Meeting Minutes & Action Items

Meeting Name: UBCO SASI Functional To-Be Process Validation for Access and Identity Management (AIM)
Date: December 15, 2015
Time: 2:30 to 4:00 PM
Location: ART 102

Attendees (Name: Title)
• Robert Eggleston: Acting Dean of the Faculty of Creative and Critical Studies, Associate Professor – English, UBCO
• Michelle Lowton: Director, Student Development and Advising, UBCO
• Debbie Mason: Business Analyst, SASI
• Vasu Narayana: Deloitte Consultant
• Stephanie Oldford: Academic Governance Officer, Enrolment Services (comments received via email)
• Erin Shannon: Associate Director, Enrolment Services

Agenda
• Our AIM
• Our Pain Points
• Our Approach
• Our Achievements
• Our Work Progress
• Our Future (Feedback/Concerns)
• Our Guiding Principles (Group Activity)

Action Items (columns: #, Action Items, Raised by, Owner, Due Date)
1. Change management team to prepare terminology documentation. Marianne Boyle
2. Review Guiding Principles feedback and recommendations and respond. Erin Shannon

NOTES:

Our AIM:
• Create a framework to control access to the new SIS based on who a person is (e.g., admissions advisor) and what duties the employee performs.
• Refactor solution for Sauder and Grad to ensure that we have a holistic solution.

Our Pain Points:
• Paper Access Request Forms are confusing to fill in
• Partial HR Knowledge – status at UBC unknown, no notice of changes/departures
• Manual Provisioning – manual steps to avoid duplicate accounts, access is additive
• Manual De-provisioning – access not removed
Feedback: General agreement with pain points.

Our Approach
Found we are unable to make sense of the SIS roles, and why people have the access they have. Decision to:
• Look at other universities’ guiding principles
• Research case studies for controlling access. Best example: Pharmaceuticals / Siemens case study where they did a business process review (BPR).
Using this template, we validated our processes (e.g.
registering for a course, transferring credits) and identified the people involved so that we could learn what the new SIS needs to do.

Our Achievements
• GRASP and Sauder are already operational.
• Campus Wide Login (CWL) integrated with the new SIS so we know who is logging in. CWL supports guiding principle that a person has one account.
• Controlled Access Behavior – use role groups to control what an employee, applicant and/or student can see and do.
Feedback: How does that work? What will that look like from a practical sense?
A1: We have created Web pages accessible from a URL (e.g. evision.as.it.ubc.ca). You enter your CWL to access, much like you do to access the current SIS. You do not need to choose whether you are accessing a faculty or a student area. Instead, you will be assigned roles based on what you need to do. If you are an employee you see these areas of eVision, if you are a student you see that, if you are both you see both.

Our Work Progress
• Smart Form (online) is an option but we must consider legal requirement to capture signature of approver for requests, FIPPA.
• Actor Catalogue – identifies our people, our processes and what tasks they are doing in the student lifecycle. Actor Catalogue is based on the discussions in workshops.
• What are actors? Actors group people at a high level (e.g. the “Dean” actor category includes Dean, Associate Dean, Assistant Dean, Dean’s delegate etc.).
Feedback: General discontent with paper form. How would a new online form actually do anything to fix the problems people have filling in the form?
A1: Yes this is true. If a form option is pursued we would engage subject matter experts to understand the business needs, and use our UX team resources to create a dynamic form that shows or hides content based on responses from the person completing the form. We do appreciate that using a single form for all of our scenarios is an imperfect solution.
We are thinking this would be better suited for exceptions where we cannot know who will need a particular type of access, e.g., permission to view aboriginal student records, or broad-based admissions reviewers. This is why our primary focus is to automate provisioning to the greatest extent possible.

Our Future:
Eliminate where possible manual and confusing processes to manage accounts
• Shell Accounts – pre-emptive strike to create (migrate) employee accounts. Shell account = employee has account in new SIS but no permission to do anything. Can use employee accounts in SIS to inform us who may need account in new SIS.
• Reports – use HR/SIS information (e.g. create reports to find out which employees have left the university).
• Account Management – leverage employee details to automatically grant or disable access (to fullest extent possible).
Feedback:
Q1: Complexity – Robert raised question on student taking a part-time employment opportunity or an employee taking a course, how do we handle such scenarios?
A2: We have validated that we can use rules to further control access to data, e.g., if you are a TA you cannot change marks on a course you have taken.

Our 8 Guiding Principles Discussion:
Feedback stats: Individual Post-its provided with the following input received: 1: (1) 2: (1) 3: (1) 4: (0) 5: (1) 6: (1) 7: (1) 8: (0) *9: (0)

1. Ensure the right people, have the right access, to the right information, at the right time.
   • Who decides what is “right”?
     A1: Systems and people both upstream and downstream elements need to be evaluated
   • Define rightness by starting with actors and gradually developing roles over a period of time and usage pattern
   • Define the right people based on the department, units they are employees of
   • How do you define access around such multiple roles (e.g., can a student who is TA have access to grade roster?)
     A2: Limit access based on enrolment history and rules for who may alter grades
   • (via email from Stephanie Oldford) System can operationalize but not necessarily make those judgement calls about who/what/when is right. There is a huge governance/policy piece of work that needs to be done to make the principles work. It may also be that I see access to viewing information as separate from processes and functions that use the information
2. Maintain a single identity for a person in the student information system
   • Question the difficulty with managing a single identity
3. Automate provisioning and de-provisioning access, where possible
   • Some access may need to be reviewed before we automate.
     A1: We can define which system/functional areas will have automated provisioning and which will need approvals.
4. Simplify end-user experience
5. Reduce account management overhead
   • Concern around this principle, and that it not be used as a means to reduce payroll.
6. Be transparent and inclusive with partners
   • Are we including students in decision making?
     A1: We mentioned the student experience survey conducted by UX team as example of our desire to engage students.
   • Who are our partners?
     A2: Our intention is to bring all groups involved in learning together into one system and that our initial thought was that these are our partners. This question has been raised many times and may need further discussion/clarification.
7. Adherence to FIPPA and information security policies
   • Need to monitor and review use of accounts
8. Monitor and review appropriate use and transaction of student data
   • How will we track the student information (access to address, email, grades etc.) and who can access/report on it?
9. General feedback