Pennsylvania Banner Users Group 2008 Fall Conference Campus Identity Management in a Banner World.

Pennsylvania Banner Users Group 2008 Fall Conference

Campus Identity Management in a Banner World

Introductions

Lehigh University
• Sara Rodgers – Team Lead Identity & Access Management
• Tricia Wilson – Banner Senior Analyst

APTEC, LLC
• Aaron Perry - President

General Announcements:

Please remember to silence all cell phones/pagers

Please hold all questions to the end of the presentation.

Thank you for your cooperation

Agenda

• Overview of Campus Identity and Access Management (IAM)
• Identity in Higher Education
• Banner Identity Management Reference Architecture
• Lehigh University Case Study
• Use Case: Banner Faculty Provisioning / On-Board Process
• High Level Oracle Identity Management Architecture
• Project & Technical Considerations Implementing Identity Management in a Banner Environment

Campus Identity & Access Management (“IAM”)

Hosted By The University of Mary Washington

[Diagram: Identity Management Service]

User populations (labelled Internal and External): Students, Faculty & Staff, Affiliates, Alumni/Customers, Delegated Admin, SOA Applications

Identity Management Service components:

Access Management
• Authentication & SSO
• Authorization & RBAC
• Identity Federation

Directory Services
• LDAP Directory
• Meta-Directory
• Virtual Directory

Identity Provisioning
• Who, What, When, Where, Why
• Rules & access policies
• Integration framework

Identity Administration
• Delegated Administration
• Self-Registration & Self-Service
• User & Group Management

Supporting functions: Auditing and Reporting, Workflow and orchestration, Monitoring and Management

Systems & Repositories: Applications, ERP, CRM, HR, Mainframe, NOS/Directories, OS (Unix), Student, Fac/Staff

IAM Solutions Address Top Issues faced by Higher Education Institutions

IAM can improve security, reduce costs, and protect privacy
• Security breaches / business disruptions
• Operating costs / budgets
• Data protection / privacy

Large and growing number of Institutions have experienced IT Security “Breaches” in last 12 months.
• Unauthorized access to sensitive institutional data
• Research database hacked
• Breaches of Student & Faculty SSNs

What we typically see at Higher Education Institutions

• Manual Processing
  • Workflow
  • Provisioning
• Home Grown Solutions
  • Good at provisioning
  • Inefficient or non-existent de-provisioning and transfers
  • Inability to scale to meet growing demands
  • Inconsistent/ineffective auditing and reporting
• Lack of Security Policies and Enforcement
• In many cases, still reliant on Open Source solutions
  • OpenLDAP, CAS, Pubcookie

Identity Requirements in Higher Education Are Complex

• Many roles with different access requirements
• Users often have multiple roles
• Frequently changing roles for most constituents
• Multi-campus environment
• Legacy of multiple, fragmented identity stores
• Integration with Higher Education specific applications: SunGard Banner, BlackBoard, R25, Library and Parking Systems

Banner Identity Management Reference Architecture

Case Study: Lehigh University

Current Environment
• Homegrown system
• Developed and supported by staff w/20+ years
• Adapted & patched over many years
  • New constituent groups
  • Networking and server changes
  • Compliance requirements
  • New applications and systems

Case Study: Lehigh University

Project Background
• Enterprise Level Solution Identified
• Implementation Team Formed
• Phase I: Discovery, Documentation, Design
• Phase II: Development, Testing, Deployment

Business Drivers
• Compliance (auditors, FERPA, GLB, HIPAA)
• Complexity (new roles, more granularity)

Case Study: Lehigh University

Technical Drivers
• Sustainability – standardized, documented solution
• Scalability
  • Easier to extend the solution to other key applications and infrastructure
  • Incrementally add functionality such as workflow, approval processes, and attestation
  • Federation
• Security - foundation for enterprise application security framework
  • Additional and more secure authentication methods
  • Rich auditing and reporting capability

OID

Project Considerations: Implementing IdM with Banner

• Formation of IdM Steering Committee
• Focus on business process and policy
• Dedicated resources from the University
  • Project Manager
  • Technical Resources

Use Case: Auto On-Board Faculty

Note that data entry into Banner causes the appropriate role to be created in the GORIROL table.

Architecture: Lehigh IdM

[Flowchart: OIM Main Banner View Recon]

Flowchart labels:
• Missing from view; Dead? (Yes / No); OIM Updates
• Check Inactive Views based on role from OIM: IA Faculty, IA Staff, IA Student
• Role(s) Changed; Removed? Added? (Yes)
• Check Active Views based on roles added: A Student, A Staff, A Faculty, A Alumni
• Nightly batch attribute changes. No Role changes

Technical Considerations: Implementing IdM with Banner

• Custom Views vs. Sungard Banner IDM Offering
  • Real-time vs. batch oriented reconciliation.
  • Requires Oracle Access Manager, which Lehigh is not prepared to implement at this time.
  • Requires Banner 8, which some of our applications are not certified for at this time (EM).
  • Sungard IDM offerings could be a future upgrade.
• Substantial number of constituents that need to be defined and maintained inside of Banner. This is done using GORRSQL and GORIROL and is the main driver of IDM.

Questions & Answers
