Owner: Multibook, Inc. · Version 1.0 · Reviewed annually.
Purpose & scope
Defines how special-purpose, high-privilege access to ANTE’s production estate (servers, OS, databases, cloud consoles) is granted, authenticated, used, logged, and reviewed. Scope: the 5 production droplets (DigitalOcean SGP1), their PostgreSQL databases, the DigitalOcean and Cloudflare control planes, the Vercel project, and the application’s in-app administrative roles.
Principles
- Least privilege — access only to those who need it, at the minimum scope required.
- Named individuals only — no shared logins for human access; every privileged action is attributable to a person.
- Strong authentication — key/identity-based only; no reusable passwords for server or database administration.
- Auditability — privileged operations are logged and reviewable.
Server / OS administration
- Access method: SSH with public-key authentication only. Password and keyboard-interactive authentication are disabled fleet-wide.
- Network path: administrative SSH is reachable only over a private Tailscale (WireGuard) network; public port 22 is closed on every droplet. Tailscale provides identity-based access (SSO-backed, MFA-capable) with per-device authorization and revocation.
- Key holders: privileged SSH access is limited to named Multibook engineers — Guillermo Tabligan (Lead Developer / DevOps Engineer) and Erwin Guevarra (DevOps Engineer); the list is maintained by the Lead Developer / DevOps Engineer.
- Brute-force protection: fail2ban (sshd jail) is active on all droplets as defence-in-depth.
Database administration
PostgreSQL is bound to localhost (127.0.0.1) on each host and is not reachable from the network or internet; only the co-located application and on-host administrators connect. There is no public database endpoint.
Cloud control planes
DigitalOcean, Cloudflare, and Vercel console access is held by the Lead Developer / DevOps Engineer (Guillermo Tabligan), with provider-side MFA enabled where available. API tokens / deploy keys are scoped to the minimum capability required and stored as CI secrets, never committed to the repository.
In-application administrative privilege
- Three-tier model: full-access flag, developer flag, and per-scope RBAC.
- Sensitive operations (payroll posting, journal-entry administration, chart-of-accounts changes) require an additional OTP confirmation.
- All administrative actions are recorded in the append-only audit service (24-month retention).
Logging & attribution
Privileged in-app actions → append-only audit database (24 months). Deployments → GitHub Actions logs (per actor/commit). Server access → SSH/auth logs + Tailscale device logs.
Rotation & annual review
SSH keys and cloud tokens are rotated on personnel change and at least annually; leavers’ keys and devices are revoked immediately on departure. At least once per year the full list of privileged accounts is reviewed, each confirmed still required, and any not required removed; the review date and outcome are recorded.