Skip to content

Commit cbac4a1

Browse files
docs: roles and responsibilities (#585)
* add roles and responsibilities * add platform engineer role * add sponsor role * add application developer * add security and compliance role * format changes * remove draft from page * Update docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/app_developers.md Co-authored-by: Dan Grøndahl <dan@kosli.com> * Update docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/_index.md Co-authored-by: Dan Grøndahl <dan@kosli.com> --------- Co-authored-by: Sofus Albertsen <sofusalbertsen@users.noreply.github.com>
1 parent cea4864 commit cbac4a1

7 files changed

Lines changed: 357 additions & 0 deletions

File tree

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
title: Implementation guide
3+
bookCollapseSection: true
4+
weight: 300
5+
---
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
title: "Phase 1: Initial Discovery"
3+
bookCollapseSection: true
4+
weight: 100
5+
---
Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
---
2+
title: "Roles and Responsibilities"
3+
bookCollapseSection: true
4+
weight: 100
5+
---
6+
7+
# Roles and Responsibilities
8+
9+
Kosli supports multiple stakeholders across engineering, security, and compliance. Successful adoption depends on clear ownership and collaboration across roles.
10+
This guide provides:
11+
12+
- A RACI matrix to define responsibilities per phase
13+
- Role-by-role expectations during rollout
14+
- Links to relevant documentation for each group
15+
16+
## 🔄 Phases of Implementation
17+
18+
1. **Discovery and Planning:** Understand what to track, who is involved, and which flows to start with.
19+
2. **Initial Setup and Pilot:** Configure Kosli for a single service or team. Validate the model and gather feedback.
20+
3. **Rollout and Scale:** Extend flows and policies across teams and services. Standardize and automate.
21+
4. **Governance and Optimization:** Measure success, refine policies, and prepare for audits with real data.
22+
23+
## 👥 Stakeholders
24+
1. [**Platform Engineers and DevOps**]({{< relref "platform_engineers" >}}): Leads technical implementation and pipeline integration
25+
2. [**Application Developer**]({{< relref "app_developers" >}}): Builds code and produces evidence automatically
26+
3. [**Security and Compliance**]({{< relref "security_compliance" >}}): Defines control objectives and verifies evidence
27+
4. [**Sponsors**]({{< relref "sponsors" >}}): Champions adoption, aligns on outcomes, and tracks impact
28+
29+
## 📊 RACI Matrix
30+
31+
The RACI model helps teams and stakeholders know who to talk to, who drives a decision, and who just needs visibility. It’s especially helpful when rolling out tools like Kosli across multiple teams with different priorities and domain focus.
32+
33+
| Task | Platform Engineer | Application Developer | Security & Compliance | Sponsor |
34+
|--------------------------------------|--------------------|-----------------------|-------------------------|---------|
35+
| Identify key flows and services | R | C | C | A |
36+
| Define success criteria and metrics | C | C | C | A |
37+
| Select pilot team/service | R | C | C | A |
38+
| Set up Kosli CLI and pipelines | A | I | C | C |
39+
| Define attestation types | R | C | A | C |
40+
| Configure environment snapshots | A | I | C | C |
41+
| Set up environment policies | R | I | A | C |
42+
| Validate compliance controls | R | C | A | C |
43+
| Export and review audit packages | C | I | A | C |
44+
| Roll out to additional teams | R | C | C | A |
45+
| Track measures of success | R | C | C | A |
46+
47+
- **A - Accountable**
48+
49+
The owner of the outcome. This is the person who ensures the task is completed successfully, even if others do the work. There should only be one "A" per task.
50+
51+
- **R - Responsible**
52+
53+
The doer. This person (or team) performs the work. They are hands-on with the implementation and execution of the task.
54+
55+
- **C - Consulted**
56+
57+
Someone who provides input, guidance, or subject matter expertise. This is a two-way communication role. Their feedback is important for shaping the work.
58+
59+
- **I - Informed**
60+
61+
Kept in the loop. This person doesn't need to be consulted during the task but should be notified of progress or outcomes. It’s a one-way communication role.
62+
63+
## Subpages
Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
---
2+
title: "Application Developers"
3+
bookCollapseSection: false
4+
weight: 300
5+
summary: "How Application Developers can use Kosli to build secure, compliant software delivery pipelines."
6+
---
7+
8+
# Application Developers
9+
10+
You build and maintain services, applications, or APIs that deliver customer or business value. You write code, push changes, and expect your work to move safely from commit to production.
11+
12+
You care about quality, security, and release velocity, but you do not want to be slowed down by compliance overhead.
13+
14+
15+
# How Kosli helps you
16+
17+
