Admin User Management (roles and permissions)

Page Contents:

Description
Scope
User Journey
Related JIRA ticket links
For Discussion & Assumptions
Agreed Next Steps
Admin User Management - User Profile Creation
Admin User Management - Roles & Permissions
Admin User Management - Field Validation (PLACEHOLDER)
Admin User Management - User & Permissions Management Scenarios
Admin User - Password Management Scenarios DRAFT (WIP)
Admin User Management - Password Management Policy
Admin User Management - Exploring the User Management solution design | Keycloak and TIS Profile service for Managing Users
Admin User Management - Feedback

Description

Admin User Management encompasses creating accounts on TIS for new admins, roles management, admin authentication (login), password self management (password recovery) and leavers. It will include any advances in admin security such as two factor authentication.

Component: TIS-709

Linked to Admin UI

Scope

profile creation
manage users << as specified for Admin UI
user password reset << as specified for Admin UI

MVP

There are 9 roles available in TIS

HEE Trust Admin
- can view/edit trainees associated with their Trust in either a training or employment capacity
HEE Admin
- can view/create/edit/delete all components except Revalidation, Sensitive Data (within People) and Reference data
HEE Admin Sensitive
- can view/create/edit/delete all components except Revalidation and Reference data
HEE Admin Reval
- can view/create/edit/delete all components except Sensitive Data (within People) and Reference data
HEE TIS Admin
- can view/create/edit/delete everything
HEE Trust Observer
- can view trainees associated with their Trust in either a training or employment capacity
HEE Programme Observer
- can view trainees associated with their Programme
HEE Programme Admin
- can view/create/edit trainees associated with their Programme
HEE User Admin
- can view/create/edit/delete TIS users via the UM pages

Roles consist of the following:

(i) HEE Trust Admin

can view/edit People limited to Trainees and Trainers 'related' to their Trust - (Trainee → Placement - Post - Employing Body and/or Training body)
can view/edit the People L3 tabs containing Personal Details, Placements and Programme Memberships, Sensitive Data (the 4 actual Sensitive Data fields are hidden)
cannot view/edit the People L3 tabs containing Qualifications or Assessments
can view only / not edit Posts, limited to posts 'related' to their Trust (Post → Employing Body and/or Training body)
can view only / not edit all Programmes.
For clarity, HEE Trust Admins will NOT have access to the TIS Admin section, Revalidation & Concerns
For clarity, as the Trainee/trainer 'related' to their Trust includes 'All' Placements, historical, current and future. The HEE Trust Admin will therefore see Trainees across a range of Local Offices.

Users with this role would have specified permissions as above

(ii) HEE Admin

can view/create/edit/delete the following components (People, Posts, Programmes, Placements, Assessments)
can view/delete Form Rs
cannot view/create/edit/delete Sensitive Data fields in the Sensitive Data L3 (in People)
cannot view/create/edit/delete Admin L1
cannot view/create/edit/delete Concerns, Revalidation and Manage Connections

(iii) HEE Admin Sensitive

can view/create/edit/delete the following components (People, Posts, Programmes, Placements, Assessments)
can view/create/edit/delete Sensitive Data L3 (in person data fields in the Sensitive Data L3)
can view/delete Form Rs
cannot view/create/edit/delete Admin L1
cannot view/create/edit/delete Concerns, manage connections and Revalidation

(iv) HEE Admin Reval

can view/create/edit/delete all components (People, Posts, Programmes, Placements, Assessments)
can view/delete Form Rs
cannot view/create/edit/delete Sensitive Data fields in the Sensitive Data L3 (in person data)
cannot view/create/edit/delete Admin L1
can view/create/edit/delete Concerns, manage connections and Revalidation

(v) HEE TIS Admin

can view/create/edit/delete everything

Users with this role would have permissions of HEE Admin + HEE Revalidation + HEE Admin Sensitive + Reference Data

(vi) HEE Trust Observer

can view People 'related' to their Trust - (Trainee → Placement - Post - Employing Body and/or Training body)
can view the People L3 tabs containing Personal Details, Placements and Programme Memberships, Sensitive Data (the 4 actual Sensitive Data fields are hidden)
cannot view/edit the People L3 tabs containing Qualifications or Assessments
can view Posts, limited to posts 'related' to their Trust (Post → Employing Body and/or Training body)
can view only (not edit) all Programmes.
For clarity, HEE Trust Users will NOT have access to the TIS Admin section (Reference data), Revalidation, Manage Connections & Concerns
For clarity, as the Trainee/trainer 'related' to their Trust includes 'All' Placements, historical, current and future. The HEE Trust User will therefore see Trainees across a range of Local Offices.

