Maybe? I am not sure how much "role assignment" is handled as part of SSO vs. how often SSO is purely authentication and there's another app-tier layer that's doing authorization.
"Role definition" is certainly app-tier, by ... uh... definition.
I'm thinking of something more like a literal terraform config that treats roles as resource templates to be instantiated against human accounts.
{ template: "New SE", roles: [ { system: AWS-Live, role: ReadOnly }, { system: SonatypeNexus, role: ReadOnly } ... ] }
And then you just do the equivalent of "tf apply 'New SE' joe@example.com" and a bunch of UX or backend automation updates permissions for Joe in all the things.
And then you publish the role templates, and let your EMs, Sr. SEs, and other opinion-havers about roles start tuning/tweaking/extending/adding. With review and approval from Sec and IT. And then if there's some role definition change, you just roll it out like you would a single user.
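A toy version of that "role templates as resources, apply per user" idea, added here as an example and not code from the commenter. Template names, systems and roles are constructed; the "systems" are an in-memory set rather than real APIs.

```python
# Added example: a minimal plan/apply loop for role templates, in the spirit of
# "tf apply 'New SE' joe@example.com". Systems and roles below are constructed.
from collections import defaultdict

# Role templates: name -> list of (system, role). Constructed sample values.
TEMPLATES = {
    "New SE": [("AWS-Live", "ReadOnly"), ("SonatypeNexus", "ReadOnly")],
    "Sr SE": [("AWS-Live", "ReadOnly"), ("AWS-Live", "Deploy"),
              ("SonatypeNexus", "Publish")],
}

def desired_state(assignments, templates=TEMPLATES):
    """assignments: {user: template_name}. Returns the set of (system, role, user)
    grants that should exist when the templates are the source of truth."""
    return {(system, role, user)
            for user, name in assignments.items()
            for system, role in templates[name]}

def plan(current, assignments, templates=TEMPLATES):
    """Terraform-style plan: (grants, revokes) needed to reach the desired state.
    Anything in `current` that no template explains is treated as drift and revoked,
    so hand-granted exceptions have to be expressed as a reviewed template change."""
    desired = desired_state(assignments, templates)
    return sorted(desired - current), sorted(current - desired)

def by_system(changes):
    """Group (system, role, user) tuples per system for fan-out to each system's API."""
    grouped = defaultdict(list)
    for system, role, user in changes:
        grouped[system].append((user, role))
    return dict(grouped)

def apply(current, assignments, templates=TEMPLATES):
    """Apply the plan. A real implementation would call each system's automation
    once per by_system() bucket; here the 'systems' are just the returned set."""
    grants, revokes = plan(current, assignments, templates)
    return (current | set(grants)) - set(revokes)

if __name__ == "__main__":
    # Onboard joe as "New SE", then change the template and roll it out to everyone on it.
    state = apply(set(), {"joe@example.com": "New SE"})
    changed = dict(TEMPLATES)
    changed["New SE"] = TEMPLATES["New SE"] + [("GitHub", "Member")]
    print(plan(state, {"joe@example.com": "New SE", "ann@example.com": "New SE"}, changed))
```

Because `plan` diffs against the full current state, a template edit shows up as one reviewable set of grants across every user on that template, and stray permissions nobody templated show up as revokes.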