Kosli captures the evidence that your changes have passed the right controls, like tests, code reviews, security scans, and approvals, so you can deploy with confidence and stay focused on building.
18+
19+
With Kosli, you can:
20+
- Ship code without worrying about compliance gates or approval tickets
21+
- Get clarity on why something cannot deploy, and what needs to happen
22+
- Use existing CI workflows without learning new tools
23+
- Trace what changed, where it went, and whether it passed all required controls
24+
25+
## Your role in using Kosli
26+
27+
As an application developer, you are a contributor to the system of record that Kosli observes. You may:
28+
- Write code that passes through a Flow defined by your platform team
29+
- Produce build artifacts and test results that Kosli records as evidence
30+
- Trigger attestations through CI jobs (e.g., when tests run or scans complete)
31+
- Occasionally check compliance status in the UI or via pull request checks
32+
33+
You are usually not responsible for setting up Kosli. It runs quietly underneath your normal delivery workflows.
34+
35+
36+
## What you’ll Work with
37+
38+
You typically interact with Kosli through:
39+
- **Your CI/CD pipeline**, which calls Kosli CLI under the hood
40+
- **Pull requests or merge gates**, where Kosli may block or allow merges based on compliance
41+
- **The Kosli UI**, to check deployment or compliance status if needed
42+
- **Your platform team's guidance**, for understanding what evidence is expected
43+
44+
You do not need to memorize Kosli commands or manage configurations. Most of it is abstracted away by your Platform team
45+
46+
## What success looks like
47+
48+
- You write and commit code as usual, and your changes flow smoothly through CI and into production
49+
- You do not need to fill out compliance tickets or wait for manual approvals
50+
- If something is blocked, Kosli tells you what evidence is missing and how to resolve it
51+
- You gain confidence that your work is secure and production-ready without extra effort
52+
53+
54+
## Common questions you might have
55+
56+
**"Why did Kosli mark my build or deployment non-compliant?"**<br>
57+
Most likely a required check did not run, failed, or was not reported to Kosli. Your pipeline or platform team can help you identify what is missing.
58+
59+
**"Do I need to learn another CLI or tool?"**<br>
60+
No. Kosli is used behind the scenes by your platform team. You may see its results in PR checks or dashboards, but you do not need to run it manually.
61+
62+
**"How do I know if my change was successfully deployed?"**<br>
63+
You can use the Kosli UI to trace a git commit, artifact, or deployment. Kosli shows where it is running and what evidence was attached.
64+
65+
**"Can I use Kosli in debugging or incident response?"**<br>
66+
Yes. Kosli helps you trace what changed and when across environments. You can see exactly what was deployed and what passed or failed.
67+
68+
## Where to start
69+
- [**Getting Started**]({{< ref "/getting_started" >}}): Follow this if you're curious about how Kosli works behind the scenes
70+
- [**Querying Kosli**]({{< ref "/tutorials/querying_kosli/" >}}): Learn how to search for artifacts or changes
71+
- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand what Kosli tracks and why
Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
---
2+
title: "Platform Engineers"
3+
bookCollapseSection: false
4+
weight: 200
5+
summary: "How Platform Engineers and DevOps teams can use Kosli to build secure, compliant software delivery pipelines."
6+
---
7+
8+
## Platform and DevOps Engineers
9+
10+
You build the internal tooling, workflows, and golden paths that help developers ship software reliably and securely. You care about scaling delivery without scaling your team.
11+
12+
If you’re supporting CI/CD pipelines, infrastructure, or compliance enablement across multiple services or teams, this page is for you.
13+
14+
## How Kosli helps you
15+
16+
Kosli gives you a single, unified way to track everything that moves through your delivery pipelines: code, artifacts, tests, approvals, deployments and prove it’s been done safely and correctly.
17+
18+
With Kosli, you can:
19+
- Automate compliance and eliminate manual change approval processes.
20+
- Capture tamper-proof evidence across your SDLC (without slowing down delivery).
21+
- Monitor all runtime environments and deployments across teams.
22+
- Offer developers secure paved paths that embed governance from the start.
23+
24+
25+
## Your role in using Kosli
26+
27+
As a platform engineer, you're typically responsible for:
28+
- Setting up Kosli in CI/CD and infrastructure environments.
29+
- Creating and maintaining **Flows**, which model how changes move through pipelines.
30+
- Defining and triggering **Trails** to capture each run of those pipelines.
31+
- Configuring **Attestations** for tests, scans, and internal checks (e.g., Jira, Snyk).
32+
- Capturing **Environment Snapshots** and enforcing **Policies** to govern deployments.
33+
- Building reusable Kosli integrations (e.g., GitHub Actions, GitLab CI templates) so your dev teams don’t have to think about it.
