-
Notifications
You must be signed in to change notification settings - Fork 2
Requirements & Opportunities
As a digital product development team, I want to consume the authorization context (lists of groups, roles) for an authenticated IDIR or BCeID user directly from the JWT provided by the OIDC service.
- Roles should be scoped appropriately. I don't need all the roles for this user across the entire org, nor do I want role assignments for my product exposed to other products (and potentially reused/misused).
- By validating the JWT, I will know that these roles come from the OIDC service and have not been maliciously injected by a user or another actor.
As a FAM administrator, I want to be able to create a new application so that I can assign an application administrator and that person can use the authorization capabilities of FAM to secure their application.
As an application administrator, I want to be able to create, update, and delete roles and groups for the application. I want to be able to manage which roles belong to which groups. I want to record and maintain the purpose of each role and group so that I can make sure that they are used correctly.
- Variation: Create a role or group that can only be assigned in the context of a specific forest client.
- Variation: Create a group that can include roles or groups from multiple applications.
As an authorization grantor, I want to be able to assign an application role or application group to an end user so that the end user can make use of the application functionality afforded by assignment to the applied role or group.
- Variation: I want to grant a role or group assignment temporarily (define a start time and end time).
- Variation: If I do not know their system identifier within IDIR or BCeID, I may also want to look them up in that system by name.
- Variation: Grant a role or group assignment that is limited to the context of a specific forest client.
- Variation: Grant a group assignment that includes roles or groups for multiple applications.
As an authorization grantor, I want to be able to disable a role or group assignment so that I can remove access from a user temporarily without having to delete their authorization configuration and then set it up again later. I want to re-enable the role or group assignment at a later time to restore their access afforded by that role or group.
- Variation: I want to disable or enable a role or group assignment temporarily (define a start time and end time).
- Variation: I want to disable or enable a set of role or group assignments that meet a certain set of criteria.
- Variation: I want to disable a group assignment that includes roles or groups for multiple applications.
As a FAM administrator, I want to be able to disable all authorization for a user so that I can remove all privileges from a user temporarily without having to delete their authorization configuration and then set it up again later. I want to re-enable the user's authorizations at a later time to restore their access afforded by their existing role and group assignments.
- Variation: I want to disable or enable a user temporarily (define a start time and end time).
As a FAM administrator, I want to be able to add a user to FAM without having to ask them to log into something first. I want to be able to look them up by IDIR or BCeID identifier, confirm that they are not already in the system, and have them added to the system so that they can be assigned roles and groups by authorization grantors.
- Variation: If I do not know their system identifier within IDIR or BCeID, I may also want to look them up in that system by name or by username.
As a FAM administrator, I want to be able to delete a user from FAM.
As a FAM administrator, I want to be able to grant or revoke the ability for a logged-on user to create, update, or delete roles and groups for an application, so that I can ensure that each application has its own application administrator(s) who assume responsibility for maintaining the roles and groups. Individuals without this privilege for a particular application should not be able to use FAM to make changes to the roles or groups for the application.
As an application administrator, I want to be able to specify who can act as an authorization grantor to grant or revoke application roles and application groups to users, so that I can ensure that the application has its own authorization grantor(s) who assume responsibility for maintaining user assignment to application roles and application groups. Individuals without this privilege for a particular application should not be able to use FAM to add or remove users to roles or groups for the application.
- Variation: Specify authorization grantors that can act as an authorization grantor to grant or revoke specific application roles and application groups to users.
- Variation: Specify authorization grantors that can act as an authorization grantor to grant or revoke specific application roles and application groups to users, but only in the context of a specific forest client.
As a security analyst, I want to be able to review the history of authorization changes within FAM. I need to know the following information: the time of the change, the person who made the change, the organization for whom the change was made, the purpose for the change
As an access manager or operations specialist, I want to be able to search for a user in the system by ID, name, or email.
As an access manager or operations specialist, I want to be able to see a list of roles and groups that have been assigned to a specific user and understand what each of them is for.
- Variation: A user wants to see their own access profile.
- Variation: View privileges for a list of users
- Variation: I want to be able to export role and group assignments to excel so I can do data analysis.
As an access manager or operations specialist, I want to see a list of users that have a certain set of authorization roles or groups assigned so that I can understand the list of people that have certain privileges in an application.
- Variation: I want to be able to export role and group assignments to excel so I can do data analysis.
As a DevOps practitioner, I want to be able to automate certain authorization configuration tasks so that I can have them completed in a timely and reliable fashion based on certain triggers in my application or CI/CD pipeline.
- Environment Management
- Release Management
- Creating a Release
- Database Backups and Restores
- OIDC Client Testing
- FAM Onboarding Ops Guide
- Setup AWS CloudWatch
- Setup AWS EC2 instance to connect to RDS Postgres Database
- Technical Troubleshooting
- Managing Terraform State
- Enable Cloudwatch Logs for API Gateway
- Update AWS CloudFront Certificate
- Verify IDIM BCeID Client SOAP Web Service