileged in-app actions → append-only audit database (24 months). Deployments → GitHub Actions logs (per actor/commit). Server access → SSH/auth logs + Tailscale device logs.

Rotation & annual review

SSH keys and cloud tokens are rotated on personnel change and at least annually; leavers’ keys and devices are revoked immediately on departure. At least once per year the full list of privileged accounts is reviewed, each confirmed still required, and any not required removed; the review date and outcome are recorded.