
Access Matrix

Role-based access control reference for the Microtec ERP platform.

Process: All access requests go through your team lead → Azure DevOps admin
Principle: Least privilege — request only what you need for your role
Review cycle: Access is audited quarterly


Role Definitions

Backend Dev: .NET developer working on ERP/BO backend services
Frontend Dev: Angular developer working on MFE apps
Mobile Dev: Flutter developer working on BoMobileApp, ERPMobileApps, VanSalesMobileApp
DevOps: Platform/infrastructure engineer
Architect: Technical lead, system design decisions
QA: Test engineer, manual and automated testing
Manager: Engineering manager, non-technical oversight

Azure Portal Access

Role columns, in order: Backend Dev, Frontend Dev, Mobile Dev, DevOps, Architect, QA, Manager
mic-erp-be-dev-*: Reader, Owner, Reader, Reader
mic-erp-be-stage-*: Owner, Reader, Reader
mic-erp-be-preprod-*: Owner, Reader
mic-erp-be-prod-*: Owner, Reader
mic-erp-fr-dev-*: Reader, Owner, Reader, Reader
mic-erp-fr-stage-*: Owner, Reader, Reader
mic-backend-shared-sql-rg: Contributor, Reader
All environments: Reader, Reader

Reader = view resources and logs, cannot make changes
Contributor = deploy and configure resources, cannot manage IAM
Owner = full access including IAM management


Azure DevOps Access

Role columns, in order: Backend Dev, Frontend Dev, Mobile Dev, DevOps, Architect, QA, Manager
Repos (all): Contributor, Contributor, Contributor, Admin, Admin, Reader, Reader
Pipelines — run: Yes, Yes (frontend only), Yes (mobile only), Yes, Yes, Yes (test pipelines)
Pipelines — edit: Yes, Yes
Pipeline — prod deploy: Yes (with approval), Yes (with approval)
Boards: Contributor, Contributor, Contributor, Contributor, Admin, Contributor, Admin
Artifacts (NuGet): Read, Read+Write, Read+Write
Test Plans: Admin

Azure Container Registry (ACR)

Role columns, in order: Backend Dev, Frontend Dev, DevOps, Architect, QA
micerpbedevacr (dev): Pull, Push+Pull, Pull
micerpbestageacr (stage): Push+Pull, Pull, Pull
micerpbeproductionacr (prod): Push+Pull
micerpfrdevacr (frontend dev): Pull, Push+Pull, Pull
micerpfrstageacr (frontend stage): Push+Pull, Pull, Pull

SQL Server VM

Access is via SSH and SQL authentication. The SQL VM is in mic-backend-shared-sql-rg.

Role columns, in order: Backend Dev, Frontend Dev, DevOps, Architect, DBA
SSH (22): Yes (mic-shared-sql), Yes
SQL Server (1433): Dev DB only, All DBs, Read-only (all), All DBs
SQL Agent: Yes, Yes
sysadmin role: Yes

SSH key for SQL VM: ~/.ssh/mic-shared-sql
SSH user: sqladmin
Host: 20.50.120.95 (via VPN)


Azure Key Vault

Role columns, in order: Backend Dev, DevOps, Architect, Security
mic-erp-be-dev-skv: Get secrets (dev only), Full access, List+Get, Audit only
mic-erp-stg-kv: Full access, List, Audit only
mic-erp-be-preprod-skv: Full access, Audit only
mic-erp-uat-kv: Full access, Audit only
Production KV: Full access (with MFA), Audit only

[WARNING] Production Key Vault access requires MFA and is logged. Any access without a linked incident or change ticket is flagged for review.
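The review rule in the warning above can be automated by correlating the vault's audit log with the ticket system. The script below is an added example, not part of the Microtec team's tooling: it assumes Key Vault diagnostic AuditEvent records carrying operationName, time, identity.claim.upn and properties.id, a ticket export with an assignee and open/close times, and a placeholder host name for the production vault (the real name is not on this page); every record in it is constructed.

```python
"""
Flag production Key Vault audit events that have no linked incident or change ticket.

Added example (not the Microtec team's own tooling). Assumptions:
  * events are shaped like Azure Key Vault diagnostic-log "AuditEvent" records
    (operationName, time, identity.claim.upn, properties.id); the records below
    are constructed, not real log output.
  * tickets come from an export where each ticket names an assignee and a window.
"""
from datetime import datetime, timedelta, timezone

# Placeholder: the production vault host is not named on the page.
PROD_VAULT_HOST = "PLACEHOLDER-prod-kv.vault.azure.net"

# Constructed sample: three audit events against the production vault.
SAMPLE_EVENTS = [
    {"time": "2024-05-02T09:15:00Z", "operationName": "SecretGet",
     "identity": {"claim": {"upn": "alice@example.invalid"}},
     "properties": {"id": f"https://{PROD_VAULT_HOST}/secrets/db-conn/abc"}},
    {"time": "2024-05-02T23:40:00Z", "operationName": "SecretGet",
     "identity": {"claim": {"upn": "bob@example.invalid"}},
     "properties": {"id": f"https://{PROD_VAULT_HOST}/secrets/api-key/def"}},
    {"time": "2024-05-02T09:20:00Z", "operationName": "SecretList",
     "identity": {"claim": {"upn": "alice@example.invalid"}},
     "properties": {"id": f"https://{PROD_VAULT_HOST}/secrets"}},
]

# Constructed sample: ticket export. Alice has a change ticket covering her
# access window; Bob has no ticket at all.
SAMPLE_TICKETS = [
    {"id": "CHG-0001", "assignee": "alice@example.invalid",
     "opened": "2024-05-02T08:00:00Z", "closed": "2024-05-02T12:00:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse the UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def linked_ticket(event, tickets, grace=timedelta(hours=1)):
    """Return the id of a ticket that covers this event's caller and time, else None.

    A small grace window tolerates access slightly before the ticket was opened
    or after it was closed (e.g. a final verification read)."""
    when = _ts(event["time"])
    upn = event.get("identity", {}).get("claim", {}).get("upn")
    for ticket in tickets:
        if ticket["assignee"] != upn:
            continue
        opened = _ts(ticket["opened"])
        # A ticket with no close time is still open, so it covers the event.
        closed = _ts(ticket["closed"]) if ticket.get("closed") else when
        if opened - grace <= when <= closed + grace:
            return ticket["id"]
    return None


def flag_unlinked_access(events, tickets, vault_host=PROD_VAULT_HOST):
    """Return data-plane operations on the production vault with no covering ticket."""
    flagged = []
    for event in events:
        if vault_host not in event["properties"]["id"]:
            continue  # not the production vault
        # Secret/Key/Certificate operations are the data-plane reads and writes
        # the warning is about; authentication noise is skipped.
        if not event["operationName"].startswith(("Secret", "Key", "Certificate")):
            continue
        if linked_ticket(event, tickets) is None:
            flagged.append({
                "time": event["time"],
                "upn": event["identity"]["claim"].get("upn"),
                "operation": event["operationName"],
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_unlinked_access(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(f"REVIEW: {hit['time']} {hit['upn']} {hit['operation']} (no linked ticket)")
```

Run as a scheduled job over the previous day's diagnostic export, the output is the list that goes to the security team for review; the grace window and the operation-name filter are the two knobs to tune if it proves too noisy.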


Keycloak Admin Console

Role columns, in order: Backend Dev, Frontend Dev, DevOps, Architect, QA
microtec (dev): Manage clients, View only, Admin, Admin, View users
microtec (stage): Admin, View, View users
microtec (prod): Admin (read-mostly), View
businessowner (dev): View only, Admin, Admin, View users
master realm: Admin (DevOps lead only)

Seq Logging

Role columns, in order: Backend Dev, Frontend Dev, DevOps, QA, Manager
Dev Seq (localhost:1234): Full access, Read, Full access, Read
Stage Seq: Full access, Read
Production Seq: Full access

On-Prem Servers

Role columns, in order: Backend Dev, DevOps, Architect
eg-sv-01 (192.168.120.233): SSH
eg-sv-vip (192.168.120.12): SSH + NPM admin
eg-sv-ai (192.168.120.254): SonarQube (read), SSH + admin, SonarQube admin
ESXi (192.168.120.207): Admin (DevOps lead only)
Build agents: SSH

VPN required for all on-prem server access.


Monitoring and Alerting

Role columns, in order: Backend Dev, Frontend Dev, DevOps, Architect, Manager
App Insights (dev): Read, Full, Read
App Insights (stage): Full, Read
App Insights (prod): Full, Read, Read (dashboards)
Alert rules: Full
Action groups (escalation): Admin, Member

Requesting Access

Standard request

Submit to your team lead via the internal ticketing system:

Request Type: Access Grant
System: [Azure DevOps / Azure Portal / SQL Server / Keycloak / ...]
Environment: [dev / stage / preprod / uat / prod]
Role: [your role]
Justification: [brief explanation]
Duration: [permanent / temporary (specify dates)]
Approver: [team lead name]

Elevated access (stage/prod)

Production access requests require:

  • Team lead approval
  • Engineering manager approval
  • Security team notification
  • Time-limited grant (max 30 days) with mandatory review

Emergency access (P0 incident)

For P0 incidents, temporary elevated access can be granted by the on-call DevOps lead without standard approval flow. All emergency access grants must be reviewed and either converted to standard access or revoked within 48 hours of incident resolution.


Access Revocation

Access is automatically reviewed and revoked when:

  • Team member leaves the company (immediate revocation)
  • Role changes (access adjusted within 5 business days)
  • Project involvement ends (access adjusted within 10 business days)
  • Quarterly access audit finds excess permissions
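The lifecycle rules in the Elevated access, Emergency access and Access Revocation sections are concrete enough to check mechanically. The script below is an added example, not the platform team's own audit job: it assumes a grant export and a people roster with the field names shown (id, user, environment, role, granted, expires, emergency, incident_resolved, reviewed; status, role, role_changed_on), all of which are constructed for illustration, and it applies the 30-day production limit, the 48-hour emergency review window, immediate revocation for leavers and the 5-business-day role-change window exactly as stated above.

```python
"""
Audit access grants against the lifecycle rules of the Microtec access matrix.

Added example, not the platform team's own tooling. The grant and roster records
are constructed and their field names are assumptions.
"""
from datetime import date, datetime, timedelta, timezone

PROD_MAX_DAYS = 30               # time-limited prod grant (max 30 days)
EMERGENCY_REVIEW_HOURS = 48      # review window after incident resolution
ROLE_CHANGE_BUSINESS_DAYS = 5    # access adjusted within 5 business days


def business_days_between(start: date, end: date) -> int:
    """Count Monday-Friday days after `start` up to and including `end`."""
    count, current = 0, start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5:
            count += 1
    return count


def audit_grants(grants, roster, now: datetime):
    """Return (grant id, reason) pairs for every grant that breaks a rule."""
    findings = []
    for grant in grants:
        gid = grant["id"]
        person = roster.get(grant["user"], {})

        # Leavers: immediate revocation, so any surviving grant is a finding.
        if person.get("status") == "left":
            findings.append((gid, "user has left the company: revoke immediately"))

        # Production grants must be time-limited to at most 30 days.
        if grant["environment"] == "prod":
            if grant.get("expires") is None:
                findings.append((gid, "prod grant has no expiry (max 30 days)"))
            elif (grant["expires"] - grant["granted"]).days > PROD_MAX_DAYS:
                findings.append((gid, "prod grant exceeds the 30-day limit"))

        # Emergency grants must be reviewed within 48h of incident resolution.
        resolved = grant.get("incident_resolved")
        if grant.get("emergency") and resolved and not grant.get("reviewed"):
            if now - resolved > timedelta(hours=EMERGENCY_REVIEW_HOURS):
                findings.append((gid, "emergency grant not reviewed within 48h of incident resolution"))

        # Role changes: the grant must match the new role within 5 business days.
        changed_on = person.get("role_changed_on")
        if changed_on and grant["role"] != person.get("role"):
            if business_days_between(changed_on, now.date()) > ROLE_CHANGE_BUSINESS_DAYS:
                findings.append((gid, "grant still reflects the previous role after 5 business days"))
    return findings


# Constructed sample data. 2024-06-10 is a Monday.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)

SAMPLE_ROSTER = {
    "alice": {"status": "active", "role": "backend-dev"},
    "bob":   {"status": "active", "role": "devops"},
    "carol": {"status": "active", "role": "devops"},
    "dave":  {"status": "left",   "role": "frontend-dev"},
    # erin moved from frontend-dev to qa on Friday 2024-05-31
    "erin":  {"status": "active", "role": "qa", "role_changed_on": date(2024, 5, 31)},
}

SAMPLE_GRANTS = [
    {"id": "G1", "user": "alice", "environment": "prod", "role": "backend-dev",
     "granted": date(2024, 6, 1), "expires": date(2024, 6, 20)},           # compliant
    {"id": "G2", "user": "bob", "environment": "prod", "role": "devops",
     "granted": date(2024, 5, 20), "expires": None},                       # no expiry
    {"id": "G3", "user": "carol", "environment": "stage", "role": "devops",
     "granted": date(2024, 6, 5), "expires": date(2024, 6, 12), "emergency": True,
     "incident_resolved": datetime(2024, 6, 6, 10, 0, tzinfo=timezone.utc),
     "reviewed": False},                                                   # review overdue
    {"id": "G4", "user": "dave", "environment": "dev", "role": "frontend-dev",
     "granted": date(2024, 1, 15), "expires": None},                       # leaver
    {"id": "G5", "user": "erin", "environment": "dev", "role": "frontend-dev",
     "granted": date(2024, 2, 1), "expires": None},                        # stale role
]


if __name__ == "__main__":
    for gid, reason in audit_grants(SAMPLE_GRANTS, SAMPLE_ROSTER, NOW):
        print(f"{gid}: {reason}")
```

Pointing the same function at a real export makes the quarterly audit a repeatable job rather than a manual pass; the business-day counter deliberately ignores public holidays, which is the conservative reading of the 5- and 10-day windows.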

Internal Documentation — Microtec Platform Team