RAMS - Whole of government Relationship Authorisation Management Solution

The Digital Transformation Office that is currently operating out of the Department of the Prime Minister and Cabinet has prepared a request for information (RFI) and released it for responses. The overview document can be found here.  15 47 - Part 2 - SOR Attachment A - High Level Design.  The full set of specifications can be obtained from the Australian Government Tender System.

Welcomer is preparing a response to this RFI.

From the document

INTENT

Implement a whole-of-government authorisation model linked to myGov and the ABR by June 2016, allowing users to nominate others to act on their behalf when interacting across government services (e.g. power of attorney, ‘universal’ delegations, roles).

DESCRIPTION

This recommendation is for the creation of a whole-of-government Relationship and uthorisation Manager (RAM) solution. Agency on-boarding to this solution will be a subsequent phase. The proposed solution builds upon existing VANguard & myGov authentication systems by allowing access control to be based upon relationships between identities and recording related delegation of functional access. The solution will record relationships specific to access management (regardless of entity type). Agencies will continue to manage the relationships intrinsic to their domain, thus requiring the RAM solution to query those agencies via attribute queries.

CONTEXT

  • Identity solutions for Business & Individuals is currently disjoint, making it difficult to provide a seamless experience.
  • Agencies have siloed authorisations solutions with legislative & policy barriers to sharing.
  • Some agencies assume AUSkey holder has permissions for all agency functions.
  • Some transaction require parties to impersonate others.
  • Some organisations don’t trust their own management of their AUSKey credentials
  • Power of Attorney has “legacy” complexities that are not present with nominations from one customer to another

CONSTRAINTS

  • A separate interim solution will be provided by Sept 2015 for “individuals in business” to connect ABN to MyGov. This solution will provide the long term solution.
  • Need WofG Authorisation solution by June 2016.
  • Privacy of individuals & confidentiality of businesses must be preserved.

ADDITIONAL DESIGN CONSIDERATIONS

  • Need to recognise industry players (Facebook, Google) are evolving standards based solutions, e.g. OIDC.
  • Consider privacy principles around consent and sharing Need to consider external systems, processes and environments
  • Need to ensure operates in wholesale and retail contexts
  • Authentication & Authorisation capability should be consistent across channels
  • Authorisation process needs to be simple and information kept current
  • Will record relationships & authorisations between any entity type (Individual, Organisation, Device).
  • Will leverage existing stores for attribute based queries (where possible)
  • Ensure credentials are not automatically elevated
  • Need to separate identity level & credential level.
  • Trusted 3rd parties may create relationships
  • Subject of relationship may not have a credential

KEY STAKEHOLDERS

  • Department of Human Services
  • Australian Taxation Office
  • Department of Industry
  • and rest of govt. who needs it!!
  • Lead Agency –ATO