Definition
Permissions provide the ability to evaluate, record, and access information identifying the right of an individual or entity to use, access, or do something, be something, or have something.
A permissions capability embraces more than technology, and includes people, processes, and enablers such a business design, service models, and governance.
Note that some permissions may lead to an entitlement being provided. The scope and granting of entitlements are covered in the entitlements capability in the Australian Government Architecture.
Purpose
Permission management, whether as a distinct system or as a functional component of a broader system, is essential for the evaluation, recording and accessing the rights of an individual or organisation.
A mature permission capability will enable permissions only to those who are entitled to them and enable those granting the permissions to do so in a secure and efficient manner.
Suitable handling of permissions is realised through:
- evaluating, accessing information, and capturing the right of an individual or entity to use, access, or do something, be something, or have something
- allowing or restricting permission, internally and externally, in a controlled manner and on a needs-basis
- functioning as part of a suite of capabilities within the Cyber Security domain, integrating with other systems to or within which permissions are being granted.
Objective
The objectives of this Australian Government Architecture (AGA) content are to:
- identify, consolidate, and standardise permissions approaches, especially those with complementary systems functionality, to increase efficiency and reduce the complexity of government service delivery
- enhance customer experience for individuals and business when they engage with entities
- establish and implement consistent standards or designs where entity solutions require permissions
- ensure that new application solutions draw security efficiency from preceding investments, implementations, and learnings to maximise re-use and minimise risk.
Whole of Government Applicability
Permissions have broad applicability in delivering services such as payments, grants, visas, and permits where there is a need to ensure:
- consistent, effective, and efficient processing, workflow, approvals, and decision functionality for entities responsible for issuing permissions.
- a customer-centric focus, ensuring simple and appropriate, yet robust management of permissions that suits the unique context of the system and its data and security needs
- use of proven permissions designs, development approaches, and lessons learned, including approaches that assist APS skills development, remove design development complexity, and directly leverage available expertise.
The Data and Digital Government Strategy and Implementation Plan impose obligations on the APS for the provisioning of permissions through:
- Delivering for all people and business: To embed inclusion and accessibility
- Simple and seamless services: To be digital by design
- Trusted and secure: To build and maintain trust.
Policy Elements
-
Confirm permissions applicability
Not all proposed solutions may be permissions related. The permissions standard has identified a set of criteria questions to assist entities in determining applicability of permissions guidance.
-
Comply with legislation and regulation
An entity must comply with any legislation relevant to its circumstances.
-
Identify permissions related roles
Permission business processes can be depicted through relevant use cases and the identification of key roles.
-
Identify permissions decision type
Permissions decisions are typically in response to either an immediate or known future need. Identifying the decision type assists in shaping design of business and technology systems underpinning operations.
-
Align operational and technological needs
Entities should analyse and assess their specific needs, and develop a comprehensive set of technology, business, service, and compliance requirements.
-
Apply a risk-based approach to permissions
The assessment and management of risks associated with the handling of permissions should inform design and investment decisions.
-
Lower development and maintenance complexity of permissions solutions
Adopt supplier guidance and industry best practice during the solution design and development phases of the solution implementation.
-
Ensure the ongoing viability of permissions solutions
Entities should ensure continual improvement of processes, and features, data, security, technology, skills, and cost should remain a focus to maximise functionality, reduce risk, and minimise accumulation of technical debt.
-
Adhere to reuse principles
Entities should give priority to the adoption of reuseable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.