Identity & Access Management Update
Non Student Lifecycle and Relationships Meeting
March 2, 2010
Penn State Identity and Access Management https://iam.psu.edu/

IAM Non Student Lifecycle and Relationships
• Level Set on IAM
• Penn State IAM
• Use Cases
• Next Steps

Definition of IAM
“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.” - NYS Forum
It’s about aligning University policies and processes with the technologies to support management of identities and access to information.

IAM - The Big Picture

What is IAM?
• Access to Protected Library Resources
• Library Staff Access to Integrated Library System
• Access to Library Public Workstations
• HMC Affiliate Access to Library Resources
• Access to Alumni Library Resources
• Access to Electronic Theses and Dissertations Web Site
• Graduate School Exit Survey
• Federating to blogging hosted Services
• Prospective students applying for financial aid
• Employee Confidentiality
• Provisioning of an employee's digital Identity
• Student early access to residence hall requests and immunization records submissions
• Grouper Auditing Use Case
• Continuing Education and Adult Students
• New Students Applying for Admissions and On-campus Housing
• Prospective Students Visiting Penn State New Kensington
• New Faculty and Access to ANGEL and Other Class Resources
• Adjunct Faculty Activating Access Account
• New Faculty & Staff Selecting Benefits
• Terminated Faculty Member Maintains Access
• Physicians at the Hershey Medical Center and Access to Library Resources
• Patients, Family Members, and Visitors at the Penn State Hershey Medical Center
• Alumni Donors
• Alumni Association
• Local Community Member and Short Term Access Accounts
• Registrar Relationships
• Student Lifecycle
• New Students Applying for Undergraduate Admissions
• Provision of Access to Course Work For Students at a Distance
• Library Resources
• ITS Computer Store Access
• CIC CourseShare
• Deprovision User content after graduation or resignation
• Google Cache Updates
• Access to user content after graduation and or resignation
• Access to directory data
• Emergency Rehire
• Multiple IDs
• Deceased Employee
• Outreach Registration process
• Updating ISIS Security Profile
• Multiple Security Realms, Same Userids but Different Passwords
• ROTC Instructor Affiliation
• Instructor with Independent Contractor Status
• Name change switching in the directory
• Special Affiliates (for example Religious Affiliates)
• Father and son who is a JR
• Cloning ISIS Security Profiles
• New PSUid assigned for new PSU affiliation
• Student Football Tickets
• Department Identity
• DSL Use Case Interview
• Police Services Use Case Interview
• Police Services Use Case Police Log

Penn State IAM
• IAM Stakeholder Committee
• Student Lifecycle Committee
• IAM Governance
• IAM Technical Architect Group
• Non-student Lifecycle Committee
• IAM Hershey Taskforce

IAM Strategic Planning Committee
• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical
• Privacy Office
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services

IAM Strategic Recommendations
1. Create Central IAM Policy and Governance
2. Develop plan for formal Risk Assessment
3. Create a Single Central Person Registry
4. Add Level of Assurance Component to Credentials
5. Promote Single Sign-on, Federated Identity, and control of University digital identity
6. Streamline Vetting, Proofing, and Issuance of Digital Credentials
7. Streamline and Automate Provisioning/Deprovisioning of Services
8. Promote Awareness and Education of IAM

IAM Student Life Cycle Team
• ITS - Consulting & Support Services
• Auxiliary & Business Services
• ITS - Security Operations & Services
• Undergrad Admissions
• Eberly College of Science
• Student Affairs - Health Services
• Dickinson School of Law
• Undergrad Education - Registrar
• ITS - Digital Library Technology
• Undergraduate Education - Student Aid
• ITS - Administrative Service
• Graduate School
• Smeal College of Business
• University Outreach
• Corporate Controller - Bursar

Student Lifecycle Recommendations
• Expand the Lifecycle – Expand the lifecycle for students’ digital identities and accounts that enable access to online services and resources—issuing the identities earlier in the relationship and extending them beyond our current normal practices.
• Expand Use of Student Affiliations and Add Defining Attributes – Expanded affiliations and attributes will help to more finely identify the relationship a student has with the University, such as applicant, student, or former student. Allowing access to services according to the student’s affiliation with the University will help ensure students have access to all the services they need, but only those that apply to their affiliation or combination of affiliations.
• Implement Levels of Assurance with Student Accounts – Levels of Assurance (LoA) will classify the level of certainty the University has that a given digital identity matches a specific individual. The LoA needed to access a given service will vary across services. For example, the assurance of user identity needed for prospective students scheduling campus visits is much lower than for users accessing their transcripts or for faculty reporting grades.
• Implement a Single Authentication Realm – Phasing out the distinction between Friends of Penn State (FPS) accounts and Access Accounts and moving to a single authentication realm will avoid confusion between the two different types of accounts and help eliminate some of the current problems that occur when students are migrated back and forth between realms.
• Streamline Registration Process – The above recommendations, if put into practice, will provide opportunities for streamlining our current registration processes—enabling better customer service, reducing required staff time and resources, and reducing redundant registration activities.
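As an added example (not from the Penn State slides or any Penn State system), the following Python sketches how the affiliation and Levels of Assurance recommendations above combine into a single access decision: a service is granted only when the identity holds at least one qualifying affiliation and its LoA meets the service's minimum. The service names, affiliation labels and the three-step LoA scale are constructed for illustration; the ordering of campus-visit scheduling below transcript access and grade reporting follows the example given in the recommendation.

```python
"""Affiliation- and LoA-based access decisions.

Added illustration, not Penn State code. Service names, affiliation labels
and the LoA scale below are constructed for the example.
"""
from dataclasses import dataclass

# Ordered LoA scale (constructed): a higher index means more certainty that
# the digital identity matches a specific individual.
LOA_SCALE = ("self-asserted", "remote-verified", "in-person-proofed")


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    allowed_affiliations: frozenset  # holding any one of these qualifies
    min_loa: str                     # minimum LoA the service requires


@dataclass(frozen=True)
class DigitalIdentity:
    psu_id: str
    affiliations: frozenset          # a person may hold several at once
    loa: str


# Constructed service catalogue: low assurance for prospects scheduling a
# visit, high assurance for transcripts and grade reporting.
POLICIES = {
    "campus-visit-scheduler": ServicePolicy(
        "campus-visit-scheduler", frozenset({"prospect", "applicant"}), "self-asserted"),
    "course-registration": ServicePolicy(
        "course-registration", frozenset({"student"}), "remote-verified"),
    "transcript-view": ServicePolicy(
        "transcript-view", frozenset({"student", "former-student"}), "in-person-proofed"),
    "grade-reporting": ServicePolicy(
        "grade-reporting", frozenset({"faculty"}), "in-person-proofed"),
}


def loa_rank(loa):
    """Position of an LoA label on the scale; unknown labels are rejected
    rather than silently treated as the lowest level."""
    if loa not in LOA_SCALE:
        raise ValueError(f"unknown LoA {loa!r}")
    return LOA_SCALE.index(loa)


def decide(identity, service):
    """Return (allowed, reason). Affiliation is checked first, then LoA."""
    policy = POLICIES[service]
    if not (identity.affiliations & policy.allowed_affiliations):
        return (False, "no qualifying affiliation")
    if loa_rank(identity.loa) < loa_rank(policy.min_loa):
        return (False, f"LoA {identity.loa} below required {policy.min_loa}")
    return (True, "granted")


def entitled_services(identity):
    """All services this identity may use, given its affiliations and LoA."""
    return sorted(s for s in POLICIES if decide(identity, s)[0])


if __name__ == "__main__":
    # A former student who has applied again: two affiliations, high LoA.
    returning = DigitalIdentity("P-constructed-2",
                                frozenset({"applicant", "former-student"}),
                                "in-person-proofed")
    for svc in POLICIES:
        print(svc, decide(returning, svc))
```

The combination case is the one worth noting: the returning applicant above reaches both the visit scheduler (via the applicant affiliation) and transcript viewing (via former-student), but not course registration, which is reserved for a current student, regardless of how high the LoA is.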
IAM Governance Council
Co-Sponsored by: Rob Pangborn, VP and Dean of Undergrad Admissions, and Kevin Morooney, Vice Provost of Information Technology
• VP for Student Affairs
• Director, University Police Services
• CIO, Hershey Medical Center
• Sr. VP Research & Dean, Grad. School
• Assoc. VP of Auxiliary and Business Services
• Assoc. VP for Human Resources
• Vice President of Outreach
• Assoc. Dean of Tech - Dickinson School of Law
• VP of Commonwealth Campuses
• Dean of University Libraries & Scholarly Communications

IAM Technical Architect Group
• Formed in July 2009
• Charged with furthering Penn State's vision for a comprehensive and cohesive IAM solution.
• Support the University's goal to expand access and opportunities while preserving privacy for the Penn State community.
• Evaluate, prototype and recommend identity and access management solutions that provide the appropriate access to enterprise resources.
• Two primary areas of focus in year one:
  • Single Central Person Registry
  • Access Management

Newly Formed (forming) Committees
• Non Student Relationships and Lifecycle
• IAM Hershey Taskforce

IAM Community Site

IAM Use Cases

Use Case: Deceased Employee
Use Case:
• If an employee is deceased and the spouse has benefits through the deceased employee, the spouse must now maintain the benefits.
• Some records have been changed to now show the spouse's name, as well as provide access to the deceased employee's Penn State Access Account. This then changes all identity linked to the Access Account, but without proper records or signatures.
IAM Opportunity:
• Create a comprehensive IAM policy for managing all University relationships.
• Explore federating identities as a solution for spousal access to benefits.

Use Case: Emergency Rehire
Use Case:
• A person retires from Penn State. If their position has not been filled and there is a need for that person’s skills, the retiree may be requested to work temporarily as an emergency rehire.
• This causes problems because when checking IBIS records (OHR), the employee’s status is retired, yet their AIS account is still active.
• In addition, the emergency rehire may also be prohibited from accessing services necessary to do their job because their affiliation is not faculty/staff, but retiree.
IAM Opportunity:
• Create a comprehensive IAM policy for managing all University relationships.
• Different levels of access may need to be defined for the emergency rehire.

Use Case: Name Switching in the Directory
Use Case:
• When a student comes to Penn State, their biographical data is stored in the Integrated Student Information System (ISIS). That information is fed to the CACTUS system for updating information in the Penn State Directory. Basic information about the student is displayed in the directory, such as their name and contact information.
• Post-graduation, the student may accept a position at Penn State. Their biographical data, along with other information about them, will now reside in the Integrated Business Information System (IBIS). Like ISIS data, IBIS data is also fed to CACTUS for directory updates. If the employee decides to marry and change their name, IBIS will be updated with the new name, which will be propagated to CACTUS and finally the directory.
• A problem arises if the employee decides to take a class. Now information from both ISIS and IBIS will be fed to CACTUS. If the employee did not update ISIS with their new name, it will flip back and forth between their "maiden" name and their new married name. This will continue until the employee changes their name in ISIS.
IAM Opportunity:
• Reduce the number of authoritative sources for names and other key data elements.

• “If we get this right, there isn’t a unit or constituency that doesn’t benefit.
• We have to try to get it right. Continuing on the old trajectories makes us more brittle at a time when we need to be more agile.”
Kevin Morooney
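The name flip-flop in the Name Switching use case can be reproduced and prevented in a few lines. The following Python is an added example, not Penn State or CACTUS code: the system names (ISIS, IBIS, CACTUS) come from the use case, while the feed records, the employee affiliation labels and the precedence rule (the HR feed is authoritative for the name of anyone holding an active employee affiliation; the student feed otherwise) are constructed to illustrate the single-source-of-record idea behind the IAM Opportunity. It also includes a small data-quality check that flags an attribute which reappears after being replaced, which is the signature of competing authoritative sources.

```python
"""Directory update reconciliation for the name flip-flop use case.

Added illustration, not Penn State code. Feed contents, affiliation labels
and the precedence rule are constructed for the example.
"""

# Constructed feed events as (source, attributes): an employee who changed
# their name in IBIS but not in ISIS, then enrolled in a class, so both
# systems push an update to the directory on every feed cycle.
FEEDS = [
    ("ISIS", {"name": "Pat Smith", "affiliation": "student"}),
    ("IBIS", {"name": "Pat Jones", "affiliation": "staff"}),
    ("ISIS", {"name": "Pat Smith", "affiliation": "student"}),
    ("IBIS", {"name": "Pat Jones", "affiliation": "staff"}),
]

EMPLOYEE_AFFILIATIONS = {"faculty", "staff"}  # constructed label set


def apply_last_wins(feeds):
    """Naive directory update: whichever feed arrived last sets the name.
    Returns the final record and the name after each feed."""
    directory = {"name": None, "affiliations": set()}
    history = []
    for _source, attrs in feeds:
        directory["affiliations"].add(attrs["affiliation"])
        directory["name"] = attrs["name"]
        history.append(directory["name"])
    return directory, history


def source_of_record(affiliations):
    """Precedence rule (constructed): one authoritative source per person
    for the name attribute, chosen from the person's current affiliations."""
    return "IBIS" if affiliations & EMPLOYEE_AFFILIATIONS else "ISIS"


def apply_with_precedence(feeds):
    """Directory update that only accepts the name from the source of record.
    Non-authoritative feeds may still contribute affiliations."""
    directory = {"name": None, "affiliations": set()}
    history = []
    for source, attrs in feeds:
        directory["affiliations"].add(attrs["affiliation"])
        if source == source_of_record(directory["affiliations"]):
            directory["name"] = attrs["name"]
        history.append(directory["name"])
    return directory, history


def count_changes(history):
    """Number of times the directory name actually changed."""
    return sum(1 for a, b in zip(history, history[1:]) if a != b)


def name_oscillates(history):
    """Data-quality check: True if a name comes back after being replaced.
    A legitimate change happens once; a return to an earlier value means
    two sources are fighting over the attribute."""
    seen, current = set(), None
    for name in history:
        if name != current:
            if name in seen:
                return True
            seen.add(name)
            current = name
    return False


if __name__ == "__main__":
    for label, fn in (("last-wins", apply_last_wins),
                      ("precedence", apply_with_precedence)):
        record, history = fn(FEEDS)
        print(label, history, "changes:", count_changes(history),
              "oscillates:", name_oscillates(history))
```

With last-wins the history is Smith, Jones, Smith, Jones (three changes, oscillation detected); with the precedence rule it is Smith, Jones, Jones, Jones (one change, the real one). Running `name_oscillates` over a directory change log is a cheap way to find people whose records are still caught between ISIS and IBIS, without waiting for them to notice the flip-flop themselves.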