After you connect a Version Control system to Drata, Drata will sync and auto-match accounts to a personnel (except for Bitbucket and AWS Code Commit). You can also manually link personnels to synced version control accounts and verify the access levels of each account within your company’s version control system.

Drata has read-only access to your company’s version control system. The actions you take following this article on Drata’s ‘Version Control Accounts’ page does not change permissions or access levels on your company's version control system.

The version control system is integrated to let Drata know what the users should have access to. Drata's daily, automated tests will confirm and collect evidence for future audits. If unauthorized access is detected, your team will be alerted automatically.

Remember, Drata is only provided with Read-Only access to your company's systems. The toggles on this page are not changing any permissions or access levels on your actual version control system. They're only telling Drata what the user should have access to.

1. Select "Connections'' on the side navigation menu.

2. Search for your active version control connection and select ‘Manage Accounts’. The following image is an example when GitHub is the version control connection. Go to your version control connection to select ‘Manage Accounts’.

Note: If you do not see any connections under the Active connections tab, go to Available connections to connect to a version control connection.

3. View all of your synced version control accounts in the Version Control Accounts page.

When new version control accounts are synced, Drata attempts to find a match to a personnel, by matching between personnel’s details coming from HRIS (such as name and email) and version control account details (such as username, name, and email). If no match is found, that account remains unlinked.

You can always update, add, or remove linked version control accounts. To do so, select the dropdown in the Personnel column and begin entering the name of the personnel.

To verify that the user is linked, a link icon should appear under the Status column.

In the following sections, learn more about the following columns in the table: Access Revoked, Write Access, Merge to Default Branch, Has MFA, and Settings Gear.

Access Revoked column indicates the timestamp of a removal of an account. The account is not removed from Drata. This is important as it creates an audit trail, allowing for tracking of access control SLAs.

Note: It can take up to 24 hours for Drata to update. This is due to the connection API.

The Write Access column indicates what level of write access the user should have.

By default, the column indicates that users do not have write access; the toggle is off. Verify each user's access and toggle on () if a user is supposed to have write access.

Note: If the user has write access to one or multiple repositories in your connected version control account, ensure to toggle on in the column.

The Merge to Default Branch column indicates if the user should have the authority to push code to your production application.

By default, the column indicates that users do not have write access; the toggle is off. Verify each user's access and toggle on () if a user should have the authority to push code to your production application. Updating the toggles does not change or update your version control tool.

Note: If the user has merge to default branch access to one or multiple repositories in your connected version control account, ensure to toggle on in the column.

The Has MFA column is automated and pulls information from the version control tool. It's important that your personnel have MFA enabled for security and compliance.

The last column has a Gear icon.

Hover over the icon to view tooltip with a "Make Out of Scope (Ignore)." message. Select the gear for version control users that are not actual real people at your company, but instead are accounts meant for conducting specific services automatically. When you select the icon, a modal appears. The following image showcases the modal.

You'll be prompted to provide the business rationale for having an account that is not unique to any individual at your company. Inputting this information here will save you time during your next audit. This action also makes this record appear with the link icon in the far left column, and will help avoid test failures for this record.

Learn more about how identity sync updates are made in Drata in connection to your version control system and how accounts are revoked.

Future iterations of this page can include the ability to conduct and record evidence of formal system access control reviews. Automatic alerts can be sent to appropriate individuals on a regular cadence to conduct these reviews in an efficient way.

Have ideas or feedback for our product team? Please never hesitate to reach us!