Context
In order to implement a policy of least privilege in sourcegraph.com, we need to devise an alternative solution to CEs and AEs needing full site-admin access to manage licenses. These licenses for on-prem customer deployments are currently managed in https://sourcegraph.com/site-admin/dotcom/product/subscriptions.
Ripping out this whole system from the main product is likely a larger effort. Introducing a separate role that allows for license management without full site admin access is likely the best course of action currently. This would be the beginning of introducing more specific roles in our authorization system (i.e. RBAC).