Title: Identity and Access Management Overview
Identity and Access Management Overview
December 2008, Rod Gustavson
What is Identity and Access Management
Definition
The definitive source and processes for determining and maintaining electronic access control in principle for members of the Yale community, including faculty, staff, students, alumni, associates, applicants and matriculates, and those affiliated with Yale now or in the future. This is based on attributes derived from canonical source business data. The project also creates the framework for future access control needs, including provisioning and auditing.
What is Identity and Access Management
Features
- Features of IDM
  - Consolidates information from multiple sources
  - Synchronizes data between sources, keeping all systems up-to-date
  - Maintains detailed audit trails
  - Provides request-based provisioning, with approvals where necessary (replacing START)
  - Understands roles and hierarchies, including approval hierarchies
  - Provides automatic, role-based provisioning, with approvals where necessary
  - Removes/updates access as roles and other attributes change
  - Consolidated source for tracking what access a person has
What is Identity and Access Management: Legacy State
[Diagram: Where We Were]
- Identity Challenges
  - Authoritative identity sources fed one another
  - Data became stale or orphaned
  - We made up roles (student and employee)
  - Only select Alumni have NETIDs
- Provisioning Challenges
  - Up to 72 hours to get a NETID into HR
  - Up to 48 hours for updates to the Directory
  - Auditing access was not uniformly performed
  - The administrator console to reset NETID passwords, maintain user accounts, and bill for IT services is a Yale custom tool, challenging to maintain
  - ITS merge with ITS-Med created dual systems for tracking and maintaining access
  - Self-service to request access to services (backup, Oracle, etc.) uses manually maintained approvals and authorizations
Phase 1 - Identity and Access Management: Current State (Complete)
[Diagram: Where We Are]
- Identity Principles
  - Authoritative identity sources are reconciled in one location
  - The authoritative source owns and updates the data; other sources can subscribe to the data
  - Only data necessary for provisioning decisions or synchronizing with other systems is carried by IDM
[Diagram labels: Student Data, HR Data]
- Phase 1 Goals
  - Creating the Identity Infrastructure
    - Document the use cases for canonical sources for identities: Human Resources, Student Information Systems and Alumni
    - Install and create the infrastructure
    - Create the connectors
    - Design and code complex identity reconciliation (fuzzy matching)
    - Audit trail
  - Synchronize Identity Sources
    - Human Resources
    - Student Information Systems
    - HR records created for Students by IDM
  - Begin Global Provisioning
    - Yale UPI
    - NETID (within 2 hours)
    - LDAP Directory (with more robust privacy rules and more timely updates)
[Diagram labels: IDM, Generate UPI, LDAP Directory, Create Net ID, Net ID System]
Phase 2 - Identity and Access Management - Planned
[Diagram: Where We're Headed]
- Create the Roles Infrastructure
  - Create the hierarchies for financial, organizational, academic and grants
  - Create the roles within each hierarchy
  - Build access profiles for the roles
  - Install roles management within IDM (many-to-one relationship)
- Synchronize Identity Sources
  - Alumni and Donors
  - Hierarchies
- Expand Service Provisioning
  - Replace legacy NetAdmin console with an interface to IDM for provisioning and account status
  - Replace legacy Remedy service tracking and billing with IDM
  - Provision core IT services such as IMAP, Exchange mail, Active Directory attributes/groups, and central backup through HP Service Desk
  - Provision systems such as SciQuest, Expense Management, ID Cards and others
  - Automatically deprovision systems and services when a person leaves Yale
  - Create automated provisioning based on roles
  - Create self-service request for services with approvals based on respective hierarchy
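As an added illustration (not code from the Yale project or from Oracle) of the Phase 1 goal of fuzzy identity reconciliation and the Phase 2 goal of role-based provisioning and automatic deprovisioning, the following Python sketch merges HR and Student Information System records into UPI-keyed identities, derives roles from source attributes, and provisions or removes services with an audit line per change. The feed records, the 0.8 name-similarity threshold, the role-to-service mapping and the UPI format are all constructed assumptions.

```python
import difflib

# Constructed sample feeds from two authoritative sources (ids, names and dates are invented).
HR_FEED = [{"src": "HR", "id": "H1", "name": "Jane Q. Doe", "dob": "1980-01-02", "status": "active"}]
SIS_FEED = [{"src": "SIS", "id": "S7", "name": "Jane Doe", "dob": "1980-01-02", "status": "enrolled"},
            {"src": "SIS", "id": "S8", "name": "Jan Doe", "dob": "1991-05-06", "status": "enrolled"}]
# Hypothetical access profile per role; the deck names these services but not the mapping.
ACCESS_PROFILES = {"employee": {"netid", "ldap", "exchange"}, "student": {"netid", "ldap", "imap"}}

def reconcile(records, threshold=0.8):
    """Same date of birth plus a similar-enough name is one person: one UPI, all source records kept."""
    identities = []
    for rec in records:
        for ident in identities:
            score = difflib.SequenceMatcher(None, ident["name"].lower(), rec["name"].lower()).ratio()
            if ident["dob"] == rec["dob"] and score >= threshold:
                ident["sources"][rec["src"]] = rec
                break
        else:  # no match: new person (a real system persists the UPI instead of recomputing it)
            identities.append({"upi": f"UPI{len(identities) + 1:04d}", "name": rec["name"],
                               "dob": rec["dob"], "sources": {rec["src"]: rec}})
    return identities

def roles_for(ident):
    """Roles derive from canonical source attributes, not from hand-maintained lists."""
    roles = set()
    if ident["sources"].get("HR", {}).get("status") == "active":
        roles.add("employee")
    if ident["sources"].get("SIS", {}).get("status") == "enrolled":
        roles.add("student")
    return roles

def sync_access(ident, current, audit):
    """Provision what the roles require, remove what they no longer justify, log each change."""
    desired = set().union(*(ACCESS_PROFILES[r] for r in roles_for(ident)))
    for svc in sorted(desired - current):
        audit.append(f"{ident['upi']} PROVISION {svc}")
    for svc in sorted(current - desired):
        audit.append(f"{ident['upi']} DEPROVISION {svc}")
    return desired

def run_scenario():
    """Day 1: Jane is employee and student. Day 2: HR terminates her; only student access remains."""
    audit, access = [], {}
    hr_day2 = [dict(r, status="terminated") for r in HR_FEED]  # the change happens at the source only
    for hr_feed in (HR_FEED, hr_day2):
        for ident in reconcile(hr_feed + SIS_FEED):
            access[ident["upi"]] = sync_access(ident, access.get(ident["upi"], set()), audit)
    return access, audit
```

The second pass shows the "removes access as attributes change" feature: the HR status change alone causes the employee-only Exchange entitlement to be deprovisioned while the student entitlements survive, with both events in the audit trail.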
[Diagram labels: Students, HR, Alumni Donors, Hierarchy Data, Admin Console (HP Svc Desk), Role Manager, IDM, Generate UPI, LDAP Directory, Create Net ID, More IT Services, AD and AD Groups, Net ID System, People File NG]
Assumptions and Risks
Phase 2 - Identity and Access Management
- Assumptions, Constraints and Risks
- Assumptions
  - Oracle Roles Manager will be the product of choice to integrate with Oracle HREB and OIM
  - Self-service provisioning awaiting approvals, and the status of requests, can be interfaced with uPortal via PBII (or HP Service Catalog)
  - Strong functional teams are available to develop models for the grants, academic, org and financial approval hierarchies
  - All of Yale's services and requests can be approved/rejected using one or more of these 4 approval flows
- Constraints
  - Automatic provisioning depends on clear role definitions and services associated with those roles
  - Resource constraints of functional staff or subject matter experts for roles engineering and creation
  - Dependencies between existing systems require careful planning and coordination so as to avoid disruption of service
- Risks
  - Our self-service provisioning model currently uses manually maintained approval tables. If we are unable to create automatically maintained approval hierarchies, we will have to recreate a means to maintain them manually (increasing the scope and long-term cost of ownership, while increasing the risk of process gaps such as lack of an approver in a specific area)
  - High risk in maintaining shadow systems such as Remedy and NetAdmin, both highly customized with high maintenance cost (too risky to stop provisioning work)
  - Oracle products do not always deliver the documented functionality (and therefore time and budget contingencies should be considered)