Identity and Access Management Initiative Overview Update - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: Identity and Access Management Initiative Overview Update


1
Identity and Access Management Initiative
Overview / Update
UITC Meeting, March 11, 2009
Mark Scheible, Manager, Identity and Access Management
2
Background (from IAM Charter)
Identity and Access Management (IAM) deals first and foremost
with an individual's personal identifiers and
attributes that distinguish them from all other
university students, employees, affiliates or
guests. That data, and the credentials that are
issued to the individual (username/UnityID and
password) are used to identify or authenticate
the individual. Access to university and
external resources (authorization) is granted to
individuals based upon the entitlements they
receive. These entitlements are issued as a
result of group memberships (e.g. all faculty,
second year engineering students, etc.)
determined by various attribute values the user
has (e.g. affiliation, year and program of study,
etc.). All of this identity data must be
authoritative, secured, and accessible to those
who have the authorization to use it. It is
generally made available for this purpose through
an enterprise directory service.
3
IAM Charter Objectives
  • Create and implement a cohesive Identity and
    Access Management Roadmap
  • Provide leadership in the definition, protection
    and use of identity data for Students, Employees,
    Guests and Affiliates of the University
  • Simplify and enhance the campus authentication
    infrastructure
  • Enable secure, reliable access to campus
    resources and services for the NC State community
    that is easily maintained through the use of
    roles and group membership
  • Implement an Enterprise Directory Service for
    campus to provide a single, secure location for
    commonly accessed authoritative user and resource
    data
  • Enable and support the federation of campus
    identities
  • Reduce overall administrative costs and ensure
    effectiveness and adaptability of IAM services

4
A Few Examples of IAM Challenges or Opportunities
  • Defining Affiliation Types and what Services to
    provide them, and how (e.g. The Student
    Lifecycle, Parents, Friends of the Library,
    Vendors, Summer Session Instructors, campers,
    etc.)
  • Automatically provision user account(s) as a
    result of an HR Action, and De-Provision their
    access when they leave.
  • Provide access to applications, resources, etc.
    automatically, based upon what attributes or
    roles a user has (via group management)
  • Being able to authenticate (login) once, no
    matter what client platform, and access your
    campus resources.
  • Consolidating the directories used on campus,
    and creating a central Enterprise Directory
    Service to provide employee and student identity
    data to users and applications.
  • Providing granular access via Shibboleth to web
    applications located both on campus and in
    external federations.

5
IAM Initiative Team Structure (http://oit.ncsu.edu/iam)
IAM Oversight Committee (Sponsors): Marc Hoit, Chairperson
(Team tasked with reviewing IAM Projects, setting priorities and
recommending funding requests. Recommends to VCIT. Representatives
include HR, EMAS, Extension, UPA, AITD, Internal Audit, Grad School,
Advancement Services, OIS, DELTA, Finance and Business, NCSU
Libraries, OIT)
IAM Service Team: Mark Scheible, Chairperson
(Team which has the responsibility for reviewing the relationships
between all IAM Services and proposing new project strategies to the
Oversight Committee and VCIT. Also responsible for the creation of
project teams, setting expectations and for reviewing progress.
Representatives from various colleges, designated entities and OIT)
IAM Working Groups / Project Teams
  • Enterprise Directory Service WG
  • Active Directory WG
  • Shibboleth-Fed WG
  • Password Mgmt WG
(Primarily technical teams for implementing IAM Projects.
Collaborative efforts. Recommends to the IAM Service Team.
Representatives would be project specific from designated areas)
6
IAM Service Team
IAM Service Team: Mark Scheible, Chairperson
http://oit.ncsu.edu/iam/iam-service-team
Members
  • Mark Scheible (OIT - IAM) (Chair)
  • Billy Beaudoin (College of Engineering)
  • Daniel Henninger (CHASS)
  • James Bossert (CALS)
  • Jeff Webster (DELTA)
  • Danny Davis (OIT - TSS)
  • Neal McCorkle (OIT - SC)
  • Jack Foster (OIT - EAS)
  • Maurice York (NCSU Libraries)
  • John Klein (OIT - ISO)
  • Ralph Castanza (OIT - ISO)
  • Shawn Dunning (College of Textiles)
  • Leslie Dare (Student Affairs)
  • Leo Howell (Internal Audit, ex-officio)
Current Deliverables
  • Development of an IAM Roadmap (review other universities'
    documents)
  • Discuss membership of additional working groups
7
Active Directory Working Group
Active Directory WG: http://oit.ncsu.edu/iam/active-directory-working-group
Members
  • Billy Beaudoin (COE - ITECS), Co-chair
  • Danny Davis (OIT - TSS), Co-chair
  • Mark Scheible (OIT - IAM)
  • Dan Green (COE - ECE)
  • Richard Norris (CNR)
  • John Klein (OIT - ISO)
  • Eric Silberberg (OIT - ISO)
  • Scott Callicutt (PAMS)
  • Brian Fields (CALS)
  • David Ladrie (OIT - TSS)
Current Deliverables
  • Decision on single campus-wide Active Directory
  • Discussion of Governance models
  • Discuss membership of sub-teams for migration, default OU
    settings, customer experience
  • Work on MOU (Memorandum of Understanding) for member OUs
    (Organizational Units)
8
Shibboleth-Federation Working Group
Shibboleth-Fed WG: http://oit.ncsu.edu/iam/shibboleth-federation-working-group
Members
  • Mark Scheible (OIT-IAM), Interim Chair
  • Jeff Webster (DELTA)
  • Charles Brabec (OIT-ISO)
  • Josh Thompson (OIT-Advanced Computing)
  • Billy Beaudoin (COE-ITECS)
  • Tim Mori (NCSU Libraries)
  • Libby Habeck (OIT-IAM)
  • Leo Howell (Internal Audit, ex-officio)
Current Deliverables
  • Figure out details around NCTrust Federation
  • Work with VCL and NCLive to get their SPs up
  • Look at Attribute Release Policy editor tool
  • Review other Internet2 Middleware tools for IAM
  • Discuss creation of NC State Federation (or use UNC Identity
    Federation) for campus Shibboleth implementations
9
Future Working Groups / Project Teams
  • Enterprise Directory Service
  • Password Management
  • University Affiliation and Services Team
  • Guest/Affiliate Accounts and Services

10
Questions?