Richard Spencer eStrategy Town Hall June 15, 2004 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Richard Spencer eStrategy Town Hall June 15, 2004
  • myUBC Identity
    from CWL through the portal and on to identity
    management
2
Goals for Identity Management
  • make it easier for authorized users to access
    on-line information and services
  • reduce the work required to support people,
    departments, committees and other groups
  • make it easy to maintain up-to-date contact
    information in all UBC systems
  • represent organizational structure and support
    workflow for on-line processes
  • improve on-line security
  • protect individual privacy

...make our on-line resources work for you
3
We will see a paradigm shift
from "you must carry your identity details with
you and produce them on request" to "if you
can authenticate yourself as you, your current
identity details can be accessed"
4
Please remember....
  • We are here to think about, plan, and imagine an
    identity management system
  • At this point, we have not finished building CWL
  • It's going to take some time to get there
  • But we can get there.....
  • ....as long as we know where we want to go

5
CWL (Campus-Wide Login) account
  • Your personal information
    • Login name and password
    • Name and email address
  • System information
    • Login key
  • Administrative information
    • Roles, e.g. ca.ubc.person.staff, ca.ubc.dept.itsv
    • Identity keys, e.g. employee number, student
      number, login name for another app
6
UBC Network Identity
7
Creating a network identity
  • In general, we should first create our own CWL
    account. We do this by choosing a CWL login name
    and password.
  • we can choose any CWL login name that is not in
    use
  • we can change our CWL login name and password
  • Our identity will initially be unverified.
  • As we provide more information, or our
    relationship with UBC changes, roles and identity
    keys will be added
  • Our verified network identity can be used to
    access services and information

8
Example from prospect to student
  • Mary Smith goes to a UBC web site, enters
    information, chooses CWL login name justme
  • Mary's information is added to the SIS
  • Mary's CWL account is unverified
  • Mary self-assesses, pays using a credit card,
    her name and address are confirmed
  • Mary now has a verified network identity
  • SIS assigns role: applicant, ID key: s/n
  • Mary is admitted and is eligible to register
  • SIS changes Mary's role to student

9
Adding value for Mary
  • Mary logs in to the portal
  • a link to her new email account appears
  • her email account is already provisioned
  • default email address is justme@ubc.ca
  • easily changed to mary_smith@ubc.ca
  • she can click a link to the CWL website
  • change her CWL login name to msmith4
  • she can click a link to the SIS to register
  • One login, new resources, multiple tasks

10
Example from applicant to employee
  • Fred Wong goes to HR website, answers ad, enters
    information, chooses a CWL login name psw
  • Fred's information is added to the HR repository
  • Fred's role is applicant, his ID is unverified
  • Fred is interviewed, his credentials are checked
  • Fred's role doesn't change, but his ID is
    verified
  • Fred is hired
  • When he starts, HRMS assigns role: staff, ID key:
    employee ID
  • Fred's portal is provisioned for HRMS, FMS,

11
Identity by self-association
  • Many of us have access to resources and
    applications before we create a CWL account
  • We need to add this information to our CWL
    account, to create a network identity
  • Self-association
    • create an unverified CWL account
    • log in to CWL (e.g. by logging in to the portal)
    • ask to log in to the other application
    • if requested, log in to the application with your
      old credentials
    • the application writes these into your CWL
      account, creating a valid network identity
    • now, you can log in to the application using CWL

12
More examples: Access to websites
  • Currently
    • many web sites have weak protection
    • faculty minutes on a website, all faculty members
      have the same password
  • With identity management
    • roles can be used to manage access
    • HRMS knows what Department and Faculty each
      faculty member is appointed to
    • HRMS can assign appropriate roles, e.g.
      ca.ubc.dept.english
    • websites in Arts and English department grant
      access based on this role

13
Assigning responsibilities to people
  • Authority to appoint people to positions is
    delegated to the people who actually do it
    • e.g. Head delegates authority to admin assistant
  • Positions can be assigned using roles
    • ca.ubc.dept.history.gradadvisor
  • Advisor's portal can be provisioned with links to
    information
  • Membership in committees can be automated
  • Email can be directed to the person in the
    position (or forwarded if he/she is too busy..)

14
Other examples? Other opportunities?
15
Groups
  • Groups are needed for many reasons, e.g.
    • a standing committee has membership that changes
      over time
    • a working group is set up for a specific task
    • a number of staff have the same responsibility
      for answering email sent to one address
    • WebCT requires groups to have access to common
      resources

16
Creating and managing groups
  • Two approaches
    • create a group object, and assign members to it.
    • group objects can be created in CWL
    • members of the group can do whatever the roles
      or privileges of the group object allow
    • create a group by giving all members the same
      roles or privileges
    • individuals can be added to or removed from the
      group, without affecting other group members
  • We will need administrative applications that
    make it easy to create and maintain groups

17
Roles
  • Can be
    • generic: ca.ubc.person.student
    • specific to an application: ca.ubc.service.vpn.users
    • specific to an entity: ca.ubc.dept.itsv.support
  • Rules
    • roles must be owned by someone (or a system)
    • roles must have an associated policy and
      conditions
  • Attributes
    • used by applications to determine authority and
      permissions
    • can define location in the organizational
      structure

18
Current issues with roles
  • No easy way to search for existing roles
  • No mechanism for enforcing the application of
    rules and policies
  • Delegation of the right to create roles is not fully
    implemented
  • No role management tools for administrators
    • show me all the roles I am responsible for
    • show me all the people with these roles
  • Currently, roles are added but not removed
    • applications have to be changed to fix this
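A toy model of the role-based website access on slide 12 and the role-maintenance problems on slide 18 (an added example, not code from the presentation or from UBC's CWL). Role names follow the slides' dotted convention (ca.ubc.dept.english); the HRMS appointment feed, the CWL account records and the logins are constructed data.

```python
# Added example: CWL-style roles derived from HRMS appointments, an access
# check that uses a role instead of a shared password, and a reconciliation
# that finds roles which were added but never removed (slide 18).

# Constructed HRMS feed: login -> departments the person is appointed to.
HRMS_APPOINTMENTS = {"msmith4": {"english"}, "psw": {"history", "english"}}

# Constructed CWL accounts with the roles currently stored on them. "jdoe"
# still carries ca.ubc.dept.english although HRMS no longer lists any
# appointment: exactly the "added but not removed" case.
CWL_ROLES = {
    "msmith4": {"ca.ubc.person.staff", "ca.ubc.dept.english"},
    "psw": {"ca.ubc.person.staff", "ca.ubc.dept.history"},
    "jdoe": {"ca.ubc.person.staff", "ca.ubc.dept.english"},
}

DEPT_PREFIX = "ca.ubc.dept."


def dept_role(department):
    """Build the entity-specific role name for a department."""
    return DEPT_PREFIX + department


def expected_roles(login):
    """Department roles HRMS would assign from the current appointments."""
    return {dept_role(d) for d in HRMS_APPOINTMENTS.get(login, set())}


def may_access(login, required_role):
    """Website check: grant access on a role held by the CWL account."""
    return required_role in CWL_ROLES.get(login, set())


def people_with_role(role):
    """'Show me all the people with this role' (the slide-18 admin query)."""
    return sorted(l for l, roles in CWL_ROLES.items() if role in roles)


def reconcile(login):
    """Department roles to add and to remove so the account matches HRMS."""
    current = {r for r in CWL_ROLES.get(login, set()) if r.startswith(DEPT_PREFIX)}
    wanted = expected_roles(login)
    return sorted(wanted - current), sorted(current - wanted)


def stale_role_report():
    """Every login whose stored department roles disagree with HRMS."""
    return {l: reconcile(l) for l in CWL_ROLES if reconcile(l) != ([], [])}
```

Note that `may_access("jdoe", "ca.ubc.dept.english")` still returns True: until the reconciliation result is applied, the stale role keeps granting access, which is why the slide calls for removal as well as addition.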

19
Other issues? Other opportunities?
20
Personal contact information
  • We have physical and logical addresses
    • physical: street address, phone number, email
      address
    • logical: next of kin, mailing, local residence
  • We need a single place to update information
  • We should also update info in other applications
  • Contact information should be available
    • to people
      • in an on-line directory
    • to other applications
      • in the form in which they need it
  • We control who can see what

21
Some other uses - Entities
  • An entity is a
    • position
    • group
    • committee
    • administrative unit (e.g. department)
    • or other entity
  • Entities have
    • owners
    • positions within the organizational structures
    • delegated authority
    • members
  • They have to be managed

22
Workflow
  • Map workflow using
    • roles
    • entities
  • Applications can use their own workflow engines
    • role information and organizational structure is
      common to all workflow
    • individuals can be associated with
      positions/roles without changing workflow
    • authorized administrators can change who is
      associated with a position/role

23
Security and Privacy
  • How many identities?
    • In general, we should each have a single network
      identity, which we use to access all on-line UBC
      systems and services we are authorized to use
    • There will be exceptions. Some people have a
      legitimate need for more than one identity, e.g.
      • applicants to more than one grad program
      • an employee accessing health services
      • someone with special responsibilities that are
        different from their normal job responsibilities
    • Some people won't have network identities..

24
Further discussion? More issues or ideas?