Penn State Identity and Access Management - https://iam.psu.edu/ Identity & Access Management Update Non Student Lifecycle and Relationships Meeting March 2, 2010

Page 1:

Penn State Identity and Access Management - https://iam.psu.edu/

Identity & Access Management Update

Non Student Lifecycle and Relationships Meeting

March 2, 2010

Page 2:

IAM Non Student Lifecycle and Relationships

• Level Set on IAM

• Penn State IAM

• Use Cases

• Next Steps

Page 3:

Definition of IAM

“An administrative process coupled with a technological solution which validates the identity of individuals and allows owners of data, applications, and systems to either maintain centrally or distribute responsibility for granting access to their respective resources to anyone participating within the IAM framework.” - NYS Forum

It’s about aligning University policies and processes with the technologies to support management of identities and access to information.

Page 4:

IAM - The Big Picture

Page 5:

What is IAM?

• Access to Protected Library Resources
• Library Staff Access to Integrated Library System
• Access to Library Public Workstations
• HMC Affiliate
• Access to Library Resources
• Access to Alumni Library Resources
• Access to Electronic Theses and Dissertations Web Site
• Graduate School Exit Survey
• Federating to blogging hosted Services
• Prospective students applying for financial aid
• Employee Confidentiality
• Provisioning of an employee's digital Identity
• Student early access to residence hall requests and immunization records submissions
• Grouper Auditing Use Case
• Continuing Education and Adult Students
• New Students Applying for Admissions and On-campus Housing
• Prospective Students Visiting Penn State New Kensington
• New Faculty and Access to ANGEL and Other Class Resources
• Adjunct Faculty Activating Access Account
• New Faculty & Staff Selecting Benefits
• Terminated Faculty Member Maintains Access
• Physicians at the Hershey Medical Center and Access to Library Resources
• Patients, Family Members, and Visitors at the Penn State Hershey Medical Center
• Alumni Donors
• Alumni Association
• Local Community Member and Short Term Access Accounts
• Registrar Relationships
• Student Lifecycle
• New Students Applying for Undergraduate Admissions
• Provision of Access to Course Work For Students at a Distance
• Library Resources
• ITS Computer Store Access
• CIC CourseShare
• Deprovision User content after graduation or resignation
• Google Cache Updates
• Access to user content after graduation and/or resignation
• Access to directory data
• Emergency Rehire
• Multiple IDs
• Deceased Employee
• Outreach Registration process
• Updating ISIS Security Profile
• Multiple Security Realms, Same Userids but Different Passwords
• ROTC Instructor Affiliation
• Instructor with Independent Contractor Status
• Name change switching in the directory
• Special Affiliates (for example Religious Affiliates)
• Father and son who is a JR
• Cloning ISIS Security Profiles
• New PSUid assigned for new PSU affiliation
• Student Football Tickets
• Department Identity
• DSL Use Case Interview
• Police Services Use Case Interview
• Police Services Use Case
• Police Log

Page 6:

Penn State IAM

•IAM Stakeholder Committee

•Student Lifecycle Committee

•IAM Governance

•IAM Technical Architect Group

•Non-student Lifecycle Committee

•IAM Hershey Taskforce

Page 7:

IAM Strategic Planning Committee

• Auxiliary and Business Services
• College of Agricultural Sciences
• Commonwealth Campuses
• Development and Alumni Relations
• Information Technology Services
• Intercollegiate Athletics
• International Programs
• Office of Human Resources
• Office of Sponsored Programs
• Office of Student Aid
• Office of the Corporate Controller
• Office of the Physical Plant
• Office of the University Bursar
• Office of the University Registrar
• Outreach and Cooperative Extension
• Penn State Great Valley
• Penn State Milton S. Hershey Medical
• Privacy Office
• The Graduate School
• Undergraduate Admissions Office
• Undergraduate Education
• University Libraries
• University Police Services

Page 8:

IAM Strategic Recommendations

1. Create Central IAM Policy and Governance

2. Develop plan for formal Risk Assessment

3. Create a Single Central Person Registry

4. Add Level of Assurance Component to Credentials

5. Promote Single Sign-on, Federated Identity, and control of University digital identity

6. Streamline Vetting, Proofing, and Issuance of Digital Credentials

7. Streamline and Automate Provisioning/De-provisioning of Services

8. Promote Awareness and Education of IAM

Page 9:

IAM Student Life Cycle Team

• ITS - Consulting & Support Services

• Auxiliary & Business Services

• ITS - Security Operations & Services

• Undergrad Admissions

• Eberly College of Science

• Student Affairs - Health Services

• Dickinson School of Law

• Undergrad Education - Registrar

• ITS - Digital Library Technology

• Undergraduate Education - Student Aid

• ITS - Administrative Service

• Graduate School

• Smeal College of Business

• University Outreach

• Corporate Controller - Bursar

Page 11:

Student Lifecycle Recommendations

• Expand the lifecycle for students’ digital identities and accounts that enable access to online services and resources—issuing the identities earlier on in the relationship and extending them beyond what are our current normal practices.

Page 12:

Student Lifecycle Recommendations

• Expand Use of Student Affiliations and Add Defining Attributes - Expanded affiliations and attributes will help to more finely identify the relationship a student has with the University, such as applicant, student, or former student. Allowing access to services according to the student’s affiliation to the University will help ensure students have access to all the services they need, but only those that apply to their affiliation or combination of affiliations.

• Implement Levels of Assurance with Student Accounts - Levels of Assurance (LoA) will classify the level of certainty the University has that a given digital identity matches a specific individual. The LoA needed to access a given service will vary across services. For example, the assurance of user identity needed for prospective students scheduling campus visits is much lower than for users accessing their transcripts or for faculty reporting grades.

Page 13:

Student Lifecycle Recommendations

• Implement a Single Authentication Realm – Phasing out the distinction between Friends of Penn State accounts (FPS) and Access Accounts and moving to a single authentication realm will avoid confusion between the two different types of accounts and help eliminate some of our current problems that occur when students are migrated back and forth between realms.

• Streamline Registration Process – The above recommendations, if put into practice, will provide opportunities for streamlining our current registration processes—enabling better customer service, reducing required staff time and resources, and reducing redundant registration activities.

Page 14:

IAM Governance Council

Co-sponsored by:

Rob Pangborn, VP and Dean of Undergrad Admissions

Kevin Morooney, Vice Provost of Information Technology

• VP for Student Affairs, Director
• University Police Services
• CIO Hershey Medical Center
• Sr., VP Research & Dean Grad. School
• Assoc. VP of Auxiliary and Business Services
• Assoc. VP for Human Resources
• Vice President of Outreach
• Assoc. Dean of Tech - Dickinson School of Law
• VP of Commonwealth Campuses
• Dean of University Libraries & Scholarly Communications

Page 15:

IAM Technical Architect Group

• Formed in July 2009

• Charged with furthering Penn State's vision for a comprehensive and cohesive IAM solution.

• Support the University's goal to expand access and opportunities while preserving privacy for the Penn State community.

• Evaluate, prototype and recommend identity and access management solutions that provide the appropriate access to enterprise resources.

Page 16:

IAM Technical Architect Group

•Two primary areas of focus in year one

•Single Central Person Registry

•Access Management

Page 17:

Newly Formed (forming) Committees

•Non Student Relationships and Lifecycle

•IAM Hershey Taskforce

Page 18:

IAM Community Site

Page 19:

IAM Use Cases

Page 20:

Use Case: Deceased Employee

• Use Case:

• If an employee is deceased and the spouse has benefits through the deceased employee, the spouse must now maintain the benefits.

• Some records have been changed to now show the spouse's name, as well as provide access to the deceased employee's Penn State Access Account. This then changes all identity linked to the Access Account but without proper records or signatures.

• IAM Opportunity:

• Create a comprehensive IAM policy for managing all University relationships.

• Exploring federating identities as a solution for spousal access to benefits.

Page 21:

Use Case: Emergency Rehire

• Use Case:

• A person retires from Penn State. If their position has not been filled and there is a need for that person’s skills, the retiree may be requested to work temporarily as an emergency rehire. This causes problems because when checking IBIS records (OHR), the employee’s status is retired yet their AIS account is still active. In addition, the emergency rehire may also be prohibited from accessing services necessary to do their job because their affiliation is not faculty/staff, but retiree.

• IAM Opportunity:

• Create a comprehensive IAM policy for managing all University relationships.

• Different levels of access may need to be defined for the emergency rehire.

Page 22:

Use Case: Name Switching in the Directory

• Use Case:

• When a student comes to Penn State, their biographical data is stored in the Integrated Student Information System (ISIS). That information is fed to the CACTUS system for updating information in the Penn State Directory. Basic information about the student, such as their name and contact information, is displayed in the directory. After graduation the student may accept a position at Penn State. Their biographical data, along with other information about them, will now reside in the Integrated Business Information System (IBIS). Like ISIS data, IBIS data is also fed to CACTUS for directory updates.

• If the employee decides to marry and change their name, IBIS will be updated with the new name, which will be propagated to CACTUS and finally the directory. A problem arises if the employee decides to take a class. Now information from both ISIS and IBIS will be fed to CACTUS. If the employee did not update ISIS with their new name, the directory entry will flip back and forth between their "maiden" name and their new married name. This will continue until the employee changes their name in ISIS.

• IAM Opportunity:

• To reduce the number of authoritative sources for names and other key data elements.
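
The name flip described in this use case, and one way to stop it, as an added example that is not part of the original presentation. The ISIS and IBIS source names come from the slide; the feed records, person ids and the precedence rule (IBIS over ISIS for names) are assumptions made for illustration.

```python
# Constructed feed events in arrival order: (source, person_id, name).
FEED = [
    ("ISIS", "p1", "Jane Smith"),   # student record, maiden name
    ("IBIS", "p1", "Jane Doe"),     # employee record, married name
    ("ISIS", "p1", "Jane Smith"),   # employee takes a class; ISIS feeds again
    ("IBIS", "p1", "Jane Doe"),
    ("ISIS", "p2", "Sam Lee"),      # student only, never in IBIS
    ("ISIS", "p2", "Samuel Lee"),
]

# Assumed precedence for the name attribute, highest first (hypothetical policy).
NAME_PRECEDENCE = ["IBIS", "ISIS"]


def last_writer_wins(feed):
    """Behaviour described on the slide: every feed overwrites the directory name."""
    history = {}
    for _source, pid, name in feed:
        names = history.setdefault(pid, [])
        if not names or names[-1] != name:
            names.append(name)      # record each visible change in the directory
    return history


def with_precedence(feed, precedence=NAME_PRECEDENCE):
    """Accept a name only from the best-ranked source seen so far for that person."""
    best, history = {}, {}
    for source, pid, name in feed:
        rank = precedence.index(source)   # unknown sources raise ValueError
        if rank > best.get(pid, len(precedence)):
            continue  # a higher-precedence source already owns this person's name
        best[pid] = rank
        names = history.setdefault(pid, [])
        if not names or names[-1] != name:
            names.append(name)
    return history


def conflicting_people(feed):
    """List people whose sources currently disagree, so the records can be fixed."""
    latest = {}
    for source, pid, name in feed:
        latest.setdefault(pid, {})[source] = name
    return {pid: by_src for pid, by_src in latest.items()
            if len(set(by_src.values())) > 1}
```

With precedence applied, the directory entry for `p1` changes once and then stays put, while `conflicting_people` still reports the stale ISIS record that needs correcting at the source.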

Page 23:

“If we get this right, there isn’t a unit or constituency that doesn’t benefit. We have to try to get it right. Continuing on the old trajectories makes us more brittle at a time when we need to be more agile.” - Kevin Morooney