34+
35+
You’ll often be the first person to integrate Kosli into your platform and roll it out to the rest of the org.
36+
37+
## What you’ll work with
38+
39+
You’ll primarily interact with:
40+
- **Kosli CLI:** integrated into your CI/CD pipelines and scripts.
41+
- **Flows** and **Trails:** to represent and track software delivery runs.
42+
- **Artifacts** and **Attestations:** to connect builds and compliance evidence.
43+
- **Environment Snapshots** & **Policies:** to enforce governance in prod and staging.
44+
- **Kosli UI:** to review deployment status, compliance views, and audits.
45+
46+
If you're running Kubernetes, Terraform, or other infrastructure tools, Kosli also integrates easily to monitor state and changes.
47+
48+
## What success looks like
49+
50+
When Kosli is successfully adopted by platform engineering, you’ll see:
51+
52+
- Your pipelines continuously produce verifiable, compliant deployments.
53+
- You eliminate the need for spreadsheet-driven approvals and CAB meetings.
54+
- Developers onboard Kosli passively via the platform, they rarely have to learn it directly.
55+
- Security and compliance teams get everything they need with minimal friction.
56+
- Audits are a non-event: you already have the evidence.
57+
58+
## Common questions you might have
59+
60+
**“Do I need to change our pipelines to use Kosli?”**<br>
61+
No major changes. Kosli integrates via CLI commands you can drop into any pipeline.
62+
63+
**“Can I templatize this across many teams?”**<br>
64+
Yes. Use flow templates and reusable CI snippets to roll out a consistent setup.
65+
66+
**“Does Kosli work with our existing tools?”**<br>
67+
Almost certainly. Kosli is tool-agnostic and supports GitHub Actions, GitLab, Jenkins, Kubernetes, Terraform, and more.
68+
69+
**“How do I know it’s working?”**<br>
70+
Kosli automatically gives you compliance status per environment and per change. You can inspect Trails, download audit packages, and integrate with Slack or through Webhooks for alerts.
71+
72+
## Where to start
73+
74+
- [**Getting Started Guide**]({{< ref "/getting_started" >}}): For a complete technical setup walkthrough.
75+
- [**CLI Reference**]({{< ref "/client_reference" >}}): Full list of commands.
76+
- [**Concepts Overview**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.
Lines changed: 70 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,70 @@
1+
---
2+
title: "Security and Compliance"
3+
bookCollapseSection: false
4+
weight: 400
5+
summary: "How Security and Compliance teams can use Kosli to define control objectives and verify evidence."
6+
---
7+
8+
# Security and Compliance
9+
10+
You are responsible for ensuring that software delivery meets regulatory, security, or internal governance requirements. You translate frameworks like SOC 2, ISO 27001, or custom internal controls into practical expectations for teams.
11+
12+
You may work in AppSec, GRC, risk management, or a compliance function. You care about provable controls, trustworthy evidence, and making audits repeatable and painless.
13+
14+
## How Kosli helps you
15+
16+
Kosli creates a continuous, tamper-proof record of how software changes move through your organization. It captures real evidence for controls like peer review, test coverage, security scanning, and approval steps, all without relying on spreadsheets or screenshots.
17+
18+
With Kosli, you can:
19+
- Automatically collect and store control evidence for every change
20+
- Get instant visibility into which changes are compliant and which are not
21+
- Replace change request tickets with actual audit-ready data
22+
- Export audit packages in seconds for any service, environment, or release
23+
24+
25+
## Your role in using Kosli
26+
27+
You help define what counts as compliant. Kosli helps you enforce that through policy and automation. Your responsibilities may include:
28+
29+
- Working with platform teams to translate controls into **Attestations** and **Policies**
30+
- Reviewing **Environment** or **Trail** compliance reports
31+
- Verifying that changes meet requirements for deployment to sensitive environments
32+
- Preparing for or responding to internal and external audits using Kosli data
33+
34+
You may not configure pipelines directly, but you rely on Kosli’s outputs to validate that controls are working.
35+
36+
## What you’ll work with
37+
38+
You interact with Kosli through:
39+
40+
- **The Kosli UI**, where you can see compliance status per environment, service, or release
41+
- **Audit Packages**, which you can export to support internal reviews or formal audits
42+
- **Attestation** and **Policy** definitions, often managed in collaboration with platform or security engineering teams
43+
- **Environment Snapshots**, which show what is running and why it is or is not compliant
44+
45+
You may also use the **CLI** or **API** if you need detailed reports or integrations.
46+
47+
## What success looks like
48+
49+
- You can prove to auditors or regulators that your SDLC is secure and compliant
50+
- Controls are codified and enforced consistently across all delivery pipelines
