Caseflow: Authorization, Role, & Permission System Refactor
Background/context
Over the lifetime of Caseflow we have integrated several permission systems and created a few more to solve various problems as they've arisen.
We now integrate with VBMS, DAS, and VACOLS user systems. We share authorization with the Efolder application. We have Caseflow users who have Roles, Organization membership, Organization Admins, JudgeTeam membership (Judge, Attorney, or Admin) System Administration and Global Administration/Impersonation. [What things has kat forgotten? Are some of these not implicated?]. Some memberships are maintained in developer-maintained version controlled files, others are maintained by the users themselves within the app. Some are written into the logic of other objects.
Goals
The overall goal of this epic is to capture the realities of our authorization system into the app, replacing the more piecemeal systems we have outgrown.
- Discover our user needs around authorization, roles, & permissions
- Document the behavior in our existing specs as a baseline
- Research what existing Rails (or other?) technology exists we can take advantage of
- Implement the chosen technology to create a holistic system within caseflow
- where we cannot replace external systems, they should be nicely encapsulated
- Ensure the process and final results are well documented
Success criteria
- We have a holistic authorization system
- Users are minimally impacted
- Developers understand how to use the new system
Stakeholders
- Caseflow Users
- Caseflow engineers
Requirements/stories
Open questions
- What are all of our business needs for authorization?
References/Resources
This need came up concurrently from multiple sprint teams. See the research & discussions in the Special Case Movement tech spec #12175, and this slack discussion.
lomky
All 4 comments
I think this is a good start!
Discover our user needs around authorization, roles, & permissions
This feels like a very large task. Do you think we can come up with a refactor spec by simply inferring from our current use of these systems? I'm assuming our current implementation meets basic user needs.
lomaxap
on 28 Oct 2019
I interpreted
Discover our user needs around authorization, roles, & permissions
as "document the behavior in our existing specs as a baseline" under the assumption that some minimal authz rules were applied during development.
pkarman
on 29 Oct 2019
Just because I was curious, breakdown of # of user by role and organization:
| org_name | User | Mail Intake | VSR | Admin Intake | System Admin | Certify Appeal | RVSR | Establish Claim | Download eFolder | RO ViewHearSched | Case Details | VSO | Edit HearSched | Build HearSched | Hearing Prep | Reader | Manage Claims Establishme | Manage Claim Establishment | DRO |
| ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- |
| BusinessLine | 1024 | 1139 | 294 | 177 | 11 | 50 | 5 | 18 | 19 | 18 | 5 | 5 | 1 | 2 | 3 | 31 | 7 | 7 | 14 |
| Vso | | | | | | | | | 79 | | | 914 | | | | | | | |
| FieldVso | | | | | | | | | 17 | | | 328 | | | | | | | |
| PrivateBar | | | | | | | | | 60 | | | 132 | | | | | | | |
| Colocated | 21 | 9 | | 1 | | | | | 5 | | | | 1 | | | 21 | 1 | 1 | |
| JudgeTeam | 960 | 52 | | 4 | | | 1 | | 56 | | | | | | 153 | 1115 | | | |
| BvaDispatch | 8 | 3 | | | | | | | 1 | | | | | | | 8 | 3 | 3 | |
| Bva | 8 | | | | 4 | | | | 1 | | | | | | 1 | 4 | | | |
| SpecialCaseMovementTeam | 14 | 2 | | 3 | | | | | 2 | | | | 5 | 3 | 2 | 16 | | | |
| QualityReview | 10 | | | 1 | | | | | 2 | | | | | | 6 | 16 | | | |
| PrivacyTeam | 7 | | | | | | | | 7 | | | | | | | 7 | | | |
| HearingsManagement | 38 | 16 | | 2 | 3 | | | | 3 | | | | 35 | 11 | | 35 | | | |
| Translation | 7 | 5 | | | 1 | | | | 2 | | | | | | | 5 | | | |
| AodTeam | 25 | 3 | | | | | | | 5 | | | | | | 1 | 26 | | | |
| MailTeam | 36 | 14 | | 1 | | | | | 5 | | | | 1 | | 1 | 36 | | | |
| LitigationSupport | 24 | 3 | | | | | | | 4 | | | | | | 1 | 24 | | | |
| PulacCerullo | 1 | | | | | | | | | | | | | | 1 | 2 | | | |
| TranscriptionTeam | 7 | | | 2 | 2 | | | | | | | | 6 | 5 | | 5 | | | |
| HearingAdmin | 7 | 1 | | 2 | 2 | | | | | | | | 6 | 5 | | 5 | | | |
| BvaIntake | 1 | 1 | | | | | | 1 | | | | | | | | 1 | | | |
lomaxap
on 6 Nov 2019
Interesting, relevant quirk of our authorization system: #8178
lomaxap
on 19 Nov 2019
Related issues
lomky
路
5Comments
gnakm
路
5Comments
hschallhorn
路
4Comments
nikitarockz
路
3Comments
leikkisa
路
4Comments
Most helpful comment
Just because I was curious, breakdown of # of user by role and organization:
| org_name | User | Mail Intake | VSR | Admin Intake | System Admin | Certify Appeal | RVSR | Establish Claim | Download eFolder | RO ViewHearSched | Case Details | VSO | Edit HearSched | Build HearSched | Hearing Prep | Reader | Manage Claims Establishme | Manage Claim Establishment | DRO |
| ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- | ---- |
| BusinessLine | 1024 | 1139 | 294 | 177 | 11 | 50 | 5 | 18 | 19 | 18 | 5 | 5 | 1 | 2 | 3 | 31 | 7 | 7 | 14 |
| Vso | | | | | | | | | 79 | | | 914 | | | | | | | |
| FieldVso | | | | | | | | | 17 | | | 328 | | | | | | | |
| PrivateBar | | | | | | | | | 60 | | | 132 | | | | | | | |
| Colocated | 21 | 9 | | 1 | | | | | 5 | | | | 1 | | | 21 | 1 | 1 | |
| JudgeTeam | 960 | 52 | | 4 | | | 1 | | 56 | | | | | | 153 | 1115 | | | |
| BvaDispatch | 8 | 3 | | | | | | | 1 | | | | | | | 8 | 3 | 3 | |
| Bva | 8 | | | | 4 | | | | 1 | | | | | | 1 | 4 | | | |
| SpecialCaseMovementTeam | 14 | 2 | | 3 | | | | | 2 | | | | 5 | 3 | 2 | 16 | | | |
| QualityReview | 10 | | | 1 | | | | | 2 | | | | | | 6 | 16 | | | |
| PrivacyTeam | 7 | | | | | | | | 7 | | | | | | | 7 | | | |
| HearingsManagement | 38 | 16 | | 2 | 3 | | | | 3 | | | | 35 | 11 | | 35 | | | |
| Translation | 7 | 5 | | | 1 | | | | 2 | | | | | | | 5 | | | |
| AodTeam | 25 | 3 | | | | | | | 5 | | | | | | 1 | 26 | | | |
| MailTeam | 36 | 14 | | 1 | | | | | 5 | | | | 1 | | 1 | 36 | | | |
| LitigationSupport | 24 | 3 | | | | | | | 4 | | | | | | 1 | 24 | | | |
| PulacCerullo | 1 | | | | | | | | | | | | | | 1 | 2 | | | |
| TranscriptionTeam | 7 | | | 2 | 2 | | | | | | | | 6 | 5 | | 5 | | | |
| HearingAdmin | 7 | 1 | | 2 | 2 | | | | | | | | 6 | 5 | | 5 | | | |
| BvaIntake | 1 | 1 | | | | | | 1 | | | | | | | | 1 | | | |