Identity & Access Management Update

Non Student Lifecycle and Relationships Meeting
March 2, 2010
Penn State Identity and Access Management https://iam.psu.edu/
IAM Non Student Lifecycle and Relationships
• Level Set on IAM
• Penn State IAM
• Use Cases
• Next Steps
Definition of IAM
“An administrative process coupled with a
technological solution which validates the
identity of individuals and allows owners of
data, applications, and systems to either
maintain centrally or distribute responsibility
for granting access to their respective
resources to anyone participating within the
IAM framework.” - NYS Forum
It’s about aligning University policies and
processes with the technologies to
support management of identities and
access to information
IAM - The Big Picture
What is IAM?
Some of the use cases IAM has to cover:
• Access to Protected Library Resources
• Library Staff Access to Integrated Library System
• Access to Library Public Workstations
• HMC Affiliate Access to Library Resources
• Access to Alumni Library Resources
• Access to Electronic Theses and Dissertations Web Site
• Graduate School Exit Survey
• Federating to hosted blogging services
• Prospective students applying for financial aid
• Employee Confidentiality
• Provisioning of an employee's digital identity
• Student early access to residence hall requests and immunization records submissions
• Grouper Auditing Use Case
• Continuing Education and Adult Students
• New Students Applying for Admissions and On-campus Housing
• Prospective Students Visiting Penn State New Kensington
• New Faculty and Access to ANGEL and Other Class Resources
• Adjunct Faculty Activating Access Account
• New Faculty & Staff Selecting Benefits
• Terminated Faculty Member Maintains Access
• Physicians at the Hershey Medical Center and Access to Library Resources
• Patients, Family Members, and Visitors at the Penn State Hershey Medical Center
• Alumni Donors
• Alumni Association
• Local Community Member and Short Term Access Accounts
• Registrar Relationships
• Student Lifecycle
• New Students Applying for Undergraduate Admissions
• Provision of Access to Course Work for Students at a Distance
• Library Resources
• ITS Computer Store Access
• CIC CourseShare
• Deprovision user content after graduation or resignation
• Google Cache Updates
• Access to user content after graduation and/or resignation
• Access to directory data
• Emergency Rehire
• Multiple IDs
• Deceased Employee
• Outreach Registration process
• Updating ISIS Security Profile
• Multiple Security Realms, Same Userids but Different Passwords
• ROTC Instructor Affiliation
• Instructor with Independent Contractor Status
• Name change switching in the directory
• Special Affiliates (for example Religious Affiliates)
• Father and son who is a JR
• Cloning ISIS Security Profiles
• New PSUid assigned for new PSU affiliation
• Student Football Tickets
• Department Identity
• DSL Use Case Interview
• Police Services Use Case Interview
• Police Services Use Case
• Police Log
Penn State IAM
• IAM Stakeholder Committee
• Student Lifecycle Committee
• IAM Governance
• IAM Technical Architect Group
• Non-student Lifecycle Committee
• IAM Hershey Taskforce
IAM Strategic Planning Committee
• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical Center
• Privacy Office
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services
IAM Strategic Recommendations
1. Create Central IAM Policy and Governance
2. Develop plan for formal Risk Assessment
3. Create a Single Central Person Registry
4. Add Level of Assurance Component to Credentials
5. Promote Single Sign-on, Federated Identity, and
control of University digital identity
6. Streamline Vetting, Proofing, and Issuance of Digital
Credentials
7. Streamline and Automate Provisioning/Deprovisioning of Services
8. Promote Awareness and Education of IAM
IAM Student Life Cycle Team
• ITS - Consulting & Support Services
• Auxiliary & Business Services
• ITS - Security Operations & Services
• Undergrad Admissions
• Eberly College of Science
• Student Affairs - Health Services
• Dickinson School of Law
• Undergrad Education - Registrar
• ITS - Digital Library Technology
• Undergraduate Education - Student Aid
• ITS - Administrative Service
• Graduate School
• Smeal College of Business
• University Outreach
• Corporate Controller - Bursar
Student Lifecycle Recommendations
• Expand the lifecycle of students' digital identities and of the accounts that give them access to online services and resources: issue the identities earlier in the relationship and extend them beyond our current normal practice.
Student Lifecycle Recommendations
• Expand Use of Student Affiliations and Add Defining Attributes – Expanded affiliations and attributes will help to more finely identify the relationship a student has with the University, such as applicant, student, or former student. Allowing access to services according to the student's affiliation to the University will help ensure students have access to all the services they need, but only those that apply to their affiliation or combination of affiliations.
• Implement Levels of Assurance with Student Accounts – Levels of Assurance (LoA) will classify the level of certainty the University has that a given digital identity matches a specific individual. The LoA needed to access a given service will vary across services. For example, the assurance of user identity needed for prospective students scheduling campus visits is much lower than for users accessing their transcripts or for faculty reporting grades.
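The two recommendations above describe one access decision with two inputs: the person's affiliation (or combination of affiliations) and the Level of Assurance of the credential they logged in with. The following is an added example, written for this page and not code from the Penn State IAM project, showing that decision as a small policy check. The service names, the LoA scale (1 = self-asserted identity such as a web sign-up, 2 = identity proofed against the student or HR record) and the affiliation vocabulary, including the "emergency-rehire" affiliation that anticipates the Emergency Rehire use case later in this deck, are assumptions for illustration; the slides give no real values.

```python
"""Added example (not from the Penn State IAM slides): a service access
decision that combines a person's University affiliations with the Level
of Assurance (LoA) of the credential they logged in with.

Assumptions for illustration: service names, the LoA scale (1 = self-asserted,
2 = identity proofed against the student or HR record) and the affiliation
vocabulary are constructed; Penn State's real values are not on the slides.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ServicePolicy:
    min_loa: int                    # lowest acceptable LoA for this service
    affiliations: FrozenSet[str]    # any one of these qualifies


@dataclass(frozen=True)
class Subject:
    psu_id: str
    affiliations: FrozenSet[str]    # a person may hold several at once
    loa: int                        # LoA of the credential used this session


# Constructed policy table mirroring the slide's examples: scheduling a campus
# visit needs little assurance, transcripts and grade reporting need a proofed
# identity, and only the matching relationship with the University qualifies.
POLICIES: Dict[str, ServicePolicy] = {
    "campus-visit-scheduling": ServicePolicy(1, frozenset({"prospect", "applicant", "student"})),
    "transcripts":             ServicePolicy(2, frozenset({"student", "former-student"})),
    "grade-reporting":         ServicePolicy(2, frozenset({"faculty"})),
    "library-resources":       ServicePolicy(1, frozenset({"student", "faculty", "staff", "emergency-rehire"})),
}


def decide(subject: Subject, service: str,
           policies: Dict[str, ServicePolicy] = POLICIES) -> Tuple[bool, str]:
    """Allow only when both the LoA floor and the affiliation test pass.
    Services without a policy are denied rather than silently allowed."""
    policy = policies.get(service)
    if policy is None:
        return False, f"no policy for {service}"
    if subject.loa < policy.min_loa:
        return False, f"LoA {subject.loa} < required {policy.min_loa}"
    if not subject.affiliations & policy.affiliations:
        return False, "no qualifying affiliation"
    return True, "ok"


def entitled_services(subject: Subject,
                      policies: Dict[str, ServicePolicy] = POLICIES) -> List[str]:
    """Every service the subject may use under the current policy table."""
    return sorted(s for s in policies if decide(subject, s, policies)[0])


if __name__ == "__main__":
    # A student on a self-asserted (LoA 1) account reaches the library but not
    # transcripts; the same student with a proofed credential reaches both.
    # A retiree brought back as an emergency rehire gets only what that
    # combination of affiliations grants.
    for subj in (Subject("s1", frozenset({"student"}), 1),
                 Subject("s1", frozenset({"student"}), 2),
                 Subject("r1", frozenset({"retiree", "emergency-rehire"}), 2)):
        print(subj.psu_id, subj.loa, entitled_services(subj))
```

The point of returning a reason string with each denial is operational: when a student is refused a service the help desk can tell an assurance problem ("come in with ID to get proofed") from an affiliation problem ("the Registrar has you as a former student") without reading the policy table.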
Student Lifecycle Recommendations
• Implement a Single Authentication Realm – Phasing out the distinction between Friends of Penn State accounts (FPS) and Access Accounts and moving to a single authentication realm will avoid confusion between the two different types of accounts and help eliminate some of our current problems that occur when students are migrated back and forth between realms.
• Streamline Registration Process – The above recommendations, if put into practice, will provide opportunities for streamlining our current registration processes: enabling better customer service, reducing required staff time and resources, and reducing redundant registration activities.
IAM Governance Council
Co-sponsored by Rob Pangborn, VP and Dean of Undergrad Admissions, and Kevin Morooney, Vice Provost of Information Technology. Members:
• VP for Student Affairs
• Director, University Police Services
• CIO, Hershey Medical Center
• Sr. VP for Research & Dean of the Graduate School
• Assoc. VP of Auxiliary and Business Services
• Assoc. VP for Human Resources
• Vice President of Outreach
• Assoc. Dean of Tech - Dickinson School of Law
• VP of Commonwealth Campuses
• Dean of University Libraries & Scholarly Communications
IAM Technical Architect Group
• Formed in July 2009
• Charged with furthering Penn State's vision for a comprehensive and cohesive IAM solution.
• Support the University's goal to expand access and opportunities while preserving privacy for the Penn State community.
• Evaluate, prototype and recommend identity and access management solutions that provide the appropriate access to enterprise resources.
IAM Technical Architect Group
• Two primary areas of focus in year one
• Single Central Person Registry
• Access Management
Newly Formed (or Forming) Committees
• Non Student Relationships and Lifecycle
• IAM Hershey Taskforce
IAM Community Site
IAM Use Cases
Use Case: Deceased Employee
• Use Case:
  • If an employee is deceased and the spouse has benefits through the deceased employee, the spouse must now maintain the benefits.
  • In some cases records have been changed to show the spouse's name and to give the spouse access to the deceased employee's Penn State Access Account. This effectively reassigns every identity linked to that Access Account to a different person, without proper records or signatures.
• IAM Opportunity:
  • Create a comprehensive IAM policy for managing all University relationships.
  • Explore federating identities as a solution for spousal access to benefits, so the spouse gets an identity of their own rather than the deceased employee's credentials.
Use Case: Emergency Rehire
• Use Case:
  • A person retires from Penn State. If their position has not been filled and there is a need for that person's skills, the retiree may be asked to work temporarily as an emergency rehire. This causes problems because, when checking IBIS records (OHR), the employee's status is retired yet their AIS account is still active. In addition, the emergency rehire may be blocked from services they need to do the job because their affiliation is retiree, not faculty/staff.
• IAM Opportunity:
  • Create a comprehensive IAM policy for managing all University relationships.
  • Different levels of access may need to be defined for the emergency rehire, tied to that affiliation rather than to a still-active account left over from employment.
Use Case: Name Switching in the Directory
• Use Case:
  • When a student comes to Penn State their biographical data is stored in the Integrated Student Information System (ISIS). That information is fed to the CACTUS system for updating the Penn State Directory. Basic information about the student, such as name and contact information, is displayed in the directory.
  • After graduation the student may accept a position at Penn State. Their biographical data, along with other information about them, will now also reside in the Integrated Business Information System (IBIS). Like ISIS data, IBIS data is fed to CACTUS for directory updates.
  • If the employee marries and changes their name, IBIS is updated with the new name, which propagates to CACTUS and then to the directory. A problem arises if the employee then takes a class: information from both ISIS and IBIS is now fed to CACTUS. If the employee did not also update ISIS with the new name, the directory entry flips back and forth between the "maiden" name and the new married name on each feed, and keeps doing so until the employee changes their name in ISIS.
• IAM Opportunity:
  • Reduce the number of authoritative sources for names and other key data elements.
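The flip-flop above is what a directory fed directly by two systems of record does when they disagree: last feed wins, every night. The "Single Central Person Registry" recommendation earlier in this deck is the structural fix. Below is an added example, written for this page and not code from the Penn State IAM project or CACTUS, that simulates both behaviours on a constructed feed: the last-writer-wins directory, and a registry that keeps every source's value and publishes one chosen by a per-attribute precedence rule. The system names ISIS, IBIS and CACTUS come from the slide; the record layout, the psu_id, the attribute names and the precedence order (HR authoritative for legal name) are assumptions.

```python
"""Added example (not from the Penn State IAM slides): a toy single central
person registry that keeps each source system's value for an attribute and
publishes one value chosen by precedence, beside the last-writer-wins
behaviour the slide describes for a directory fed directly from ISIS and IBIS.

System names ISIS/IBIS come from the slide; the record layout, the psu_id,
attribute names and the precedence order are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample feeds.  Jane Smith married and became Jane Jones; HR
# updated IBIS but she never told the Registrar, so ISIS still carries the
# maiden name.  Once she enrols in a class while employed, both systems push
# to the directory every night, ISIS first then IBIS.
ISIS_FEED = {"psu_id": "jxs123", "givenName": "Jane", "sn": "Smith"}
IBIS_FEED = {"psu_id": "jxs123", "givenName": "Jane", "sn": "Jones",
             "title": "IT Specialist"}
NIGHTLY_RUNS = [("ISIS", ISIS_FEED), ("IBIS", IBIS_FEED)] * 3


@dataclass
class Entry:
    psu_id: str
    attrs: Dict[str, str] = field(default_factory=dict)               # published values
    by_source: Dict[str, Dict[str, str]] = field(default_factory=dict)
    changes: List[str] = field(default_factory=list)                  # audit trail


def _payload(feed: Dict[str, str]) -> Dict[str, str]:
    return {k: v for k, v in feed.items() if k != "psu_id"}


def _publish(entry: Entry, values: Dict[str, str], via: str) -> None:
    """Apply values to the published record, logging every actual change."""
    for attr, value in values.items():
        if entry.attrs.get(attr) != value:
            entry.changes.append(f"{attr}: {entry.attrs.get(attr)!r} -> {value!r} via {via}")
            entry.attrs[attr] = value


def last_writer_wins(runs) -> Dict[str, Entry]:
    """Directory fed directly by each source: whichever ran last overwrites,
    so two sources that disagree make the name flip on every run."""
    directory: Dict[str, Entry] = {}
    for source, feed in runs:
        entry = directory.setdefault(feed["psu_id"], Entry(feed["psu_id"]))
        _publish(entry, _payload(feed), source)
    return directory


# Per-attribute precedence (an assumption): HR is authoritative for the legal
# name and job title; anything IBIS lacks falls through to ISIS.
PRECEDENCE: Dict[str, List[str]] = {
    "givenName": ["IBIS", "ISIS"],
    "sn": ["IBIS", "ISIS"],
    "title": ["IBIS"],
}


def person_registry(runs, precedence=PRECEDENCE) -> Dict[str, Entry]:
    """Registry that retains every source's values and publishes, per
    attribute, the value from the highest-precedence source that has one."""
    registry: Dict[str, Entry] = {}
    for source, feed in runs:
        entry = registry.setdefault(feed["psu_id"], Entry(feed["psu_id"]))
        entry.by_source[source] = _payload(feed)
        resolved: Dict[str, str] = {}
        for attr, order in precedence.items():
            for src in order:
                if attr in entry.by_source.get(src, {}):
                    resolved[attr] = entry.by_source[src][attr]
                    break
        _publish(entry, resolved, "registry")
    return registry


def surname_changes(store: Dict[str, Entry], psu_id: str) -> List[str]:
    return [c for c in store[psu_id].changes if c.startswith("sn:")]


def disagreements(entry: Entry) -> List[Tuple[str, str, str]]:
    """Source values that differ from what is published: the stale records a
    reconciliation job should chase instead of letting them reach the directory."""
    return [(src, attr, val)
            for src, vals in entry.by_source.items()
            for attr, val in vals.items()
            if entry.attrs.get(attr) != val]


if __name__ == "__main__":
    naive = last_writer_wins(NIGHTLY_RUNS)["jxs123"]
    print("directory fed directly:", *naive.changes, sep="\n  ")
    reg = person_registry(NIGHTLY_RUNS)["jxs123"]
    print("registry:", *reg.changes, sep="\n  ")
    print("still to reconcile:", disagreements(reg))
```

Over three nightly cycles the directly fed directory records six surname changes (Smith, Jones, Smith, Jones, ...), while the registry records two (the initial load and the legitimate change) and stays on the married name no matter how often ISIS re-sends the old one. The leftover ISIS disagreement is still visible to a reconciliation job, which is the operational point of keeping every source's value rather than just the winner.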
“If we get this right, there isn’t a unit or constituency that doesn’t benefit. We have to try to get it right. Continuing on the old trajectories makes us more brittle at a time when we need to be more agile.” - Kevin Morooney