This document is an attempt to draw attention to flaws in our management of roles and entitlements and suggest some ways in which we could do better. The intention is that it be used as a basis for discussion.

Roles documentation

A previous project reported on our use of roles and entitlements. The final project report is here:

Much of what was written there, particularly under "Management Recommendations", still applies.

Some documentation concerning roles and entitlements and their use in prometheus can be found here:

There is also a brief Roles FAQ:


Some fairly unstructured statistics/thoughts/suggestions about our management of roles...

  • We currently have 1275 roles. 510 of these are allocated.

  • We have 699 entitlements (plus 1275 role/rolename entitlements). 277 of the 699 are allocated.

  • Roles are an expression of school policy and should be more effectively managed.

  • There is a lack of management:
    • what does any given role mean?
    • what is its intended use?
    • what do the entitlements it confers allow a user to do, and how?
    • who "manages" it, in terms of keeping it up to date, allocating and removing it from people, and managing its lifespan?

  • There is an impression that a small number of roles are well-used and well-understood. Many others fall outside this category.

  • We need, at the very least, a one-off tidy-up:
    • the account granting entitlements need to move;
    • we should get rid of roles which aren't (and won't be) used.

  • Roles should be automatically assigned and removed, through the school database, as much as possible. There are currently 345 roles being allocated in this way. Could we expand this?

  • We could add more information to roles files, in comments; for example, code already exists to interpret documentation strings. We could add other fields too, e.g. 'rolemanager': pinning roles on named people might focus minds.

  • How do we (collectively) decide which entitlements should persist through a user's grace period?

  • If each unit "should be responsible for the roles/entitlements provision for the services which they provide", there is no cross-unit collaboration on identifying sets of entitlements and creating appropriate roles as containers.

  • How useful would time-limited roles be? e.g. "this role is to be applied to these people between these dates".

  • Roles allocated through the database do not automatically lead to a corresponding rfe roles file. A prometheus conduit exists to create (and optionally delete) these, but it must be run manually, because of limitations in dice-authorize which mean it can't, for example, be run by a machine identity. This should be investigated again.

  • Are there areas of authorisation which exist outwith roles/entitlements?

  • What tools/documentation do we require?

-- TobyBlake - 07 Feb 2017

Topic revision: r1 - 07 Feb 2017 - 11:33:13 - TobyBlake