
🏗️ Finalise QuickSight Identity Approach and Architecture #3703

Closed
6 tasks done
Tracked by #2955
julialawrence opened this issue Mar 13, 2024 · 8 comments
julialawrence commented Mar 13, 2024

User Story

If we want to deploy QuickSight we need to develop a full architectural diagram of the system as well as the identity approach and implementation.

Useful Contacts

AP Team, Rich B, Julia Lawrence

User Types

AP Operators

Hypothesis

The creation and recording of our identity decisions and architectural diagrams will remove uncertainty about the deliverable and allow smooth delivery of MVP scope

Proposal

Two hour-long meetings, the first focusing on identity and the second on broader architecture, answering questions and recording the answers, including:

Questions that need answering/recording

Recording:

  • QuickSight to be built out in Analytical Platform Compute Accounts
  • Authentication with AP UI + QuickSight will require a justice identity
  • Data stays where it is

Deciding:

  • Which identity option to select when creating the QS deployment that allows:
    • Using AAD directly or via Auth0 or Identity Center
    • Anonymous publishing/embedding
    • Joining of non-justice readers
    • Anonymous sharing

Additional Information

We need an architectural diagram and user identity interactions mapped out

Definition of Done

  • Meeting 1 scheduled and held
  • Meeting 2 scheduled and held
  • Identity approach agreed and documented
  • Architectural design agreed and documented
  • Follow-on stories raised
  • MVP scope adjusted if needed.
@julialawrence julialawrence moved this to 👀 TODO in Analytical Platform Mar 13, 2024
@julialawrence julialawrence added the data-platform-apps-and-tools (This issue is owned by Data Platform Apps and Tools) and 💄 Visualisation MI/BI (Epic #2955) labels Mar 13, 2024
@BrianEllwood BrianEllwood self-assigned this Mar 15, 2024
@BrianEllwood BrianEllwood moved this from 👀 TODO to 🚀 In Progress in Analytical Platform Mar 15, 2024
BrianEllwood commented:

Invite for meeting 1 sent for 13:30 - 14:30 on 25/3/24, the first available date for the main participants.

BrianEllwood commented:

New date as proposed by Julia sent out

@julialawrence julialawrence self-assigned this Mar 20, 2024
julialawrence commented:

Meeting held. Output diagram for Identity and MVP scope here:
https://mojdt.slack.com/archives/C04M8224WCV/p1710946598293109?thread_ts=1710944355.478139&cid=C04M8224WCV

julialawrence commented Mar 20, 2024

Key outcomes from identity meeting:

  1. Rather than enabling a hybrid authentication approach, after a period of collecting users' justice identity information, and mapping it against their access levels, Control Panel will switch over to EntraID-based authentication.
  2. Once the switchover is complete, their justice rather than their github federated identity will be used for access to QuickSight and other AWS services.
  3. EntraID will be used directly for authentication with Control Panel, AP UI and QuickSight rather than proxied via Auth0
  4. QuickSight will be enabled with the Federated, IAM and internal user identity option for access management to allow accommodation of more potential user journeys.

michaeljcollinsuk commented:

@julialawrence re: moving to use EntraID for authentication to the Control Panel (removing auth0) - currently we have some Auth0 rules defined that apply each time someone tries to log in. For control panel access, I think the important one is the check that they are in the moj-analytical-services github org group. If we move to using Entra ID, will we want to keep this restriction in place, or not? If we do, we will need to figure out a new way to check this.

julialawrence commented:

> @julialawrence re: moving to use EntraID for authentication to the Control Panel (removing auth0) - currently we have some Auth0 rules defined that apply each time someone tries to log in. For control panel access, I think the important one is the check that they are in the moj-analytical-services github org group. If we move to using Entra ID, will we want to keep this restriction in place, or not? If we do, we will need to figure out a new way to check this.

We'd want to maintain this if there are some people with a justice identity who shouldn't be allowed to join AP. We can replicate this by checking if users are in a specific group. If we don't perform this check with GH, anyone with a GH account can join, which is not good, I assume. I assume this isn't an issue with justice identity.
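One concrete shape for the group check discussed in the two comments above, as an added example that is not Control Panel code and not from anyone in this thread. It applies an allow-list policy over the claims of an Entra ID token: the `groups` claim (which has to be enabled on the app registration) must contain the object ID of the AP users group, the `tid` claim must match the expected tenant, and the Entra ID "groups overage" case (where `groups` is omitted and `_claim_names`/`_claim_sources` point at Microsoft Graph instead) fails closed. The tenant ID, group ID and sample claims are made up; the function assumes the signature, issuer, audience and expiry of the token were already verified by the OIDC library in use.

```python
"""Group-membership gate for Entra ID logins (added example, not Control Panel code).

Stands in for the Auth0 rule that checked membership of the moj-analytical-services
GitHub org: after the switch to Entra ID, a login is allowed only if the token's
`groups` claim contains the AP users group.

Assumption: `claims` is the payload of a token whose signature, issuer, audience
and expiry have already been verified; this function only adds the policy layer.
"""
from dataclasses import dataclass

# Hypothetical configuration values (placeholders, not real IDs).
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"
ALLOWED_GROUP = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # AP users group object ID


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_ap_membership(claims: dict, allowed_group: str = ALLOWED_GROUP,
                        tenant: str = EXPECTED_TENANT) -> Decision:
    """Return whether a verified Entra ID token holder may use the Control Panel."""
    # Even with a valid signature, a multi-tenant app registration accepts tokens
    # minted for other tenants; pin the tenant explicitly.
    if claims.get("tid") != tenant:
        return Decision(False, "token issued for a different tenant")

    groups = claims.get("groups")
    if groups is None:
        # Entra ID drops `groups` when the user is in too many groups and emits
        # _claim_names/_claim_sources pointing at Graph instead. An absent claim
        # is not "no groups": fail closed and require a Graph lookup first.
        if "groups" in claims.get("_claim_names", {}):
            return Decision(False, "groups overage: resolve membership via Graph before allowing")
        return Decision(False, "no groups claim in token (group claims not enabled?)")

    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return Decision(False, "malformed groups claim")

    if allowed_group in groups:
        return Decision(True, "member of AP users group")
    # Authenticated by the tenant but not entitled: the case the old GitHub org
    # check guarded against.
    return Decision(False, "authenticated but not in AP users group")


# Constructed sample claim sets (not captured from any real tenant).
MEMBER_CLAIMS = {
    "tid": EXPECTED_TENANT,
    "oid": "99999999-0000-0000-0000-000000000001",
    "groups": ["ffffffff-0000-0000-0000-000000000000", ALLOWED_GROUP],
}
NON_MEMBER_CLAIMS = {
    "tid": EXPECTED_TENANT,
    "oid": "99999999-0000-0000-0000-000000000002",
    "groups": ["ffffffff-0000-0000-0000-000000000000"],
}
WRONG_TENANT_CLAIMS = {
    "tid": "66666666-7777-8888-9999-000000000000",
    "groups": [ALLOWED_GROUP],
}
OVERAGE_CLAIMS = {
    "tid": EXPECTED_TENANT,
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/x/getMemberObjects"}},
}


def demo() -> dict:
    """Run the gate over the constructed samples; returns name -> allowed."""
    samples = {
        "member": MEMBER_CLAIMS,
        "non_member": NON_MEMBER_CLAIMS,
        "wrong_tenant": WRONG_TENANT_CLAIMS,
        "overage": OVERAGE_CLAIMS,
    }
    results = {}
    for name, claims in samples.items():
        decision = check_ap_membership(claims)
        print(f"{name:13s} allowed={decision.allowed!s:5s} {decision.reason}")
        results[name] = decision.allowed
    return results


if __name__ == "__main__":
    demo()
```

The overage branch matters because a naive `if group in claims.get("groups", [])` silently denies every heavily-grouped user, and the inverse mistake (treating a missing claim as "trust the IdP") reopens exactly the gap the GitHub org check was closing: anyone the tenant can authenticate would be able to join.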

@julialawrence julialawrence moved this from 🚀 In Progress to 🛂 In Review in Analytical Platform Mar 28, 2024
julialawrence commented:
#3878
#3879
#3880
#3881

4 participants