...

This is described in specific detail in Admin User Management (roles and permissions) and summarised and repeated below:

...

  • can view/edit People limited to Trainees and Trainers 'related' to their Trust - (Trainee → All Placements → Sites → Trusts)
  • can view/edit the People L3 tabs containing Personal Details, Placements and Programme Memberships, Sensitive Data (the 4 actual Sensitive Data fields are hidden)
  • cannot view/edit the People L3 tabs containing Qualifications or Assessments
  • can view only / not edit Posts, limited to posts 'related' to their Trust (Post → Site → Trust)
  • can view only / not edit all Programmes.
  • For clarity, HEE Trust Admins will NOT have access to the TIS Admin section

...

  • , Revalidation & Concerns

...

  • For clarity, as the Trainee 'related' to their Trust includes 'All' Placements, historical and future, the HEE Trust Admin will see Trainees across a range of Local Offices.

Solution Design

The design includes some basic elements:

  1. Allocating all Trust administrators to a new role in Keycloak - one role for all Trust admins
  2. Linking a Trust Admin to their Trust - initially only one Trust. Implementing authorisation following the existing (flawed) model as a tactical solution
  3. Limiting access to TIS at the top menu level - Trust Admins will only have visibility and access to People, Post and Post Programmes L1 menu items (not Programmes, Assessments, Admin)
  4. Limiting access to Sensitive data fields within the Sensitive data L2 menu in People - Trust Admins won't see the four sensitive data fields in People records
  5. Limiting access to TIS data within People and Post - the List and CRUD for both People and Posts will only show People/Posts relating to the Trust(s) of the Trust Admin
  6. Read Only access to Programmes and Posts, Read/Write access to all data visible in all People L2 tabs
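
The data rules in items 4 to 6, together with the 'related' chains listed earlier, sketched as an added example (this is not TIS code). The sensitive field names are placeholders because the page does not name them; the Site-to-Trust map, the records and every function name are constructed for illustration, and `admin_trusts` is assumed to be the Trust(s) linked to a user holding the 'HEE Trust Admin' role.

```python
# Placeholder names: the page hides four Sensitive Data fields but does not name them.
SENSITIVE_FIELDS = frozenset({"sensitive_1", "sensitive_2", "sensitive_3", "sensitive_4"})
HIDDEN_TABS = frozenset({"qualifications", "assessments"})  # People L3 tabs not shown
READ_ONLY_KINDS = frozenset({"post", "programme"})          # item 6
SITE_TRUST = {"site-a": "trust-1", "site-b": "trust-2"}     # constructed Site -> Trust map

# Constructed records. The trainee has a past placement in trust-2 and a future one in trust-1.
TRAINEE = {"name": "Sample Trainee", "sensitive_1": "constructed",
           "qualifications": ["constructed"],
           "placements": [{"site": "site-b", "when": "past"},
                          {"site": "site-a", "when": "future"}]}
POST = {"number": "POST/1", "site": "site-b"}


def record_trusts(kind, record):
    """Trusts a record is 'related' to; unknown sites relate to nothing (deny by default)."""
    if kind == "person":   # Trainee -> all Placements -> Sites -> Trusts
        sites = [p["site"] for p in record.get("placements", [])]
    elif kind == "post":   # Post -> Site -> Trust
        sites = [record.get("site")]
    else:
        sites = []
    return {SITE_TRUST[s] for s in sites if s in SITE_TRUST}


def in_scope(admin_trusts, kind, record):
    if kind == "programme":            # all Programmes are viewable
        return True
    return bool(record_trusts(kind, record) & set(admin_trusts))


def read(admin_trusts, kind, record):
    """Return the Trust Admin's view of a record, or raise PermissionError."""
    if not in_scope(admin_trusts, kind, record):
        raise PermissionError(f"{kind} is not related to the admin's Trust")
    if kind == "person":               # strip fields server-side, not only in the UI
        return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS | HIDDEN_TABS}
    return dict(record)


def write(admin_trusts, kind, record, changes):
    """Apply changes to the stored record if the Trust Admin may make them."""
    if kind in READ_ONLY_KINDS or not in_scope(admin_trusts, kind, record):
        raise PermissionError(f"{kind} is read-only or out of scope")
    if set(changes) & (SENSITIVE_FIELDS | HIDDEN_TABS):
        raise PermissionError("change touches a hidden field")
    return {**record, **changes}       # hidden fields keep their stored values
```

Because every placement counts, the sample trainee is visible to admins of both trust-1 and trust-2, which is the cross-Local-Office visibility noted above.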


We will return to re-implementing authorisation once a new design has been established to provide appropriately secure roles and permissions.

...

We will create a new 'HEE Trust Admin' role in Keycloak, in parallel to the existing roles - Admin User Management (roles and permissions)

Linking a Trust admin to their Trust

...