51+
- You no longer chase teams for screenshots or spreadsheets during audits
52+
- You have full traceability from change request to deployed artifact with supporting evidence
53+
54+
## Common questions you might have
55+
56+
**"How do I know a change is compliant?"**<br>
57+
Kosli validates Trails and Environments based on policies and recorded attestations. You can view compliant and non-compliant changes in the UI or export audit reports.
58+
59+
**"Can we map Kosli data to our compliance framework?"**<br>
60+
Yes. Attestations can represent any type of control evidence, such as test results, PR approvals, vulnerability scans, or change reviews.
61+
62+
**"How secure is the evidence?"**<br>
63+
Kosli stores all records immutably and securely. Attestations can include signed metadata and attachments, stored in a tamper-evident Evidence Vault.
64+
65+
**"How do I use Kosli in an audit?"**<br>
66+
You can export a complete Audit Package for any Trail, Artifact, or Environment. This includes all recorded evidence and metadata for traceable, reviewable compliance.
67+
68+
## Where to start
69+
70+
- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.
Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,67 @@
1+
---
2+
title: "Sponsors"
3+
bookCollapseSection: false
4+
weight: 500
5+
summary: "How Sponsors can use Kosli to ensure secure, compliant software delivery across their organization."
6+
---
7+
8+
# Sponsors
9+
10+
You’re responsible for making sure your organization delivers software quickly, safely, and in a way that satisfies regulatory, customer, or internal compliance expectations.
11+
12+
You might lead an engineering org, oversee platform strategy, or be responsible for DevSecOps or governance transformation. You care about reducing lead time without sacrificing control or trust.
13+
14+
## How Kosli helps you
15+
16+
Kosli gives your teams the ability to automate governance across the entire software delivery lifecycle (SDLC). It makes it easy to verify that changes have passed the right checks and policies without slowing down releases.
17+
18+
With Kosli, you can:
19+
20+
- Replace manual approvals and change control boards with real-time, automated evidence
21+
- Give your platform and product teams compliant workflows by default
22+
- Get instant answers to “what changed, where, and why” across all environments
23+
- Demonstrate governance and audit readiness without adding burden to developers
24+
25+
## Your role in using Kosli
26+
As a sponsor, you are the enabler. You set the strategic direction and ensure the right people are equipped to succeed. Your key responsibilities include:
27+
28+
- Aligning Kosli adoption with organizational goals around speed, safety, and compliance
29+
- Supporting platform teams in rolling out Kosli at scale
30+
- Communicating the value of automated governance across the organization
31+
- Using Kosli dashboards or reports to track adoption, policy health, and delivery confidence
32+
33+
## What you’ll work with
34+
35+
You won’t typically use the CLI. Instead, your interaction with Kosli will focus on:
36+
37+
- The Kosli UI to view environment compliance, trail status, and audit readiness
38+
- Dashboards to understand where controls are working or missing
39+
- Audit Packages and Evidence Vault exports to support reporting or audits
40+
- Occasional reference to Kosli’s terminology or data model when aligning internal processes
41+
42+
## What success looks like
43+
44+
- You have visibility into delivery health and compliance posture across the org
45+
- Product and platform teams operate with fewer manual gates or surprises
46+
- You can demonstrate governance to stakeholders without relying on ad hoc processes
47+
- Audits are predictable and repeatable
48+
- Kosli becomes a quiet enabler. Developers deliver, compliance is provable, and your platform team scales without friction
49+
50+
## Common questions you might have
51+
52+
**“Can we remove manual approvals without increasing risk?”**<br>
53+
Yes. Kosli replaces them with clear, automated evidence. Every change has a traceable chain of custody.
54+
55+
**“Does this help us with [SOC 2 / ISO / internal controls]?”**<br>
56+
Yes. Kosli maps technical events to audit-friendly records, with downloadable audit packages and policy enforcement.
57+
58+
**“Will this add overhead for my teams?”**<br>
59+
No. Platform engineers handle setup and integration. Developers rarely need to interact with Kosli directly.
60+
61+
**“How can I measure success?”**<br>
62+
You’ll see reduced lead times, fewer compliance exceptions, and improved audit efficiency. Kosli makes this visible through environment compliance views and evidence tracking.
63+
64+
## Where to Start
65+
- [**What is Kosli?**]({{< ref "/understand_kosli/what_is_kosli/">}}): Understand the value and core ideas
66+
- [**Implementing Kosli**]({{< ref "/implementation_guide">}}): A rollout guide aligned to business and technical outcomes
67+
- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.

0 commit comments

Comments
 (0)