(vii) HEE Programme Observer

can view People 'related' to their Programme - (Trainee → Programme Membership - Programme)
can view the People L3 tabs containing Personal Details, Placements, Programme Memberships, Assessments and Sensitive Data (the 4 actual Sensitive Data fields are hidden)
cannot view/edit the People L3 tabs containing Qualifications
can view Posts, limited to posts 'related' to their Programme (Post → Programme)
can view only (not edit) all Programmes.
can view only (not edit) all Assessments related to their Programme
For clarity, HEE Programme Users will NOT have access to the TIS Admin section (Reference data), Revalidation, Manage Connections & Concerns
For clarity, the HEE Programme User will see the historical and current programmes of the trainee but will only see the Current trainees in their Programme.
Cannot access Placement Planning Tool

(viii) HEE Programme Admin -

TISNEW-2791 - Getting issue details... STATUS

can view/create/edit People 'related' to their Programme - (Trainee → Programme Membership - Programme)
can view/create/edit the People L3 tabs containing Personal Details, Placements, Programme Memberships, Assessments and Sensitive Data (the 4 actual Sensitive Data fields are hidden)
cannot view/edit the People L3 tabs containing Qualifications
Can view/edit/create placements, Personal Details and Programme Memberships, via the People L3 tabs for the People they have access to
can only view Posts, limited to posts 'related' to their Programme/s (Post → Programme) - TIS21-77 - Getting issue details... STATUS - (no edit/create) - This needs correcting on Prod, fine on stage.
can only view (not edit) all Programmes.

Can only view assessments in a trainee programme related to their programme - so see the trainee and only those assessments linked to the programme or programmes the user is responsible for - This needs correcting on Prod, fine on stage.
For clarity, HEE Programme Users will NOT have access to the TIS Admin section (Reference data), Revalidation, Manage Connections & Concerns
For clarity, the HEE Programme User will see the historical and current programmes of the trainee but will only see the Current trainees in their Programme.
Can access Placement Planning Tool based for the programme they have been setup with in UM and view/create/edit placements for that programme
Does NOT have access to the TIS Admin section, Revalidation & Concerns

(ix) HEE User Admin (this is a stand alone role as some service desk users only need to be able to administer users while not being able to access the TIS app)

can view/create/edit/delete TIS users
will need ProfileAdmin role to have access to users' profiles.

SERVICE DESK

Users will only be given access to the role/s the TIS Account Management form states they need. If no role is provided the user cannot be created.

Post-MVP Roles

TBC e.g. Trainee etc

_______________________

Reporting Considerations

Permissions

- TIS permissions should feed Tableau & Data Mart permissions, but this has not been built yet

- For MVP, permissions will be applied manually

JIRA Link

https://hee-tis.atlassian.net/secure/RapidBoard.jspa?rapidView=13&projectKey=TIS&view=planning&selectedIssue=TIS-709&quickFilter=64&selectedVersion=11700

Discussion & Assumptions

		Comment	Owner
1	Access point only available to Admins with UM edit permissions How is this permission assigned, presumably by Dev, but is this sustainable? Possible to add a ”Super Admin”? Who should have this permission?	Access TIS UM FE needs to be agreed who should own the process ongoing, role "TIS Admin"?	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed)
2	Additional Nav Menu item v hidden / separated?	N/A	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed)
3	Should trainee really only have access to their person record (which contains reference to other items)?	Yes	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed)
4	Should trainee be managed in the same way as internal users?	TBC - not MVP	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed)
5	Should permissions be automatically assigned on creation of a person?	No, role should be added for permissions to be granted	Simon Meredith (Unlicensed)
6	Can and how should users make requests on an individual basis? Can users see components they do not have access to, if yes, can we place access request point there? Non-trainee only, as trainees can only see a standard set of data	Requests should be made via regions and and escalated on to relevant service desk (South and Mids and East manage users themselves. LaSE and North use the LaSE service desk) Users only have access to the areas their roles and attached permissions allow	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed)
7	Does last edited date need to be known? Can changes be reported on? Does last accessed date need to be known by component ad/or user?	Forms part of Audit work	Joanne Watson (Unlicensed) Alistair Pringle (Unlicensed) Simon Meredith (Unlicensed)
8	Does creation of a person record automatically create a login profile on TIS? If not, what should be the trigger? (IO) Assumption is that it does not...	Not MVP - only impacts trainees