Roles & the Principle of Least Access

Hi all! I'm at the very basic stages of trying to put together some suggestions or solutions to help our school improve our data governance practices. The biggest hurdle in my opinion is our over-provisioning of managerial roles in our system. We have more Platform Managers than is recommended, and many, many staff members with role access for which they have never been officially trained. I won't lie, it keeps me up at night. Has anyone had any success paring down their managerial roles or readjusting roles to follow the principle of least access? I'd love to hear more about how other schools are reporting on, analyzing, maintaining, and provisioning roles in their K12 system!

Comments

  • We are definitely having issues with that as well at our school. I have held onto Platform Manager so far but Blackbaud is making it difficult. I have a user who would like to have access to some of the education reports they put in Sky reporting. I gave her access to the reports but it still does not work. Apparently she needs Platform Manager as well to see it. It does not make any sense to me. Does anyone have a workaround?

  • Reshma Berryman:

    We are definitely having issues with that as well at our school. I have held onto Platform Manager so far but Blackbaud is making it difficult. I have a user who would like to have access to some of the education reports they put in Sky reporting. I gave her access to the reports but it still does not work. Apparently she needs Platform Manager as well to see it. It does not make any sense to me. Does anyone have a workaround?


    You can always clone roles, but BB does not recommend cloning PM (even though we and many schools have no other option) because it's not always 100% that you will not be giving someone unintended high-level access, even with a very trimmed-down PM clone.

  • @Jess this is such a challenging issue, I agree. We instituted an annual roles/security audit and it does help my team at least remind ourselves of who has what access each spring. My teammate created an awesome document that outlines the users and primary tasks in each role, so that even people who don't spend a lot of time in the system can evaluate this info in a more accessible narrative format. It's really helpful, but also means that we have to remember to update an external doc every time we make a change.

    I struggle also with what access I should have - I share PM with the IT Director, and I also have a LOT of other roles. This seemed important during implementation so that I could see every part of the system, and I do work actively with admissions and the registrar so a lot of it makes functional sense. But I do worry that my god-like access keeps me from understanding some of the system limitations others are seeing and that I'm definitely not adhering to 'least privilege.'

    Other PMs - what additional roles do you have, if you're willing to share?

  • We are definitely struggling with this. We have many cloned platform managers with limited access and we also try to do an annual security audit. We are now looking at how uploading documents to the Files and Forms area can cause private information to be shared with staff that shouldn't see it. We need more granular controls in that area too. We are finding that not only do we have to clone the PM role, we have to clone the non-teaching employee role in order to distinguish between layers/levels of non-teaching staff. For instance, should Advancement and IT see information in Files and Forms? All this to say that Ontario, Canada may soon be faced with GDPR-type laws, which complicates our setup in BB K-12.

  • Hi,

    Would you be willing to share the document your school created? If so, my email is jmreardon@savcds.org. Thank you!!

  • Jessi Walters (Blackbaud Employee)

    Jess, thanks so much for starting this discussion. It's very timely as we will be working to improve the Roles & Access experience in the second half of 2022.

    Morgan, can you describe the process of your annual roles audit? I'm curious how you do this today. If you had a magic wand, what would make this process easier for you?

    Reshma, which part of the SKY Reporting access is only showing up with the Platform Manager role? This is not intended behavior, so I'd like to understand what you're seeing.

    Thanks everyone!

  • Thank you for sharing this! It is a great start for me to download a copy and to begin a similar doc at our school.

  • We are having the opposite issue where people in Sky have access to the grading information. It is a nightmare to monitor because we cannot impersonate and see what they see in SKY.

  • Brian Gray (Community All-Star)

    @Josceline Reardon - I keep a family of fake users in my system. Doing so allows me to investigate a situation when impersonation is not sufficient.

    I can log in as any of the fake users in a Chrome Guest window and test things that would not work via impersonation.

  • @brian gray I do too. Thank you!!

  • Derek Nichols (Blackbaud Employee)

    Not sure if you caught this, but we have a blog post from 2019 talking about roles and attempting to clean up certain ones like Platform Managers. Perhaps this could help?

  • @Reshma Berryman This is an older thread, I know, but I wanted to point out that the issue you describe, where in order to grant a given user access to certain features (reports, in your case) you had to give them Platform Manager or a Platform Manager clone, is STILL a problem in BBEMS, even though Blackbaud just overhauled Security roles management.

    Something even funnier? I am the person who previously managed Jess Moxsky's environment (the person who started this thread), where she's describing seeing too many PMs or PM clones. I HAD to give users those rights in order for BBEMS to be useful to them.

    Too many features, like the People Finder, Reporting, and certain lists simply don't work if the user doesn't have some clone of the PM role. They still haven't fixed it.

    BBEMS security remains one of the most arcane, inscrutable and poorly-structured permissions systems I've ever administered. I LOVE the new interface they made for it but the roles themselves are still structured wrong.
