Australian Government Architecture
Search

Type

Capability

Reference

.

Mandate

Endorsed

Permissions

Definition

Permissions provide the ability to evaluate, record, and access information identifying the right of an individual or entity to use, access, or do something, be something, or have something.

A permissions capability embraces more than technology, and includes people, processes, and enablers such a business design, service models, and governance.

Note that some permissions may lead to an entitlement being provided. The scope and granting of entitlements are covered in the entitlements capability in the Australian Government Architecture.

Purpose

Permission management, whether as a distinct system or as a functional component of a broader system, is essential for the evaluation, recording and accessing the rights of an individual or organisation. 

A mature permission capability will enable permissions only to those who are entitled to them and enable those granting the permissions to do so in a secure and efficient manner.

Suitable handling of permissions is realised through:

  • evaluating, accessing information, and capturing the right of an individual or entity to use, access, or do something, be something, or have something
  • allowing or restricting permission, internally and externally, in a controlled manner and on a needs-basis
  • functioning as part of a suite of capabilities within the Cyber Security domain, integrating with other systems to or within which permissions are being granted.

Objective

The objectives of this Australian Government Architecture (AGA) content are to:

  • identify, consolidate, and standardise permissions approaches, especially those with complementary systems functionality, to increase efficiency and reduce the complexity of government service delivery
  • enhance customer experience for individuals and business when they engage with entities
  • establish and implement consistent standards or designs where entity solutions require permissions
  • ensure that new application solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk.

Whole of Government Applicability

Permissions have broad applicability in delivering services such as payments, grants, visas, and permits where there is a need to ensure:

  • consistent, effective, and efficient processing, workflow, approvals, and decision functionality for entities responsible for issuing permissions. 
  • a customer-centric focus, ensuring simple and appropriate, yet robust management of permissions that suits the unique context of the system and its data and security needs
  • use of proven permissions designs, development approaches, and lessons learned, including approaches that assist APS skills development, remove design development complexity, and directly leverage available expertise.

The Data and Digital Government Strategy and Implementation Plan impose obligations on the APS for the provisioning of permissions through:

  • Delivering for all people and business: To embed inclusion and accessibility
  • Simple and seamless services: To be digital by design
  • Trusted and secure: To build and maintain trust.

Policy Elements

Policy:
POL40
Permissions Policy Mandate:
Endorsed
Status:
Core

  • Confirm permissions applicability

    Not all proposed solutions may be permissions related. The permissions standard has identified a set of criteria questions to assist entities in determining applicability of permissions guidance.

  • Comply with legislation and regulation

    An entity must comply with any legislation relevant to its circumstances.

  • Identify permissions related roles

    Permission business processes can be depicted through relevant use cases and the identification of key roles.

  • Identify permissions decision type

    Permissions decisions are typically in response to either an immediate or known future need. Identifying the decision type assists in shaping design of business and technology systems underpinning operations.

  • Align operational and technological needs

    Entities should analyse and assess their specific needs, and develop a comprehensive set of technology, business, service, and compliance requirements.

  • Apply a risk-based approach to permissions

    The assessment and management of risks associated with the handling of permissions should inform design and investment decisions.

  • Lower development and maintenance complexity of permissions solutions

    Adopt supplier guidance and industry best practice during the solution design and development phases of the solution implementation.

  • Ensure the ongoing viability of permissions solutions

    Entities should ensure continual improvement of processes, and features, data, security, technology, skills, and cost should remain a focus to maximise functionality, reduce risk, and minimise accumulation of technical debt.

  • Adhere to reuse principles

    Entities should give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.

Domains

This capability is part of the following domain.
DOM3

Government Service Delivery

Policies

The following policies have requirements that impact this capability.
Protective Security Policy Framework (PSPF)
POL19
Mandate: Endorsed
Status: Core
The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing…
Permissions Policy
POL40
Mandate: Endorsed
Status: Core

Standards

The following standards support development of digital solutions in this capability.

Permissions Standard

STA53
Permissions systems facilitate efficiency, consistency, and a seamless workflow across entities responsible for permissions issuance. Unique business needs and governing requirements will dictate solution selection, design, and implementation. The considerations outlined in the Standard below are…

Designs

The following designs include examples of how digital solutions in this capability can be delivered.

Australian Taxation Office voice authentication solution

DES81

Lead Agency: Australian Taxation Office

Technology Type: Nuance

The Australian Taxation Office (ATO) has implemented a user-centric voice biometric solution that confirms a person’s identity by matching their voice characteristics to a stored voiceprint. People can be authenticated using their voice across multiple channels, including the ATO app and over the…

Integrated Regulatory Information System (IRIS)

DES155

Lead Agency: Comcare

Technology Type: Microsoft Dynamics 365

Integrated Regulatory Information System (IRIS) is the primary application used by Comcare’s Regulatory Operations Group for various regulatory licensing, monitoring, compliance, and investigation tasks. It is a central, organised, easy-to access place to store data about notifications (work health…

Contractor Reporting, Integrity Information System (CRIIS)

DES160

Lead Agency: AusTender

The Contractor Reporting, Integrity Information Solution (CRIIS) will enhance transparency in Government contingent workforce processes and support the engagement of temporary workers.

Strategic Alignment

Digital solutions in this capability can support the following strategies.

2023-2030 Australian Cyber Security Strategy

Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.