Requirements & Opportunities

Conrad Boyd Elliott Gustafson edited this page May 5, 2022 · 5 revisions

Security Requirements

Include Appropriate Authorization Context as part of Authentication

As a digital product development team, I want to consume the authorization context (lists of groups, roles) for an authenticated IDIR or BCeID user directly from the JWT provided by the OIDC service.

  • Roles should be scoped appropriately. I don't need all the roles for this user across the entire org, nor do I want role assignments for my product exposed to other products (and potentially reused/misused).
  • By validating the JWT, I will know that these roles come from the OIDC service and have not been maliciously injected by a user or another actor.

Access Management Requirements

Manage Applications

As a FAM administrator, I want to be able to create a new application so that I can assign an application administrator and that person can use the authorization capabilities of FAM to secure their application.

Manage application roles and groups

As an application administrator, I want to be able to create, update, and delete roles and groups for the application. I want to be able to manage which roles belong to which groups. I want to record and maintain the purpose of each role and group so that I can make sure that they are used correctly.

  • Variation: Create a role or group that can only be assigned in the context of a specific forest client.
  • Variation: Create a group that can include roles or groups from multiple applications.

Grant or remove a role or group assignment

As an authorization grantor, I want to be able to assign an application role or application group to an end user so that the end user can make use of the application functionality afforded by assignment to the applied role or group.

  • Variation: I want to grant a role or group assignment temporarily (define a start time and end time).
  • Variation: If I do not know their system identifier within IDIR or BCeID, I may also want to look them up in that system by name.
  • Variation: Grant a role or group assignment that is limited to the context of a specific forest client.
  • Variation: Grant a group assignment that includes roles or groups for multiple applications.

Disable or enable a role or group assignment

As an authorization grantor, I want to be able to disable a role or group assignment so that I can remove access from a user temporarily without having to delete their authorization configuration and then set it up again later. I want to re-enable the role or group assignment at a later time to restore their access afforded by that role or group.

  • Variation: I want to disable or enable a role or group assignment temporarily (define a start time and end time).
  • Variation: I want to disable or enable a set of role or group assignments that meet a certain set of criteria.
  • Variation: I want to disable a group assignment that includes roles or groups for multiple applications.

Disable or enable a user

As a FAM administrator, I want to be able to disable all authorization for a user so that I can remove all privileges from a user temporarily without having to delete their authorization configuration and then set it up again later. I want to re-enable the user's authorizations at a later time to restore their access afforded by their existing role and group assignments.

  • Variation: I want to disable or enable a user temporarily (define a start time and end time).

Add user

As a FAM administrator, I want to be able to add a user to FAM without having to ask them to log into something first. I want to be able to look them up by IDIR or BCeID identifier, confirm that they are not already in the system, and have them added to the system so that they can be assigned roles and groups by authorization grantors.

  • Variation: If I do not know their system identifier within IDIR or BCeID, I may also want to look them up in that system by name or by username.

Remove user

As a FAM administrator, I want to be able to delete a user from FAM.

Delegation of Authority Requirements

Manage the individuals that can define roles and groups for an application

As a FAM administrator, I want to be able to grant or revoke the ability for a logged-on user to create, update, or delete roles and groups for an application, so that I can ensure that each application has its own application administrator(s) who assume responsibility for maintaining the roles and groups. Individuals without this privilege for a particular application should not be able to use FAM to make changes to the roles or groups for the application.

Manage the authorization grantors that can grant the roles and groups for an application

As an application administrator, I want to be able to specify who can act as an authorization grantor to grant or revoke application roles and application groups to users, so that I can ensure that the application has its own authorization grantor(s) who assume responsibility for maintaining user assignment to application roles and application groups. Individuals without this privilege for a particular application should not be able to use FAM to add or remove users to roles or groups for the application.

  • Variation: Specify authorization grantors that can grant or revoke only specific application roles and application groups to users.
  • Variation: Specify authorization grantors that can grant or revoke only specific application roles and application groups to users, and only in the context of a specific forest client.

Auditability Requirements

Audit authorization changes

As a security analyst, I want to be able to review the history of authorization changes within FAM. I need to know the following information: the time of the change, the person who made the change, the organization for whom the change was made, and the purpose of the change.

  • Variation: I want to be able to export role and group assignments to Excel so I can do data analysis.

Search Requirements

Search for a user

As an access manager or operations specialist, I want to be able to search for a user in the system by ID, name, or email.

View list of privileges for a user

As an access manager or operations specialist, I want to be able to see a list of roles and groups that have been assigned to a specific user and understand what each of them is for.

  • Variation: A user wants to see their own access profile.

View list of users based on a list of criteria

As an access manager or operations specialist, I want to see a list of users that have a certain set of authorization roles or groups assigned so that I can understand the list of people that have certain privileges in an application.

DevOps Requirements

Automate authorization configuration maintenance

As a DevOps practitioner, I want to be able to automate certain authorization configuration tasks so that I can have them completed in a timely and reliable fashion based on certain triggers in my application or CI/CD pipeline.