ACE Platform: CIDM Roles

Introduction

This document contains information about CIDM and how it is used to manage access for ACE teams as well as some external teams. CIDM has two workflows that we use:

  1. Role Workflow. Roles are a collection of groups that control access to multiple resources based on the groups associated with that role. The workflow for a role is more complex than a group workflow and allows users to request access, or have access requested on their behalf, to the role. The workflow can require multiple actions before access is granted. In our case, these actions are automated training checks and manual approval of the role by the role owner(s). Upon completion of the workflow, the user is added to every AD group associated with that role.
  2. Group Workflow. Groups are AD groups that control access to a specific resource, such as AWS or Labelbox. Groups have a simple workflow that allows users to request access, or have access requested on their behalf, to be added to the group. The workflow is limited to one action before access is granted. In our case, the action is approval of the group by the group owner.

Limitations of CIDM

  • CIDM does not currently support adding users to email distribution lists
  • Training codes can be changed by training owners. If this occurs, the role's training check will fail for everyone until it is updated: teams will need to identify the new training codes and open a ticket with the CIDM team to update the role

Role Workflow


  • Managers or other team members can request access on behalf of new team members
  • If a person who is an approver of a role requests access on behalf of a user, the requirement to approve the request will be bypassed
  • The email to approve the request will come from CIDM. Approvals occur in CIDM and require approvers to log into CIDM to approve requests

Group Workflow

  • The flow is exactly the same as the Role Workflow, however, the training check is not done
  • When a Group Workflow is started by a request in CIDM, an email is sent to the designated group owner(s), who must approve the access in CIDM

Training Requirements

All Role Workflows currently require the following trainings to be completed before the request moves to the approval step in the workflow. The check is done against the course code, not the training name.

Training Name                                                  Course Code
-------------------------------------------------------------  ------------
Roche Behaviour in Business (RoBiB)                            00888225-1.0
US Privacy Awareness                                           00870334-1.0
Privacy Awareness (Roche)                                      00653804-1.0
Info Security End User Awareness for all Roche Employees       01240050-1.0
HCO Privacy 101 Overview Privacy at GNE                        00352862-1.0
Clinical Trial Patient Privacy                                 01341743-1.0
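The following is an added illustration of the Role Workflow and Group Workflow described above as a decision procedure: the automated training gate (using the course codes from the table), the approver-bypass rule, and the manual approval step. It is not CIDM's own code or API; the role, group, user and approver names are constructed for the example, and the function and class names are assumptions.

```python
"""Model of the CIDM role/group request workflow described on this page.
Added illustration only; CIDM's real implementation is not shown here.
Role, user and approver names below are constructed sample data."""
from dataclasses import dataclass

# Course codes copied from the Training Requirements table on this page.
# The gate compares codes, so a code changed by a training owner (see
# Limitations) blocks every request until the role definition is updated.
REQUIRED_TRAINING = frozenset({
    "00888225-1.0",  # Roche Behaviour in Business (RoBiB)
    "00870334-1.0",  # US Privacy Awareness
    "00653804-1.0",  # Privacy Awareness (Roche)
    "01240050-1.0",  # Info Security End User Awareness for all Roche Employees
    "00352862-1.0",  # HCO Privacy 101 Overview Privacy at GNE
    "01341743-1.0",  # Clinical Trial Patient Privacy
})


@dataclass(frozen=True)
class Role:
    name: str
    ad_groups: frozenset   # AD groups granted when the workflow completes
    approvers: frozenset   # role owners who may approve requests


@dataclass(frozen=True)
class Request:
    user: str                   # person who will receive access
    requested_by: str           # person who submitted the request
    completed_training: frozenset  # course codes the user has completed


@dataclass(frozen=True)
class Outcome:
    status: str                                   # blocked | pending_approval | granted
    missing_training: frozenset = frozenset()
    granted_groups: frozenset = frozenset()


def evaluate_role_request(role: Role, req: Request,
                          required: frozenset = REQUIRED_TRAINING) -> Outcome:
    """Automated part of the Role Workflow: training gate, then approver bypass."""
    missing = required - req.completed_training
    if missing:
        return Outcome("blocked", missing_training=missing)
    # If an approver of the role requested access on the user's behalf,
    # the manual approval step is bypassed and all role groups are granted.
    if req.requested_by in role.approvers:
        return Outcome("granted", granted_groups=role.ad_groups)
    return Outcome("pending_approval")


def evaluate_group_request(group: Role, req: Request) -> Outcome:
    """Group Workflow: identical flow with no training check."""
    return evaluate_role_request(group, req, required=frozenset())


def approve(role: Role, req: Request, approver: str,
            required: frozenset = REQUIRED_TRAINING) -> Outcome:
    """Manual approval step. Only a role owner can approve, and the training
    gate is re-evaluated so a request that went stale cannot be granted."""
    outcome = evaluate_role_request(role, req, required)
    if outcome.status != "pending_approval" or approver not in role.approvers:
        return outcome          # nothing changes: not approvable by this person
    return Outcome("granted", granted_groups=role.ad_groups)


# Constructed sample data (hypothetical names, not real roles or people).
EXAMPLE_ROLE = Role(
    name="ace-example-role",
    ad_groups=frozenset({"ACE-AWS-Example", "ACE-Labelbox-Example"}),
    approvers=frozenset({"role.owner"}),
)
REQ_BY_APPROVER = Request("new.hire", "role.owner", REQUIRED_TRAINING)
REQ_BY_SELF = Request("new.hire", "new.hire", REQUIRED_TRAINING)
REQ_MISSING = Request("new.hire", "new.hire", REQUIRED_TRAINING - {"01341743-1.0"})

if __name__ == "__main__":
    for label, req in (("approver", REQ_BY_APPROVER), ("self", REQ_BY_SELF),
                       ("missing", REQ_MISSING)):
        print(label, evaluate_role_request(EXAMPLE_ROLE, req))
    print("approved", approve(EXAMPLE_ROLE, REQ_BY_SELF, "role.owner"))
    # A changed course code makes every request fail the gate until updated.
    print("renamed", evaluate_role_request(
        EXAMPLE_ROLE, REQ_BY_APPROVER, REQUIRED_TRAINING | {"CHANGED-CODE"}))
```

Passing an empty required set models the Group Workflow exactly as described above: same request and approval path, no training gate. Re-running the training check inside approve is a deliberate choice so that approval of a request submitted before a training code changed cannot grant access that the current role definition would block.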

Workflow Role Definitions

See this spreadsheet for details.