[REVIEW] rbac-design: add role mining separation-of-duty simulation gates
Skill Being Reviewed
Skill name: rbac-design
Skill path: skills/identity/rbac-design/
False Positive Analysis
A proposed role with broad permissions can be acceptable when SoD simulation proves no toxic combination and an owner approves the residual risk.
Coverage Gaps
Role mining should include separation-of-duty simulation before new roles are accepted. Permission clustering alone can create roles that combine request, approve, deploy, and reconcile duties.
Edge Cases
- SoD conflict appears only across two applications.
- Temporary project role becomes permanent.
- Existing users inherit conflict through nested groups.
Remediation Quality
- Add role-mining evidence: candidate role, source entitlements, SoD rules tested, violating users, exception owner, and expiry.
- Require cross-system SoD simulation before rollout.
- Flag roles with unresolved toxic combinations.
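As an added illustration of the gate described above (not code from the rbac-design skill or any IGA product), a Python simulation that expands nested groups, tests SoD rules across systems, separates conflicts a candidate role would introduce from ones users already inherit, flags intra-role toxic combinations, and emits the evidence record (candidate role, source entitlements, rules tested, violating users, exception owner, expiry). All users, groups, entitlements and rules are constructed sample data.

```python
from collections import defaultdict
# Constructed sample data (not from a real IGA system): entitlement "system:permission" -> SoD duty (None = no duty).
DUTY_OF = {"erp:create_po": "request", "erp:approve_po": "approve",
           "cicd:deploy_prod": "deploy", "ledger:reconcile": "reconcile", "cicd:read_logs": None}
# Toxic duty pairs; each rule applies across systems, not only inside one application.
SOD_RULES = [("request", "approve"), ("approve", "deploy"), ("deploy", "reconcile")]
# Nested groups: members may be users or other groups; entitlements attach to groups.
GROUP_MEMBERS = {"finance": ["alice", "ap-clerks"], "ap-clerks": ["bob"], "sre": ["carol"]}
GROUP_ENTS = {"finance": ["erp:approve_po"], "ap-clerks": ["erp:create_po"], "sre": ["cicd:deploy_prod"]}

def users_of(group, seen=None):
    """Expand nested membership to the set of users, guarding against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for m in GROUP_MEMBERS.get(group, []):
        users |= users_of(m, seen) if m in GROUP_MEMBERS else {m}
    return users

def effective_entitlements():
    """user -> entitlements inherited through every nested group."""
    eff = defaultdict(set)
    for group, ents in GROUP_ENTS.items():
        for user in users_of(group):
            eff[user].update(ents)
    return eff

def toxic_pairs(ents):
    """SoD rules for which both duties are present in one entitlement set."""
    duties = {DUTY_OF.get(e) for e in ents} - {None}
    return [r for r in SOD_RULES if r[0] in duties and r[1] in duties]

def simulate_role(name, source_ents, assignees, exception=None, today="2024-01-01"):
    """Gate a mined role: record the conflicts it carries or introduces; block unless an owned, unexpired exception covers them."""
    eff = effective_entitlements()
    intra = toxic_pairs(source_ents)  # toxic for anyone who receives the role, even with no assignees yet
    introduced = {}
    for user in assignees:
        before = toxic_pairs(eff[user])  # conflicts the user already has via nested groups
        new = [p for p in toxic_pairs(eff[user] | set(source_ents)) if p not in before]
        if new:
            introduced[user] = new
    ok_exception = exception is not None and exception["expiry"] > today  # ISO dates compare as strings
    status = "accepted" if not (intra or introduced) else "accepted-with-exception" if ok_exception else "blocked"
    return {"candidate_role": name, "source_entitlements": sorted(source_ents),
            "sod_rules_tested": SOD_RULES, "intra_role_conflicts": intra, "violating_users": introduced,
            "exception_owner": exception and exception["owner"], "expiry": exception and exception["expiry"],
            "status": status}
```

In the sample data bob already holds request and approve through nested groups, so the record attributes only the deploy/reconcile conflict that the new role creates for carol, while a role that is toxic on its own is blocked even before anyone is assigned.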
Comparison to Other Tools
IGA suites can simulate SoD if rules exist; RBAC design review must ask for the rule evidence.
Overall Assessment
Add SoD simulation gates so role mining does not automate risky combinations.