Map out CIF authorization

[LindsayMacfarlane]

Describe the task

We need to clearly identify and document who can have access and to what within the CIF app (e.g., operators, consultants, etc).

Acceptance Criteria

• [x] Consolidate existing documents to map this out
• [x] Create an excel sheet with assumptions
• [ ] Have an internal conversation about how we want to approach security/authorization
• [ ] Send out meeting invite for session
• [ ] Validate with CIF Ops team
• [ ] Validate with CIF Tech team

Additional context

• February 2, 2022: DL highlights that to do authorization and authentication correctly, it will take time.

[pbastia]

Decision needs to be made about authentication/authorization via BCeID: do we enforce Business bceid? Do we allow basic? Do we give people access to all applications within their organisation?

[dleard]

Does CIF auth need its own epic so we can scope things down into smaller tickets?

[pbastia]

Probably, we'll have multiple tickets related to external users permissions

[suhafa]

@dleard @pbastia the AC for this ticket is more research based, would either of you want to change it so it reflects some first steps for authorization from dev-end of things?

[suhafa]

It would be a better approach to create a user story map first, and then identify user roles/access accordingly. Blocking this ticket and added a ticket (#1540) to do the user story mapping work first.

[pbastia]

AC for this card need to be a bit more refined

[nanyangpro]

Low priority for now in terms of the implementation according to @suhafa during backlog refinement Apr 25.

This is solely a research ticket, @pbastia suggested identifying the workflows for external users to login, (maybe BCeID user management as well?).

Output of this ticket should be added before removing the Backlog Refinement tag.