Worked Examples

These examples walk through complete scenarios — from inputs to actions to outputs. Use them as templates for similar situations.

Scenario: New hire joining the Engineering team.

  1. Create user in /w2/w2-probation.
  2. Add to roster: prv-org-people-w2-active.
  3. Add to team: prv-eng-team-apps.
  4. Subscribe to mail lists:
    • prv-team-mail-announce
    • prv-team-mail-all-staff
    • prv-team-mail-eng-updates
  5. Grant roles (as approved):
    • prv-eng-role-gl-developer (90 days, renewable)
    • prv-eng-role-aws-idc-dev-developer (90 days)
  6. After onboarding complete: Promote from /w2/w2-probation to /w2/w2-active.

  Evidence:
  • Ticket with approvals
  • GAM output showing group additions
  • Role grant with expiry date

Scenario: New customer “Slope Clinical” (slug: slope), first project “Modernization” (slug: mod).

  1. Create umbrella groups:

    • prv-ops-cus-slope-prosrv
    • prv-ops-cus-slope-sales
    • prv-ops-cus-slope-cpoc
    • prv-ops-cus-slope-announce
  2. Provision drives:

    • EXT_PRV_Customers-SlopeClinical_COLLAB_Active_Private
    • INT_PRV_Customers-SlopeClinical_TEAM_Active_Private
    • INT_PRV_Customers-SlopeClinical_STRICT_Active_Confidential
  3. Create project triplet:

    • prv-eng-prj-slope-mod-dri
    • prv-eng-prj-slope-mod-delivery
    • prv-eng-prj-slope-mod-client
  4. Create project folders in each drive:

    ```text
    01_slope_mod/
      00_preengagement/
      01_kickoff/
      02_discovery/
      03_delivery/
      ...
    ```
  5. Set ACLs:

    • COLLAB: ...-mod-dri (Editor), ...-mod-delivery (Commenter), ...-mod-client (Commenter)
    • TEAM: ...-mod-dri (Editor), ...-mod-delivery (Editor)
    • STRICT: ...-mod-dri (Editor) only

Scenario: 1Password breach alerts need to reach on-call security engineers.

  1. Create intake: prv-sec-intake-op-events

    • Allowlist: 1Password sender addresses
    • Subject prefix: [OP]
    • Archive-only (no human subscribers)
  2. Create alerts: prv-sec-alerts-op-breach

    • Members: on-call security engineers (max 5)
    • Subject prefix: [OP-CRIT]

Resulting mail flow:

```text
1Password → prv-sec-intake-op-events (all events, archive)
1Password → prv-sec-alerts-op-breach (critical findings → on-call)
```

Scenario: Engineering contractor’s engagement ends.

  1. Suspend account. Move to /contractors/contractors-engineering-offboarded.
  2. Remove from all Role groups:
    • prv-eng-role-gl-developer
    • prv-eng-role-aws-idc-dev-developer
    • Any project-specific roles
  3. Remove from Team: prv-eng-team-apps.
  4. Move to offboarded roster: prv-org-people-contractors-eng-offboarded.
  5. Transfer content ownership (Drive files).
  6. Remove from all mail lists.
  7. License to zero.
  8. Retain Vault holds per contract.

Scenario: Marketing needs temporary Zoom webinar host access for an event.

  1. Grant role: Add marketing team member to prv-mktg-role-zm-producer.
  2. Set expiry: 14 days (event + buffer).
  3. Document: Ticket with justification, approver, expiry date.
  4. After event: Role auto-expires or manual removal.
  5. Evidence: Log grant/revoke in ticket.

Scenario: Setting up the shared AWS admin identity.

  1. Create account: prv-plt-admin-aws@{domain}.
  2. Display name: [ PRV ] PLT Admin – AWS.
  3. Place in OU: /automation-accounts/automation-accounts-active.
  4. Store credentials: Root password + MFA in 1Password vault with restricted access.
  5. Create owner group: prv-plt-auto-owners-aws with 2+ PLT engineers.
  6. Document: Scopes, access procedure, emergency-use-only policy.
  7. Schedule: Quarterly credential rotation + access review.

Scenario: Quarterly controls review.

  1. Group ownership: Verify every group has >= 2 owners.

    ```bash
    # Find groups with fewer than 2 owners. NR>1 skips the CSV header line,
    # which would otherwise be reported as a "group" with one owner.
    # Caveat: a group with zero owners emits no rows at all, so cross-check
    # the result against the full group inventory (gam print groups).
    # The keyword for selecting owner rows varies by GAM version; verify it
    # against the syntax of the GAM build you run.
    gam print group-members type owner | awk -F',' 'NR>1 {count[$1]++} END{for(g in count) if(count[g]<2) print g}'
    ```
  2. External members on TEAM/STRICT: Must be 0.

    ```bash
    # Expected output: nothing. Any line that survives is an ACL principal
    # outside the internal domain on a TEAM or STRICT drive. tail skips the
    # CSV header, which never contains the domain and would show up as noise.
    gam print drivefileacls query "name contains '_TEAM_' or name contains '_STRICT_'" | tail -n +2 | grep -v "@provisionr.com"
    ```
  3. Role attestation: All role owners confirm members are still justified.

  4. OAuth/Marketplace: Review allowlists. Remove unused apps.

  5. Breakglass test: Unsuspend → login → scoped task → resuspend → evidence.

  6. Automation scopes: DWD grants still minimal? Keys rotated?

  7. Mail hygiene: Allowlists current? Moderation queues clear?
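The first two review checks above, implemented offline over constructed GAM CSV exports, as an added example that is not part of this playbook's own tooling. It assumes `gam print group-members` emits the columns `group,type,role,email` and that the ACL export carries `title,emailAddress,role,type`; the sample rows, the group inventory and the `slopeclinical.example` domain are constructed. Unlike the one-liner, it also catches groups with zero owners, which never appear in a member export.

```python
import csv
import io
from collections import Counter

# Constructed sample in the column layout assumed for `gam print group-members`
# (group,type,role,email); check your GAM version's header if it differs.
MEMBERS_CSV = """group,type,role,email
prv-eng-team-apps@provisionr.com,USER,OWNER,alice@provisionr.com
prv-eng-team-apps@provisionr.com,USER,OWNER,bob@provisionr.com
prv-eng-team-apps@provisionr.com,USER,MEMBER,carol@provisionr.com
prv-sec-alerts-op-breach@provisionr.com,USER,OWNER,dave@provisionr.com
prv-sec-alerts-op-breach@provisionr.com,USER,MEMBER,erin@provisionr.com
"""

# Constructed group inventory (what `gam print groups` would list). A group
# with zero owners never appears in the member export, so the inventory is
# what lets the review catch it.
ALL_GROUPS = [
    "prv-eng-team-apps@provisionr.com",
    "prv-sec-alerts-op-breach@provisionr.com",
    "prv-ops-cus-slope-announce@provisionr.com",
]

# Constructed ACL sample; the column names are an assumption about the
# `gam print drivefileacls` export (title,emailAddress,role,type).
ACL_CSV = """title,emailAddress,role,type
INT_PRV_Customers-SlopeClinical_STRICT_Active_Confidential,prv-eng-prj-slope-mod-dri@provisionr.com,writer,group
INT_PRV_Customers-SlopeClinical_STRICT_Active_Confidential,pm@slopeclinical.example,commenter,user
EXT_PRV_Customers-SlopeClinical_COLLAB_Active_Private,pm@slopeclinical.example,commenter,user
"""

def groups_below_owner_minimum(members_csv, all_groups, minimum=2):
    """Map each under-owned group to its owner count (zero-owner groups included)."""
    owners = Counter()
    for row in csv.DictReader(io.StringIO(members_csv)):
        if row["role"].upper() == "OWNER":
            owners[row["group"].lower()] += 1
    return {g: owners[g.lower()] for g in all_groups if owners[g.lower()] < minimum}

def external_acls(acl_csv, internal_domain, tiers=("_TEAM_", "_STRICT_")):
    """List (drive, principal, role) for non-internal principals on TEAM/STRICT drives."""
    findings = []
    for row in csv.DictReader(io.StringIO(acl_csv)):
        if not any(t in row["title"] for t in tiers):
            continue  # COLLAB drives may legitimately hold external commenters
        if not row["emailAddress"].lower().endswith("@" + internal_domain):
            findings.append((row["title"], row["emailAddress"], row["role"]))
    return findings
```

Both functions return findings rather than printing them, so the review evidence can be written straight into the ticket.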