Early on, we looked at how appropriate bodies accessed DfE services.
We found out:
- the AB portal and Check a teacher's record both use DfE Sign in
- it was very confusing to understand how they were given access to both
- appropriate bodies are not reliably represented in DfE Sign in data, for example, there is not a unique identifier they share for us to know that each organisation is an appropriate body
- Steve (old dev) used to work on Check a teacher's record and says they set up a manual way to send lists to DfE Sign in to know organisation types for authorisation, but this was time-consuming and took some time to work out
- there seemed to be some sort of method where a list of ABs was sent to DfE Sign in to try and get DfE Sign in to work better, perhaps letting them know exactly what organisations were allowed access to the service
- there aren't particular pain points with ABs accessing the current ECF1 service Check data for appropriate bodies
What was quite key is that we never got to the bottom of how users are added to the AB portal. We know they use DfE Sign in, but not if:
- ABs use DfE Sign in and can self-serve their onboarding to the AB portal, and can sort out their DfE Sign in access themselves (potentially dependent on the TRA teams sending over lists of ABs to the DfE Sign in team)
OR
- ABs use DfE Sign in and cannot self-serve, but need to ask TRA for each user to be added to the appropriate body to access the AB portal
Similarly, we didn't work out if appropriate bodies can add new users once they have 1 user onboarded for their organisation.
Because we were only planning to replace Check data for ABs at the time, we just decided for ABs we would not use DfE Sign in for authorisation for MVP. We would just use it for authentication - and offer the option of email sign-in links as well.
However, given we are now replacing the AB Portal as well, this might be worth reconsidering.
What?
- Work out how as-is access to the AB portal works
- Decide how we want to handle AB access to the new service to submit induction information
- Consider follow-up tickets to get this done, e.g. contacting the DfE Sign in team to get everything set up
Out of scope
Helpful links or other information
Design history we wrote
Similar tickets:
https://github.com/orgs/DFE-Digital/projects/48/views/10?filterQuery=DfE+sign&pane=issue&itemId=72698443
https://github.com/orgs/DFE-Digital/projects/48/views/10?filterQuery=DfE+sign&pane=issue&itemId=71426566