Profile Applicability:
Level 1
Description:
The ability to create new teams within the organization’s collaboration or version control platform must be restricted to designated members only. Limiting team creation helps maintain organized group structures, enforces governance policies, and prevents unauthorized or unnecessary team proliferation.
Rationale:
Controlling team creation reduces administrative overhead, minimizes the risk of misconfigured permissions or access rights, and supports compliance with organizational policies. It ensures that teams are created with appropriate oversight and purpose, maintaining security and operational efficiency.
Impact:
Pros:
Prevents uncontrolled growth of teams and access groups.
Enhances governance and oversight.
Reduces potential for misconfiguration and privilege escalation.
Supports compliance with access management policies.
Cons:
May slow down team creation processes if too restrictive.
Requires clear delegation and role management.
Default value:
By default, some platforms may allow all users or broad groups to create teams, increasing risk.
Audit:
Review the platform's organization-level permission settings to verify which roles or members are allowed to create teams. Check audit logs for team creation events and confirm that each one was performed by authorized personnel.
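As an added example (not part of this benchmark text), the log check above can be scripted. The Python below scans constructed GitHub-style organization audit log entries for team.create events performed by actors outside a designated allowlist; the field names, the sample entries and the allowlist are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample of GitHub-style organization audit log entries (JSON lines),
# not a real export. Field names (action, actor, org, team, @timestamp) follow
# the GitHub audit log export format; treat them as an assumption.
SAMPLE_AUDIT_LOG = """
{"action": "team.create", "actor": "alice-admin", "org": "example-org", "team": "example-org/platform", "@timestamp": 1700000000000}
{"action": "team.add_member", "actor": "alice-admin", "org": "example-org", "team": "example-org/platform", "@timestamp": 1700000100000}
{"action": "team.create", "actor": "bob-dev", "org": "example-org", "team": "example-org/side-project", "@timestamp": 1700000200000}
{"action": "team.create", "actor": "carol-admin", "org": "example-org", "team": "example-org/security", "@timestamp": 1700000300000}
"""

# Hypothetical allowlist of personnel designated to create teams.
AUTHORIZED_TEAM_CREATORS = {"alice-admin", "carol-admin"}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unauthorized_team_creations(events, authorized):
    """Return team.create events whose actor is not in the authorized set.

    A missing actor field is treated as unauthorized so it is never silently passed.
    """
    findings = []
    for event in events:
        if event.get("action") != "team.create":
            continue
        actor = event.get("actor")
        if actor not in authorized:
            # Audit log timestamps are epoch milliseconds; render as UTC ISO 8601.
            ts = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
            findings.append({"team": event.get("team"), "actor": actor, "timestamp": ts.isoformat()})
    return findings


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    for f in find_unauthorized_team_creations(events, AUTHORIZED_TEAM_CREATORS):
        print(f"UNAUTHORIZED team creation: {f['team']} by {f['actor']} at {f['timestamp']}")
```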
Remediation:
Configure role-based access controls (RBAC) to limit team creation rights. Communicate policies to users and provide request workflows for new teams. Regularly audit and review team structures and creation permissions.
References:
GitHub Organization Permissions: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles
GitLab Group Management: https://docs.gitlab.com/ee/user/group/permissions.html
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/