Trust administrators need access to TIS data, but only to the data relating to their Trust - they should NOT have access to other TIS data
This is described in specific detail in Admin User Management and summarised below:
<draw into diagram>
The design includes some basic elements:
We will return to re-implementing authorisation once a new design has been established to provide appropriately secure roles and permissions.
We will create a new 'HEE Trust Admin' role in Keycloak, in parallel to the existing roles - Admin User Management
We will create a new table in the Profile service which will contain the relationship between the TIS Username and the Trust ID
(Simon suggested Trust Code as unique and known by users or retrieval from TIS easily - which whilst initially we script the additions would potentially make it easier. Think it should be TrustID for consistency - need to examine how we'll specify trust users for Phase 1)
Initially we will create the table and populate manually using scripts
Develop a Trust Admin page(s) within TIS Admin which: (Matt Leech (Unlicensed) to consider design here)
Develop a User creation page within TIS Admin:
In order that Trust Admin creation is a streamlined process, we might need to implement the User creation page within TIS Admin which pushes a new user and their Groups and Roles to Keycloak via the API whilst creating in parallel in the Profile service. (this removes the need for the Trust Admin to login a first time to populate the Profile service, before the TIS Admin can link them to a Trust which would make first time login an awkward 2 step process)
As a purely tactical solution ahead of re-designing a more secure implementation of Roles and Permissions, we will use the existing solution with the Profile service front end session code to write the Trust Admin role to the User cookie with the existing Roles and Permissions - no change should be required here.
Implement standard permission constraints in the Front End cfor 'HEE Trust Admin' to only People and Posts L1 menu items. This role should also NOT be able to see sensitive data.
Implement standard permission constraints in the Front End to limit 'HEE Trust Admin' role to not see the 4 Sensitive Data fields that are already hidden from standard HEE Admins
Trust ID can be established by navigating through a Person's Placements to its Post, to its Site, to its Trust. Because we expect this to be too slow to perform in real time, we're suggesting a PersonTrust table linking a PersonID to a TrustID - 1:many (1 Person can be in Many Trusts).
Use the PersonOwner table/solution as a model for this -
Note: each Person's can have multiple placements - each will generate a TrustID entry, so a person will have multiple Trusts
For all People endpoints - List and CRUD - when checking the logged in users authorisation against the profile service - if the user is a Trust Admin, retrieve their Trust ID (change to profile service and how its called?)
The People List endpoint would then apply an extra parameter on the select to further filter the returned People by joining to the PeopleTrust table on the TrustID
The people CRUD endpoints will validate that the person record being acted on is linked to the TrustID and accessible to the Trust Admin, if not return a permission error to the Front End
Initially we need to performance test retrieving a list of Posts with an extra TrustID element to the SQL query - navigating from each Post to its Site, then to its Trust
If this isn't performant enough in realtime we will need to explore denormalising the TrustID into the Posts table or a linked table
Similarly to People, we then need to obtain the Trust ID from the profile service during authorisation if the user is a Trust Admin
For the Post List we need to limit the results returned against any search or filter to those related to the Trust using the logic Post-Site-Trust
For the Post CRUD endpoints we need to deny the front end access to posts they don't have a link to.
Discussion