Skill Review ($25 Bounty)
Skill
skills/identity/rbac-design/SKILL.md
What needs improvement
rbac-design includes a role-mining process and useful RBAC-MINE-* checks, but it does not require evidence quality fields for the mining dataset itself. A role-mining exercise can look valid while the input data is stale, incomplete, or biased by privilege creep.
False-ready example
```yaml
role_mining:
  source: IAM export
  users: 420
  permissions: 1800
  overlap_threshold: 80%
  candidate_roles: 38
  business_validation: planned
  dataset_window: unknown
  direct_vs_inherited_permissions: not_expanded
  dormant_accounts_removed: unknown
  break_glass_excluded: unknown
  contractors_separated: no
  owner_signoff: missing
```
This can produce plausible clusters, but it should not be treated as strong RBAC design evidence. The mining data may include dormant users, emergency accounts, inherited group permissions that were not expanded, stale one-time access, contractors mixed with employees, or direct assignments that should be remediated rather than encoded into new roles.
Coverage gaps
- No required dataset window, extraction date, source systems, or coverage denominator.
- No proof that direct, inherited, nested-group, and temporary/JIT entitlements were normalized before clustering.
- No dormant/orphaned/break-glass/service-account filtering evidence.
- No permission-use or last-used evidence to separate necessary access from historical privilege creep.
- No owner signoff per candidate role before roles are promoted into the target model.
- No output table for mining confidence, outlier disposition, or remediated direct assignments.
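The normalization and filtering steps these gaps describe (expanding nested-group and inherited entitlements with provenance, setting aside dormant, break-glass, service and orphaned accounts, separating contractors, and marking entitlements with no observed use in the window) as an added example, not code from the rbac-design skill or its project. The IAM export, group tree, last-used log and the 90-day window below are constructed for the example, and the account-class names and output field names are assumptions.

```python
"""Prepare an IAM export for role mining: expand nested-group and inherited
entitlements while keeping provenance, set aside account classes that must
not drive clustering, and mark entitlements with no observed use in the window.
All data below is constructed for the example; field names are assumptions."""
from datetime import date, timedelta

WINDOW_END = date(2024, 6, 30)                  # assumed observation window
WINDOW_START = WINDOW_END - timedelta(days=90)  # 2024-04-01
DORMANT_AFTER = timedelta(days=60)              # no login for 60 days => dormant

# Constructed IAM export: account class and last login per account.
ACCOUNTS = {
    "alice": {"class": "employee", "last_login": date(2024, 6, 28)},
    "bob": {"class": "employee", "last_login": date(2024, 6, 25)},
    "carol": {"class": "contractor", "last_login": date(2024, 6, 29)},
    "dave": {"class": "employee", "last_login": date(2024, 1, 3)},     # dormant
    "svc-build": {"class": "service", "last_login": date(2024, 6, 30)},
    "breakglass-1": {"class": "break_glass", "last_login": None},
}
# Groups: direct user members, nested member groups, and the permissions granted.
GROUPS = {
    "eng-all": {"users": {"alice", "bob", "dave", "svc-build"}, "groups": set(), "perms": {"repo:read"}},
    "eng-leads": {"users": {"alice"}, "groups": set(), "perms": {"repo:admin"}},
    "oncall": {"users": {"carol"}, "groups": {"eng-leads"}, "perms": {"prod:ssh"}},
    "emergency": {"users": {"breakglass-1"}, "groups": set(), "perms": {"*:admin"}},
}
# Direct (non-group) assignments; "ghost" has no account record at all.
DIRECT = {"bob": {"db:write"}, "dave": {"db:write"}, "ghost": {"db:read"}}
LAST_USED = {                                          # (user, perm) -> last observed use
    ("alice", "repo:read"): date(2024, 6, 20), ("alice", "repo:admin"): date(2024, 6, 1),
    ("alice", "prod:ssh"): date(2023, 12, 1),          # used, but outside the window
    ("bob", "repo:read"): date(2024, 6, 27), ("bob", "db:write"): date(2024, 6, 27),
    ("carol", "prod:ssh"): date(2024, 6, 29),
}
EXCLUDED_CLASSES = {"service", "break_glass", "test", "dormant"}  # never clustered


def effective_members(group, groups, path=(), seen=None):
    """Map each user reachable from `group` (directly or via nested groups) to the
    group path that grants membership. Cycle-safe; a direct membership wins."""
    seen = set() if seen is None else seen
    if group in seen:
        return {}
    seen.add(group)
    here = path + (group,)
    members = {u: here for u in groups[group]["users"]}
    for child in groups[group]["groups"]:
        for user, via in effective_members(child, groups, here, seen).items():
            members.setdefault(user, via)
    return members


def expand_entitlements(groups, direct):
    """user -> perm -> set of provenance tags ('direct' or 'group:<path>')."""
    ent = {}
    for name, g in groups.items():
        for user, via in effective_members(name, groups).items():
            for perm in g["perms"]:
                ent.setdefault(user, {}).setdefault(perm, set()).add("group:" + "/".join(via))
    for user, perms in direct.items():
        for perm in perms:
            ent.setdefault(user, {}).setdefault(perm, set()).add("direct")
    return ent


def classify_account(acct, window_end, dormant_after):
    """Account class, or 'dormant' for an employee with no recent login."""
    if acct["class"] != "employee":
        return acct["class"]
    last = acct["last_login"]
    if last is None or window_end - last > dormant_after:
        return "dormant"
    return "active"


def prepare_mining_input(accounts, groups, direct, last_used, window_start, window_end,
                         dormant_after=DORMANT_AFTER):
    """Return the mineable population, separated/excluded accounts, unused
    entitlements needing owner approval, direct-only grants to remediate, and
    coverage figures for the dataset-quality record."""
    ent = expand_entitlements(groups, direct)
    mineable, separated, excluded, unused = {}, {}, {}, []
    for user, perms in ent.items():
        acct = accounts.get(user)
        if acct is None:
            excluded[user] = "orphaned"          # entitlement with no account record
            continue
        cls = classify_account(acct, window_end, dormant_after)
        if cls in EXCLUDED_CLASSES:
            excluded[user] = cls
            continue
        bucket = mineable if cls == "active" else separated.setdefault(cls, {})
        kept = {}
        for perm, sources in perms.items():
            used = last_used.get((user, perm))
            if used is None or not (window_start <= used <= window_end):
                unused.append((user, perm, sorted(sources)))  # not encoded without owner approval
                continue
            kept[perm] = {"sources": sorted(sources), "last_used": used}
        bucket[user] = kept
    direct_only = [(u, p) for u, perms in mineable.items()
                   for p, info in perms.items() if info["sources"] == ["direct"]]
    coverage = {
        "window": (window_start.isoformat(), window_end.isoformat()),
        "accounts_in_export": len(accounts),
        "accounts_with_entitlements": len(ent),
        "mined_users": len(mineable),
        "separated_users": sum(len(v) for v in separated.values()),
        "excluded_users": len(excluded),
        "unused_entitlements": len(unused),
    }
    return {"mineable": mineable, "separated": separated, "excluded": excluded,
            "unused": unused, "direct_only": direct_only, "coverage": coverage}


if __name__ == "__main__":
    result = prepare_mining_input(ACCOUNTS, GROUPS, DIRECT, LAST_USED, WINDOW_START, WINDOW_END)
    for key in ("excluded", "unused", "direct_only", "coverage"):
        print(key, result[key])
```

Only the `mineable` map should feed the clustering step; `separated` (here the contractor population) can be mined on its own, `unused` and `direct_only` go to the resource owner as decisions, and `coverage` is the kind of record the dataset-quality gates below ask for.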
Suggested fix
Add role-mining dataset quality evidence gates:
- capture data source, extraction date, observation window, user population, entitlement population, and coverage gaps;
- require expansion of direct, inherited, nested-group, JIT, and temporary assignments;
- require filtering or explicit separation of dormant accounts, break-glass accounts, service accounts, contractors, and test users;
- record permission-use/last-used evidence where available and do not encode unused privilege into candidate roles without owner approval;
- require business/resource-owner validation, outlier disposition, and direct-assignment remediation before role promotion;
- add output fields for role-mining confidence and Not Evaluable reasons.
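The gates above as a checkable record, written as an added example rather than code from the rbac-design skill: the false-ready record from this review is parsed as-is and evaluated against one gate per bullet, producing a readiness status, Not Evaluable reasons and a confidence figure. The gate names, the extra field names beyond the review's example (extraction_date, coverage_gaps, nested_groups_expanded, jit_temporary_expanded, service_accounts_excluded, test_users_excluded, permission_last_used_evidence, outlier_disposition, direct_assignment_remediation), the placeholder and affirmative vocabularies, and the passing record are all assumptions made for this example and are not the skill's RBAC-MINE-* checks.

```python
"""Dataset-quality evidence gates for a role-mining record.
Gate and field names are assumptions for this example, not RBAC-MINE-* checks."""

# Values that mean "no evidence" rather than evidence (assumed vocabulary).
PLACEHOLDERS = {"", "unknown", "missing", "planned", "tbd", "n/a", "none", "not_expanded", "no"}
# Values accepted as a completed step (assumed vocabulary).
AFFIRMATIVE = {"yes", "true", "done", "completed", "expanded", "removed",
               "excluded", "separated", "signed", "approved"}


def known(v):
    """Field carries real evidence rather than a placeholder."""
    return v is not None and not (isinstance(v, str) and v.strip().lower() in PLACEHOLDERS)


def affirmed(v):
    """Field records a completed step."""
    return v is True or (isinstance(v, str) and v.strip().lower() in AFFIRMATIVE)


def count(v):
    """Field is a positive population count (bool is excluded on purpose)."""
    return isinstance(v, int) and not isinstance(v, bool) and v > 0


# One gate per suggested-fix bullet: gate -> {field: acceptance predicate}.
GATES = {
    "dataset_provenance": {"source": known, "extraction_date": known, "dataset_window": known},
    "population_coverage": {"users": count, "permissions": count, "coverage_gaps": known},
    "entitlement_expansion": {"direct_vs_inherited_permissions": affirmed,
                              "nested_groups_expanded": affirmed, "jit_temporary_expanded": affirmed},
    "population_hygiene": {"dormant_accounts_removed": affirmed, "break_glass_excluded": affirmed,
                           "service_accounts_excluded": affirmed, "contractors_separated": affirmed,
                           "test_users_excluded": affirmed},
    "usage_evidence": {"permission_last_used_evidence": known},
    "validation_before_promotion": {"business_validation": affirmed, "owner_signoff": affirmed,
                                    "outlier_disposition": known, "direct_assignment_remediation": known},
}
# Last-used evidence is "where available": its absence lowers confidence but does not block.
ADVISORY = {"usage_evidence"}


def parse_flat_record(text):
    """Parse the flat `key: value` record used in the review (no YAML library needed)."""
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):      # blank line or a section header such as role_mining:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        rec[key.strip()] = int(value) if value.isdigit() else value
    return rec


def evaluate_role_mining(record):
    """Return status, confidence (share of gates passed) and Not Evaluable reasons."""
    gates = {g: [f for f, ok in fields.items() if not ok(record.get(f))] for g, fields in GATES.items()}
    blocking = {g: m for g, m in gates.items() if m and g not in ADVISORY}
    advisory = {g: m for g, m in gates.items() if m and g in ADVISORY}
    passed = sum(1 for m in gates.values() if not m)
    if blocking:
        status = "not_evaluable"
    elif advisory:
        status = "ready_with_caveats"           # unused privilege still needs owner approval
    else:
        status = "ready"
    reasons = [f"{g}: missing {', '.join(m)}" for g, m in {**blocking, **advisory}.items()]
    return {"status": status, "confidence": round(passed / len(GATES), 2),
            "gates": gates, "not_evaluable_reasons": reasons}


# The review's false-ready record, verbatim.
FALSE_READY = """
role_mining:
  source: IAM export
  users: 420
  permissions: 1800
  overlap_threshold: 80%
  candidate_roles: 38
  business_validation: planned
  dataset_window: unknown
  direct_vs_inherited_permissions: not_expanded
  dormant_accounts_removed: unknown
  break_glass_excluded: unknown
  contractors_separated: no
  owner_signoff: missing
"""

# A constructed record that carries evidence for every gate (values are illustrative).
READY_EXAMPLE = {
    "source": "IAM export joined to HR roster", "extraction_date": "2024-07-01",
    "dataset_window": "2024-04-01..2024-06-30", "users": 420, "permissions": 1800,
    "coverage_gaps": "2 legacy apps not exported; listed in appendix",
    "direct_vs_inherited_permissions": "expanded", "nested_groups_expanded": True,
    "jit_temporary_expanded": True, "dormant_accounts_removed": True,
    "break_glass_excluded": True, "service_accounts_excluded": True,
    "contractors_separated": True, "test_users_excluded": True,
    "permission_last_used_evidence": "access logs, 90-day window",
    "business_validation": "done", "owner_signoff": "signed",
    "outlier_disposition": "12 outliers reviewed; 9 removed, 3 kept with approval",
    "direct_assignment_remediation": "41 direct grants migrated to roles or revoked",
}

if __name__ == "__main__":
    for name, rec in (("false-ready", parse_flat_record(FALSE_READY)), ("ready", READY_EXAMPLE)):
        print(name, evaluate_role_mining(rec))
```

The false-ready record fails every gate, so the 38 candidate roles it reports get no credit; the same record with real provenance, expansion, hygiene and sign-off fields passes, and dropping only the last-used evidence yields `ready_with_caveats` rather than a block, matching the "where available" wording of the fix.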
Bounty Info