Identity and Access Management Overview - PowerPoint PPT Presentation

Slides: 8
Provided by: hania

Transcript and Presenter's Notes

Slide 1
Identity and Access Management Overview
December 2008
Rod Gustavson
Slide 2
What is Identity and Access Management
Definition
The definitive source and processes for determining and maintaining electronic access control in principle for members of the Yale community, including faculty, staff, students, alumni, associates, applicants and matriculates, and those affiliated with Yale now or in the future. This is based on attributes derived from canonical source business data. The project also creates the framework for future access control needs, including provisioning and auditing.
Slide 3
What is Identity and Access Management
Features of IDM
  • Consolidates information from multiple sources
  • Synchronizes data between sources, keeping all systems up-to-date
  • Maintains detailed audit trails
  • Provides request-based provisioning, with approvals where necessary (replacing START)
  • Understands roles and hierarchies, including approval hierarchies
  • Provides automatic, role-based provisioning, with approvals where necessary
  • Removes/updates access as roles and other attributes change
  • Consolidated source for tracking what access a person has
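As an added illustration of the feature list above (example code written for this page, not code from the original presentation or from Yale's IDM), the following Python models role-based provisioning end to end: roles are derived from canonical-source attributes, roles map many-to-one onto access profiles, each reconciliation pass grants and revokes services as attributes change, every change lands in an audit trail, and a consolidated view answers who currently holds a service. Role names, services and the person's attributes are constructed for the example.

```python
"""Role-based provisioning with an audit trail (added example, not Yale's IDM code).

Attributes from canonical sources drive roles; roles map onto access
profiles (several roles may grant the same service, many-to-one); each
reconciliation pass grants, keeps or revokes services and records every
change in an audit trail. Roles, services and people are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical access profiles: role -> services granted by that role.
ACCESS_PROFILES: dict[str, set[str]] = {
    "employee": {"netid", "email", "directory"},
    "student": {"netid", "email", "library"},
    "it_staff": {"netid", "email", "directory", "backup_console"},
    "alumni": {"netid", "email_forwarding"},
}


def derive_roles(person: dict) -> set[str]:
    """Derive roles from canonical-source attributes (hypothetical rules)."""
    roles: set[str] = set()
    if person.get("hr_status") == "active":
        roles.add("employee")
        if person.get("department") == "ITS":
            roles.add("it_staff")
    if person.get("enrolled"):
        roles.add("student")
    if person.get("alumni"):
        roles.add("alumni")
    return roles


def entitlements_for(roles: set[str]) -> set[str]:
    """Union of the access profiles of all active roles (many-to-one)."""
    services: set[str] = set()
    for role in roles:
        services |= ACCESS_PROFILES.get(role, set())
    return services


@dataclass
class IDM:
    current: dict[str, set[str]] = field(default_factory=dict)  # upi -> services held
    audit: list[dict] = field(default_factory=list)

    def reconcile(self, upi: str, person: dict) -> dict:
        """Bring a person's services in line with their roles; log each change."""
        roles = derive_roles(person)
        desired = entitlements_for(roles)
        held = self.current.get(upi, set())
        granted, revoked = desired - held, held - desired
        for action, services in (("grant", granted), ("revoke", revoked)):
            for svc in sorted(services):
                self.audit.append({"upi": upi, "action": action,
                                   "service": svc, "roles": sorted(roles)})
        self.current[upi] = desired
        return {"roles": roles, "granted": granted, "revoked": revoked}

    def who_has(self, service: str) -> set[str]:
        """Consolidated view: every UPI currently holding a service."""
        return {upi for upi, svcs in self.current.items() if service in svcs}


def demo() -> tuple[IDM, dict, dict, dict]:
    """Walk one constructed person through hire, transfer and departure."""
    idm = IDM()
    person = {"hr_status": "active", "department": "ITS"}   # constructed ITS employee
    hired = idm.reconcile("UPI-0001", person)
    person["department"] = "Library"                          # transfer: it_staff role lost
    moved = idm.reconcile("UPI-0001", person)
    person = {"hr_status": "terminated", "alumni": True}      # leaves Yale, becomes alumni
    left = idm.reconcile("UPI-0001", person)
    return idm, hired, moved, left


if __name__ == "__main__":
    idm, *_ = demo()
    for entry in idm.audit:
        print(entry)
```

The transfer step shows the many-to-one point: `backup_console` is revoked because the only role granting it is gone, while `netid`, `email` and `directory` survive because `employee` still grants them. The departure step shows deprovisioning driven purely by attribute change, with the audit trail recording what was removed and which roles were active at the time.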

Slide 4
What is Identity and Access Management: Legacy State
Where We Were diagram
  • Identity Challenges
      • Authoritative identity sources fed one another
      • Data became stale or orphaned
      • We made up roles: student and employee
      • Only select alumni have NETIDs
  • Provisioning Challenges
      • Up to 72 hours to get a NETID into HR
      • Up to 48 hours for updates to the Directory
      • Auditing access was not uniformly performed
      • The administrator console to reset NETID passwords, maintain user accounts, and bill for IT services is a Yale custom tool, challenging to maintain
      • ITS merge with ITS-Med created dual systems for tracking and maintaining access
      • Self-service to request access to services (backup, Oracle, etc.) uses manually maintained approvals and authorizations

Slide 5
Phase 1 - Identity and Access Management: Current State (Complete)
Where We Are diagram (labels only): Student Data, HR Data, IDM, Generate UPI, LDAP Directory, Create Net ID, Net ID System
  • Identity Principles
      • Authoritative identity sources are reconciled in one location
      • The authoritative source owns and updates the data; other sources can subscribe to the data
      • Only data necessary for provisioning decisions or synchronizing with other systems is carried by IDM
  • Phase 1 Goals
      • Creating the Identity Infrastructure
          • Document the use cases for canonical sources for identities: Human Resources, Student Information Systems and Alumni
          • Install and create the infrastructure
          • Create the connectors
          • Design and code complex identity reconciliation (fuzzy matching)
          • Audit trail
      • Synchronize Identity Sources
          • Human Resources
          • Student Information Systems
          • HR records created for Students by IDM
      • Begin Global Provisioning
          • Yale UPI
          • NETID (within 2 hours)
          • LDAP Directory (with more robust privacy rules and more timely updates)
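The three identity principles and the "complex identity reconciliation (fuzzy matching)" goal on this slide can be shown concretely. The Python below is an added example written for this page, not the presentation's or Yale's code: HR and Student Information System records are reconciled into one identity keyed by a UPI, matching first on a shared identifier and then on normalized name plus date of birth; each attribute has an owning source that alone may update it; and only the attributes needed for provisioning are carried. The records, field names (`national_id`, `employee_status`, `enrolled`, ...) and the similarity threshold are all constructed for the example.

```python
"""Identity reconciliation across canonical sources (added example, not Yale's IDM code).

Consolidates HR and Student Information System (SIS) records into one
identity keyed by a UPI: exact match on a shared identifier first, then
fuzzy match on normalized name plus date of birth. Each attribute has an
owning source that alone may update it, and only attributes needed for
provisioning are carried. Records, field names and threshold are constructed.
"""
from __future__ import annotations
from difflib import SequenceMatcher
import unicodedata

# Hypothetical ownership: the authoritative source for each attribute.
OWNERSHIP = {
    "hr": {"employee_status", "department"},
    "sis": {"enrolled", "class_year"},
}
# Shared identity attributes any source may supply (first writer wins).
SHARED = {"given_name", "family_name", "dob"}
CARRIED = SHARED | OWNERSHIP["hr"] | OWNERSHIP["sis"]
FUZZY_THRESHOLD = 0.85   # constructed; tune against real match/non-match samples


def normalize_name(name: str) -> str:
    """Strip accents, case and hyphens so 'Álvarez-Smith' compares as 'alvarez smith'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().replace("-", " ").split())


def match(a: dict, b: dict) -> tuple[bool, str]:
    """Exact match on national_id when both carry it; otherwise fuzzy name + exact DOB."""
    if a.get("national_id") and a.get("national_id") == b.get("national_id"):
        return True, "exact:national_id"
    if a.get("dob") != b.get("dob"):
        return False, "dob-mismatch"
    full_a = normalize_name(f"{a['given_name']} {a['family_name']}")
    full_b = normalize_name(f"{b['given_name']} {b['family_name']}")
    score = SequenceMatcher(None, full_a, full_b).ratio()
    return score >= FUZZY_THRESHOLD, f"fuzzy:{score:.2f}"


class IdentityStore:
    def __init__(self) -> None:
        self.identities: dict[str, dict] = {}  # upi -> {"attributes", "sources", "audit"}
        self._next = 1

    def _find(self, record: dict) -> tuple[str, str] | None:
        """Return (upi, reason) of the first identity whose source records match."""
        for upi, ident in self.identities.items():
            for existing in ident["sources"].values():
                matched, reason = match(existing, record)
                if matched:
                    return upi, reason
        return None

    def ingest(self, source: str, record: dict) -> str:
        """Attach a source record to an existing identity or create a new one."""
        found = self._find(record)
        if found is None:
            upi, reason = f"UPI-{self._next:06d}", "new-identity"
            self._next += 1
            self.identities[upi] = {"attributes": {}, "sources": {}, "audit": []}
        else:
            upi, reason = found
        self._merge(upi, source, record, reason)
        return upi

    def _merge(self, upi: str, source: str, record: dict, reason: str) -> None:
        ident = self.identities[upi]
        ident["sources"][source] = record
        attrs = ident["attributes"]
        for key, value in record.items():
            if key not in CARRIED:
                continue                      # e.g. salary: stays in the source system
            if key in SHARED:
                attrs.setdefault(key, value)  # first source to supply it wins
            elif key in OWNERSHIP.get(source, set()):
                attrs[key] = value            # owning source updates its own data
            # otherwise: another source's attribute, this source is not authoritative
        ident["audit"].append({"source": source, "reason": reason})


def demo() -> tuple[IdentityStore, str, str, str]:
    """Constructed records: one person seen by HR and SIS, plus a same-name stranger."""
    store = IdentityStore()
    hr_record = {"national_id": "000-00-0001", "given_name": "José",
                 "family_name": "Álvarez-Smith", "dob": "1985-03-02",
                 "employee_status": "active", "department": "ITS",
                 "salary": 1}                    # never carried into IDM
    sis_record = {"given_name": "Jose", "family_name": "Alvarez Smith",
                  "dob": "1985-03-02", "enrolled": True, "class_year": 2010,
                  "employee_status": "inactive"}  # SIS not authoritative for this; ignored
    other_record = {"given_name": "Jose", "family_name": "Alvarez Smith",
                    "dob": "1990-07-14", "enrolled": True}   # same name, different DOB
    u1 = store.ingest("hr", hr_record)
    u2 = store.ingest("sis", sis_record)
    u3 = store.ingest("sis", other_record)
    return store, u1, u2, u3
```

Two design points matter for the failure modes the legacy slide lists. Ownership stops sources from feeding one another in circles: the SIS record's `employee_status` is dropped rather than overwriting HR's value, and HR cannot overwrite `enrolled`. The carried-attribute allow-list keeps data that no provisioning decision needs (here `salary`) out of IDM entirely. Fuzzy matching is gated on an exact date-of-birth match so that two people with the same name are not collapsed into one identity.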
Slide 6
Phase 2 - Identity and Access Management - Planned
Where We're Headed diagram (labels only): Students, HR, Alumni Donors, Hierarchy Data, Admin Console (HP Svc Desk), Role Manager, IDM, Generate UPI, LDAP Directory, Create Net ID, More IT Services, AD and AD Groups, Net ID System, People File NG
  • Create the Roles Infrastructure
      • Create the hierarchies for financial, organizational, academic and grants
      • Create the roles within each hierarchy
      • Build access profiles for the roles
      • Install roles management within IDM (many-to-one relationship)
  • Synchronize Identity Sources
      • Alumni and Donors
      • Hierarchies
  • Expand Service Provisioning
      • Replace legacy NetAdmin console with an interface to IDM for provisioning and account status
      • Replace legacy Remedy service tracking and billing with IDM
      • Provision core IT services such as IMAP, Exchange mail, Active Directory attributes/groups, and central backup through HP Service Desk
      • Provision systems such as SciQuest, Expense Management, ID Cards and others
      • Automatically deprovision systems and services when a person leaves Yale
      • Create automated provisioning based on roles
      • Create self-service requests for services with approvals based on the respective hierarchy
Slide 7
Assumptions and Risks
Phase 2 - Identity and Access Management
Assumptions, Constraints and Risks
  • Assumptions
      • Oracle Roles Manager will be the product of choice to integrate with Oracle HREB and OIM
      • Self-service provisioning awaiting approvals, and the status of requests, can be interfaced with uPortal via PBII (or HP Service Catalog)
      • Strong functional teams available to develop models for grants, academic, org and financial approval hierarchy
      • All of Yale's services and requests can be approved/rejected using one or more of these 4 approval flows
  • Constraints
      • Automatic provisioning depends on clear role definitions and services associated with those roles
      • Resource constraints of functional staff or subject matter experts for roles engineering and creation
      • Dependencies between existing systems require careful planning and coordination so as to avoid disruption of service
  • Risks
      • Our self-service provisioning model currently uses manually maintained approval tables; if we are unable to create automatically maintained approval hierarchies, we will have to recreate a means to manually maintain them (increasing the scope and long-term cost of ownership, while increasing the risk of process gaps such as lack of an approver in a specific area)
      • High risk in maintaining shadow systems such as Remedy and NetAdmin, both highly customized with high maintenance cost (too risky to stop provisioning work)
      • Oracle products do not always deliver the documented functionality (and therefore time and budget contingencies should be considered)
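Slide 6 plans self-service requests approved through the respective hierarchy, and the first risk above is a process gap: an area with no approver. The Python below is an added example written for this page (not the presentation's or Yale's code) that shows both: each hierarchy is a tree in which some nodes name an approver, a request walks from the requester's unit upward to the nearest approver, and `find_gaps()` lists every node from which no approver is reachable, so the gap can be found before a request stalls. It also adds a check the slides do not mention, skipping an approver who is the requester, as a separation-of-duties measure. Unit names, approver NetIDs and the service-to-hierarchy mapping are constructed.

```python
"""Approval routing over hierarchies, with gap detection (added example, not Yale's IDM code).

Each hierarchy (organizational, financial, academic, grants) is a tree in
which some nodes name an approver. A self-service request is routed to the
nearest node, from the requester's unit upward, whose approver is not the
requester (separation-of-duties check added here). find_gaps() lists nodes
with no reachable approver. Units, approvers and mappings are constructed.
"""
from __future__ import annotations


class Hierarchy:
    def __init__(self, name: str, parents: dict[str, str | None],
                 approvers: dict[str, str]) -> None:
        self.name = name
        self.parents = parents      # node -> parent node (root maps to None)
        self.approvers = approvers  # node -> approver NetID, only where one is assigned

    def ancestors(self, node: str):
        """Yield node, its parent, ... up to the root; refuse cyclic data."""
        seen: set[str] = set()
        while node is not None:
            if node in seen:
                raise ValueError(f"cycle in {self.name} hierarchy at {node!r}")
            seen.add(node)
            yield node
            node = self.parents.get(node)

    def route(self, node: str, requester: str | None = None) -> tuple[str | None, str | None]:
        """Return (approver, node that supplied it), or (None, None) if none is reachable."""
        if node not in self.parents:
            raise KeyError(f"{node!r} is not in the {self.name} hierarchy")
        for n in self.ancestors(node):
            approver = self.approvers.get(n)
            if approver is not None and approver != requester:
                return approver, n
        return None, None

    def find_gaps(self) -> list[str]:
        """Nodes from which no approver can be reached: the process gap to fix."""
        return sorted(n for n in self.parents if self.route(n) == (None, None))


# Hypothetical: which hierarchy's approvers decide requests for which service.
SERVICE_HIERARCHY = {"backup": "organizational", "oracle": "financial"}


def route_request(hierarchies: dict[str, Hierarchy], person: dict, service: str) -> dict:
    """Route one self-service request; a missing approver is reported, never silently dropped."""
    hname = SERVICE_HIERARCHY[service]
    unit = person["units"][hname]
    approver, node = hierarchies[hname].route(unit, requester=person["netid"])
    return {"service": service, "hierarchy": hname, "unit": unit,
            "approver": approver, "approver_node": node,
            "status": "pending-approval" if approver else "no-approver-gap"}


def build_demo_hierarchies() -> dict[str, Hierarchy]:
    """Constructed sample data; the organizational root deliberately lacks an approver."""
    org = Hierarchy(
        "organizational",
        parents={"Yale": None, "ITS": "Yale", "ITS-Infra": "ITS", "ITS-Med": "ITS",
                 "Library": "Yale", "Library-Archives": "Library"},
        approvers={"ITS": "cio01", "ITS-Infra": "mgr01"})
    fin = Hierarchy(
        "financial",
        parents={"ROOT": None, "COA-1000": "ROOT", "COA-1010": "COA-1000"},
        approvers={"ROOT": "controller01", "COA-1000": "ba01"})
    return {"organizational": org, "financial": fin}


if __name__ == "__main__":
    hierarchies = build_demo_hierarchies()
    for name, h in hierarchies.items():
        print(name, "gaps:", h.find_gaps())
    print(route_request(hierarchies,
                        {"netid": "jd123", "units": {"organizational": "ITS-Infra",
                                                     "financial": "COA-1010"}},
                        "backup"))
```

Running `find_gaps()` over each hierarchy as part of loading hierarchy data turns the risk into a detectable condition: in the sample data the Library branch and the root have no approver, so a backup request from Library-Archives comes back as `no-approver-gap` instead of waiting indefinitely in a queue nobody owns.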