Single Source of Truth
One place to look. One place to change. One place to trust.
The Principle
There must be one authoritative record of access state: the configuration repository. Not the identity provider's database. Not the cloud console. Not a spreadsheet maintained by IT. Not a wiki page updated quarterly. The repository. When the repository and a downstream system disagree, the repository is correct, and the downstream system must be reconciled to it.
What This Eliminates
Organizations with more than fifty people tend to have at least one “access spreadsheet”: a document listing who has access to what, maintained by someone who tries their best but is always behind. This artifact exists because the real state is scattered across dozens of admin consoles and there is no single place to see it all.
A configuration repository makes this artifact unnecessary. The current state of the configuration files IS the access documentation. It is correct by construction, because it is the input to the automation that enforces it. The caveat is that the claim only holds while that automation actually runs: a repository that is written but not continuously reconciled against every downstream system is just a better-formatted spreadsheet.
The Cultural Shift
This principle has a corollary that some will find uncomfortable: changes made outside the repository are not legitimate. An admin who grants access directly in a console is creating drift, not solving a problem. The reconciler will detect the deviation and flag it, and the only way to make such a change stick is to commit it to the repository. This is intentional. The value of a single source of truth comes from its exclusivity: the moment you allow two sources of truth, you have none.
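The reconciliation loop that the Principle and the Cultural Shift describe, as an added example that is not the page's own code. It flattens role definitions as they would be committed to the repository into (principal, permission) pairs, does the same for a downstream system's grant listing, and reports drift in both directions: grants the repository never declared (an admin working in the console) and grants it declared that have gone missing (a silent revocation). The role file layout, the downstream JSON shape, the `revoke`/`grant` callbacks and all names are assumptions of this example; the sample data is constructed.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Tuple

Grant = Tuple[str, str]  # (principal, permission)

# Desired state, as it would be committed to the configuration repository.
# Constructed sample; the file layout is an assumption of this example.
DESIRED_STATE = {
    "roles": {
        "billing-admin": {
            "members": ["alice", "bob"],
            "grants": ["billing:read", "billing:write"],
        },
        "billing-reader": {
            "members": ["carol"],
            "grants": ["billing:read"],
        },
    }
}

# Observed state, as an assumed downstream system's API might return it.
# Constructed sample: dave was granted billing:write directly in the
# console, and carol's billing:read grant was removed out of band.
OBSERVED_JSON = json.dumps([
    {"principal": "alice", "permission": "billing:read"},
    {"principal": "alice", "permission": "billing:write"},
    {"principal": "bob", "permission": "billing:read"},
    {"principal": "bob", "permission": "billing:write"},
    {"principal": "dave", "permission": "billing:write"},
])


@dataclass(frozen=True)
class DriftReport:
    unauthorized: frozenset  # downstream has it, repository does not declare it
    missing: frozenset       # repository declares it, downstream lacks it

    @property
    def in_sync(self) -> bool:
        return not self.unauthorized and not self.missing


def expand_desired(desired: dict) -> set:
    """Flatten role definitions into the (principal, permission) pairs the
    repository implies. A principal in two roles gets the union."""
    pairs = set()
    for role in desired["roles"].values():
        for member in role["members"]:
            for permission in role["grants"]:
                pairs.add((member, permission))
    return pairs


def parse_observed(raw_json: str) -> set:
    """Normalise a downstream system's grant listing to the same pair form."""
    return {(g["principal"], g["permission"]) for g in json.loads(raw_json)}


def detect_drift(desired: dict, observed: set) -> DriftReport:
    """The repository is authoritative: anything downstream it did not declare
    is unauthorized drift; anything it declared that is absent is missing.
    Both directions matter, because a silent revocation is drift too."""
    want = expand_desired(desired)
    return DriftReport(unauthorized=frozenset(observed - want),
                       missing=frozenset(want - observed))


def reconcile(desired: dict, observed: set, revoke, grant) -> DriftReport:
    """Drive the downstream system back to the repository's state. `revoke`
    and `grant` are callbacks into the (assumed) downstream API; the order
    is deterministic so every run leaves a reproducible audit trail."""
    report = detect_drift(desired, observed)
    for principal, permission in sorted(report.unauthorized):
        revoke(principal, permission)
    for principal, permission in sorted(report.missing):
        grant(principal, permission)
    return report


def plan(desired: dict, observed: set) -> list:
    """Dry run: the ordered list of actions reconcile() would take."""
    actions = []
    reconcile(desired, observed,
              revoke=lambda p, perm: actions.append(("revoke", p, perm)),
              grant=lambda p, perm: actions.append(("grant", p, perm)))
    return actions


if __name__ == "__main__":
    for action in plan(DESIRED_STATE, parse_observed(OBSERVED_JSON)):
        print(*action)
```

Running it on the constructed sample yields two actions: revoke dave's billing:write and re-grant carol's billing:read. Whether a real deployment auto-reverts or only alerts is a policy choice, but the dry-run `plan` output is what should land in the audit log either way, and the loop should run on a schedule as well as on change events so that console edits are caught within minutes rather than at the next quarterly review.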
The Recursive Question
Who has write access to the configuration repository itself? Who can merge changes to role definitions? This is the self-referential problem that meta-systems face. The answer is necessarily pragmatic. A small set of platform or security engineers bootstrap the repo's access controls through a separate mechanism, typically platform-native permissions on the git hosting provider, enforced by branch protection on the default branch: no direct pushes, no force-pushes, and required reviews from designated owners. This bootstrapping layer is small, visible, and auditable: it should be possible to list exactly who is in it, and that list deserves the same scheduled review as any other privileged group. It is not a contradiction of the model; it is the foundation it stands on. The system that manages all other access has its own access managed deliberately, minimally, and with full awareness of the recursion.
Antipatterns
- Multiple systems claim to be authoritative and their answers conflict.
- An access spreadsheet exists because no single system shows the full picture.
- Admins grant access directly in consoles and the system does not detect it.
- No one can say who has write access to the access configuration itself.