Skip to content

Add RBAC role-mining dataset evidence gates#1701

Open
yanziwei wants to merge 1 commit into
UnitOneAI:mainfrom
yanziwei:improve/rbac-role-mining-evidence
Open

Add RBAC role-mining dataset evidence gates#1701
yanziwei wants to merge 1 commit into
UnitOneAI:mainfrom
yanziwei:improve/rbac-role-mining-evidence

Conversation

@yanziwei
Copy link
Copy Markdown

@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill

skills/identity/rbac-design/SKILL.md

Closes #1699.

What Was Wrong

rbac-design already included a role-mining process, but it did not require evidence-quality fields for the mining dataset. A role-mining exercise can look valid while the data is stale, incomplete, or biased by privilege creep: dormant users, emergency accounts, direct grants, nested groups, temporary access, service accounts, and contractor entitlements can all become "recommended" roles if the input dataset is not validated before clustering.

What This PR Fixes

  • Adds a Role Mining Dataset Quality Gate before mined roles are accepted as target-state recommendations.
  • Requires source systems, extraction date, observation window, population denominator, coverage gaps, entitlement expansion, account filtering, permission-use evidence, clustering rationale, owner validation, outlier disposition, direct-assignment remediation, and mining confidence.
  • Adds RBAC-MINE-07 through RBAC-MINE-10 for missing dataset coverage, missing entitlement normalization, dirty account populations, and unvalidated candidate-role promotion.
  • Adds a Role Mining Dataset Quality output table.
  • Adds a common pitfall warning about trusting dirty role-mining data.
  • Bumps rbac-design to 1.0.1 and records the change in version history.

Test Cases

  • A point-in-time IAM export with no extraction date, no denominator, and unexpanded nested groups should be Not Evaluable or low confidence.
  • A dataset mixing dormant users, break-glass accounts, service accounts, contractors, and employees should trigger RBAC-MINE-09 unless those populations are separated or filtered.
  • Candidate roles generated from unused privileged access should not be promoted without owner approval and outlier disposition.
  • Direct user-permission assignments should be remediated or explicitly justified before being encoded into target roles.

Validation

  • git diff --check
  • Confirmed the diff is scoped to skills/identity/rbac-design/SKILL.md.
  • Verified required markers are present: Role Mining Dataset Quality Gate, RBAC-MINE-07, RBAC-MINE-10, Role Mining Dataset Quality, and Trusting dirty role-mining data.
  • Checked Markdown code fence balance.

Bounty Tier

Moderate ($100) - adds focused evidence gates that reduce false-ready role-mining recommendations and privilege-creep preservation.

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal 1005150221@qq.com

@yanziwei yanziwei mentioned this pull request Jun 8, 2026
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[REVIEW] rbac-design: add role-mining dataset quality evidence gates

1 participant

@yanziwei