Identity and Access Management
Updates on IAM in the System
Mark Scheible, NC State University
Lynn Franz, Western Carolina University
Jan Tax, UNC-Chapel Hill
Steven Hopper, UNC-GA
Introductions
Mark Scheible
Manager, Identity and Access Management
NC State University
Lynn Franz
Application Development & Data Management
Western Carolina University
Jan Tax
Identity and Access Management
UNC Chapel Hill
Steven Hopper
Director of Online Services & CTO for UNC Online
UNC General Administration
Identity and Access Management
“Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – (EDUCAUSE IAM Working Group)
Identity and Access Management
Major areas of interest
• Identity Vetting & Proofing - making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and ensuring a credential is issued to the appropriate person
• Credentialing - the issuing of a “username and password” for authentication purposes
• Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”)
• Authentication Services – used to authenticate someone (the login process)
• Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group
Internet2 Middleware Diagram
Panel Discussion
• Identity Population Utilization (Lynn Franz)
• Group Management (Jan Tax)
• Federated Identity Management (Steven Hopper)
Each of our panelists will touch on a different aspect of IAM …
Identity and Access Management at Western Carolina University
Where we started…
First decision: Banner is the data source of record. It drives access to IT resources and services.
One of the first tasks was to look at the various populations…
A solid understanding of organizational roles is key for creating and maintaining identity and access management.
At the highest level, our data consisted of three populations.
Each population consisted of further sub-categories.
STUDENT: Intending Student? Cullowhee Commuter? Currently Enrolled? Continuing? Former Student? Future Student?
This foundation is the core of our Identity Management processing.
Diagram: Group → Group Members → Further Sub-Group Memberships
We defined and created a scalable mechanism for identifying, creating, and managing those groups.
Diagram: a Role feeds Security Groups and Distribution Lists, Reports, Databases, Interfaces between data sources (on or off campus), and Luminis Roles.
Each group, or Role, is defined in one location.
The Role may be consumed in many places.
If the Role definition changes, it’s changed in ONE place.
Consumption of the Role is not interrupted.
Role definitions are consistent across consumers.
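The "define a Role once, consume it everywhere" model from the slides above, as an added example rather than WCU's own code: each Role is a single rule over person records, and the Active Directory security group, distribution list and report are all derived from that one rule, so re-defining the Role changes every consumer at once. It also models the separate-username decision (student roles resolve to the student account, other roles to the non-student account). The record layout, the MSG_ naming and the sample people are constructed assumptions.

```python
"""Added example (not Western Carolina University's code): a Role is defined
in one place as a rule over person records, and every consumer (AD security
group, distribution list, report) is derived from that single definition."""
from typing import Callable, Dict, List, Tuple

# Constructed sample feed, loosely modelled on a Banner-style person extract.
# All field names (pidm, affiliations, enrolled, campus, usernames) are assumptions.
PEOPLE: List[dict] = [
    {"pidm": 1001, "name": "Sally Sue", "affiliations": {"student", "student_worker"},
     "enrolled": True, "campus": "Cullowhee",
     "usernames": {"student": "ssue1", "employee": "sally.sue"}},
    {"pidm": 1002, "name": "Sam Smith", "affiliations": {"faculty"},
     "enrolled": False, "campus": "Cullowhee",
     "usernames": {"employee": "sam.smith"}},
    {"pidm": 1003, "name": "Chris Lee", "affiliations": {"student"},
     "enrolled": False, "campus": "Distance",
     "usernames": {"student": "clee7"}},
    {"pidm": 1004, "name": "Pat Jones", "affiliations": {"student"},
     "enrolled": True, "campus": "Distance",
     "usernames": {"student": "pjones3"}},
]

# Roles whose consumers should see the student account rather than the employee one.
STUDENT_ROLES = {"ACTIVE_STUDENT", "CULLOWHEE_COMMUTER"}

# Each Role is a named predicate: the ONE place the rule lives.
ROLE_DEFINITIONS: Dict[str, Callable[[dict], bool]] = {
    "ACTIVE_STUDENT": lambda p: "student" in p["affiliations"] and p["enrolled"],
    "CULLOWHEE_COMMUTER": lambda p: "student" in p["affiliations"] and p["campus"] == "Cullowhee",
    "EMPLOYEE": lambda p: bool(p["affiliations"] & {"faculty", "staff", "student_worker"}),
}


def redefine(role: str, rule: Callable[[dict], bool]) -> None:
    """Change a Role in one place; every consumer below picks it up unchanged."""
    ROLE_DEFINITIONS[role] = rule


def members(role: str, people: List[dict] = PEOPLE) -> List[dict]:
    """Evaluate the Role definition against the person feed."""
    return [p for p in people if ROLE_DEFINITIONS[role](p)]


def external_username(p: dict, role: str) -> str:
    """Student roles map to the student account, all others to the non-student
    account; one person may hold both (the "Sally Sue" case on the slide)."""
    kind = "student" if role in STUDENT_ROLES else "employee"
    return p["usernames"][kind]   # KeyError here means an account was never provisioned


# --- consumers: none of them restates the rule -------------------------------
def ad_security_group(role: str) -> dict:
    """Hypothetical AD security group (MSG_ prefix is an assumed naming convention)."""
    return {"cn": f"MSG_{role}",
            "member": sorted(external_username(p, role) for p in members(role))}


def distribution_list(role: str) -> List[str]:
    return sorted(p["name"] for p in members(role))


def report(role: str) -> List[Tuple[int, str, str]]:
    """(Banner PIDM, Role, AD external username) rows, the shape the slide describes."""
    return [(p["pidm"], role, external_username(p, role)) for p in members(role)]


if __name__ == "__main__":
    print(report("ACTIVE_STUDENT"))
    redefine("ACTIVE_STUDENT", lambda p: ROLE_DEFINITIONS["CULLOWHEE_COMMUTER"](p) and p["enrolled"])
    print(report("ACTIVE_STUDENT"), ad_security_group("ACTIVE_STUDENT"))
```

Because the consumers only format a membership they never compute, a wrong rule is fixed in one place and the group, list and report cannot drift apart.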
Roles can be defined, re-defined, and sub-grouped.
Meanwhile, the organization keeps rolling along…
Role examples: Staff or Faculty (Full/Part-Time), Graduate Assistant (Teaching and Lab), Graduate Assistant (Non-Teaching, Non-Lab), Student Worker, Hourly or Temporary Worker, Cullowhee Commuter, Guest or Consultant
We had to make another key decision…
Banner allows for one external username association with one individual. One individual may exist in multiple roles! Should these have the same external username?
Example: Sally Sue
Student accounts (email hosted off campus) and Non-Student accounts (email hosted on site) would have unique external usernames. Both are provisioned in Active Directory. A Banner mod was necessary for this association.
This simple SQL statement returns the Active Student member information (Banner PIDM, Role, Active Directory External Username).
The Blackboard integration components can be easily associated using a single point of reference for group membership…
How do all these roles fit with the larger picture?
Diagram: Identity Management sits between Banner and Other Systems.
With the foundation in place…
Active Directory Outlook Properties Sync
Online Directory uses a Banner database view. People review their information and send corrections to HR using an Online Correction Form. Banner data feeds to Active Directory and Outlook Properties are updated.
Oracle packages using DBMS_LDAP functionality are used for the updates behind the scenes...
Outlook Properties provide the campus with reliable contact data, which can be consumed by other applications (such as the help desk ticketing system, Paw-Print, and Shibboleth). (Example property shown: Supervisor Name)
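The sync step described above, as an added example that is not WCU's DBMS_LDAP package: it compares a source-of-record view with the current directory contents and produces only the attribute changes that differ, including deleting an attribute the source no longer supplies (a stale supervisor, for instance) and flagging directory accounts the view does not cover for review instead of touching them. View columns, attribute names and all sample values are constructed assumptions.

```python
"""Added example (not WCU's DBMS_LDAP packages): derive the directory updates
implied by a source-of-record view, changing only attributes that differ and
flagging directory entries the view no longer covers."""
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, Optional[str]]

# Attributes this sync owns; anything else in the directory is left alone.
SYNCED_ATTRS = ("title", "department", "telephoneNumber", "manager")

# Constructed rows from a Banner-style directory view (the source of record).
VIEW_ROWS: List[Attrs] = [
    {"sAMAccountName": "sally.sue", "title": "Lab Technician", "department": "Biology",
     "telephoneNumber": "828-555-0100", "manager": "sam.smith"},
    {"sAMAccountName": "sam.smith", "title": "Professor", "department": "Biology",
     "telephoneNumber": "828-555-0101", "manager": None},
]

# Constructed snapshot of what the directory (and so Outlook properties) shows now.
DIRECTORY: Dict[str, Attrs] = {
    "sally.sue": {"title": "Student Assistant", "department": "Biology",
                  "telephoneNumber": "828-555-0100", "manager": "sam.smith"},
    "sam.smith": {"title": "Professor", "department": "Biology",
                  "telephoneNumber": "828-555-0199", "manager": "retired.chair"},
    "svc-legacy": {"title": "Service Account", "department": "ITS",
                   "telephoneNumber": None, "manager": None},
}

# (account, operation, attribute, old value, new value)
Op = Tuple[str, str, str, Optional[str], Optional[str]]


def plan_updates(view_rows: List[Attrs], directory: Dict[str, Attrs]) -> Tuple[List[Op], List[str]]:
    """Compare each view row with its directory entry. Returns the modify
    operations to apply and the directory accounts the view does not cover,
    which are reported for review rather than silently deleted."""
    ops: List[Op] = []
    covered = set()
    for row in view_rows:
        account = row["sAMAccountName"]
        covered.add(account)
        current = directory.get(account)
        if current is None:
            # No directory object yet: that is provisioning, not a property sync.
            ops.append((account, "skip", "*", None, None))
            continue
        for attr in SYNCED_ATTRS:
            old, new = current.get(attr), row.get(attr)
            if old == new:
                continue
            # A value the source no longer supplies is removed, not left stale.
            op = "delete" if new is None else ("add" if old is None else "replace")
            ops.append((account, op, attr, old, new))
    uncovered = sorted(set(directory) - covered)
    return ops, uncovered


def apply_updates(directory: Dict[str, Attrs], ops: List[Op]) -> Dict[str, Attrs]:
    """Apply the plan to a copy of the directory snapshot (in production the
    same plan would drive ldap_modify calls)."""
    result = {account: dict(attrs) for account, attrs in directory.items()}
    for account, op, attr, _old, new in ops:
        if op == "skip":
            continue
        result[account][attr] = None if op == "delete" else new
    return result


if __name__ == "__main__":
    plan, review = plan_updates(VIEW_ROWS, DIRECTORY)
    for op in plan:
        print(op)
    print("not covered by the source of record:", review)
```

Running the plan a second time against the updated snapshot yields no operations, which is the property to check before letting a job like this run unattended on a schedule.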
Manually Managed Roles
Method for managing roles that are not data driven from Banner. Automation and management of these roles requires additional data to be stored in Oracle tables. The tables also provide audit information and access control. Roles are managed by individual “owners”, who can assign “managers”. The owners and managers add/remove members, as defined by privilege assignments.
Examples: Committees, Organizations, Digital Millennium Copyright Act Offenders, Registered Exchange ActiveSync Users
Automated AD Security Groups
Automated Distribution Groups (in progress)
With automated and manual roles in place…
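The owner/manager model for manually managed roles, as an added example and not WCU's own tables or code: one owner per role who alone may delegate, managers who may only edit membership, a privilege check on every change, and an audit record for both successful and denied actions. The privilege names, the record layout and the walk-through data are assumptions standing in for the Oracle tables the slide mentions.

```python
"""Added example (not WCU's code): a manually managed role with one owner,
delegated managers, privilege checks on every change and an audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


class NotPermitted(Exception):
    """Raised when an actor lacks the privilege for the requested change."""


@dataclass
class ManualRole:
    name: str
    owner: str                                       # fixed when the role is created
    managers: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)
    audit: List[Dict[str, object]] = field(default_factory=list)   # audit table stand-in

    def holders(self, privilege: str) -> Set[str]:
        """Privilege assignments: only the owner may delegate; managers may edit members."""
        return {
            "assign_manager": {self.owner},
            "manage_members": {self.owner} | self.managers,
        }[privilege]

    def _log(self, actor: str, action: str, target: str, ok: bool) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "role": self.name, "actor": actor, "action": action,
            "target": target, "ok": ok,
        })

    def _require(self, actor: str, privilege: str, target: str) -> None:
        if actor not in self.holders(privilege):
            self._log(actor, privilege, target, ok=False)   # denied attempts are recorded too
            raise NotPermitted(f"{actor} may not {privilege} on {self.name}")

    def assign_manager(self, actor: str, manager: str) -> None:
        self._require(actor, "assign_manager", manager)
        self.managers.add(manager)
        self._log(actor, "assign_manager", manager, ok=True)

    def revoke_manager(self, actor: str, manager: str) -> None:
        self._require(actor, "assign_manager", manager)
        self.managers.discard(manager)
        self._log(actor, "revoke_manager", manager, ok=True)

    def add_member(self, actor: str, member: str) -> None:
        self._require(actor, "manage_members", member)
        self.members.add(member)
        self._log(actor, "add_member", member, ok=True)

    def remove_member(self, actor: str, member: str) -> None:
        self._require(actor, "manage_members", member)
        self.members.discard(member)
        self._log(actor, "remove_member", member, ok=True)


def demo() -> ManualRole:
    """Constructed walk-through: owner delegates, manager edits, manager cannot delegate."""
    role = ManualRole(name="COMMITTEE_IT_GOVERNANCE", owner="provost.office")
    role.assign_manager("provost.office", "dept.admin")
    role.add_member("dept.admin", "jdoe")
    role.add_member("dept.admin", "asmith")
    role.remove_member("dept.admin", "jdoe")
    try:
        role.assign_manager("dept.admin", "friend")   # a manager is not an owner: denied, logged
    except NotPermitted:
        pass
    return role


if __name__ == "__main__":
    r = demo()
    print(sorted(r.members), sorted(r.managers))
    for entry in r.audit:
        print(entry)
```

Keeping the denied attempt in the same audit table as the successful changes is what lets a later review distinguish "never tried" from "tried and was refused".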
Additional building blocks and project components on the way…
HR Intake/Outtake Interface
As individuals enter and exit HR positions, automated processes will provide accurate and timely account information (for create, terminate, and modify actions).
Lifecycle: Not Affiliated (no affiliation with University; not a Student, Guest, or Employee) → Affiliated (University Identity/Email; access to University Information Resources) → Not Affiliated (no longer affiliated with University; no access to University Information Systems). A Position Change (Personnel Action) moves a person between these states.
Downstream consumers: Health Services, Gym Usage, Parking Permits, Library, Cat Card
Personnel action events will be consumed by other organization entities.
Non-Person Account Management
Establishment of a practice for managing non-person accounts. These accounts must receive approval and have a WCU sponsor. Examples of these accounts are email accounts for various groups such as Athletics (baseball@wcu.edu) and departments (admission@wcu.edu).
Campus Security Request Process
Provide users on campus one method/location for requesting additional security and authorization to university systems and resources (for example, Provost Office, Finance, Facilities).
Along the way there have been some internal automations that have streamlined IT processes.
o Managing INB Users
o Managing Banner Security
o Banner Self-Service Password Changer (AD authentication for INB accounts)
o Help Desk unlock of Banner Accounts
o Reports
Identity role definitions, automated processes, and better internal and external procedures … help us move toward our future goal of Role Based Access.
Taking a moment for lessons learned…
Challenges….
Culture change is necessary… and sometimes very difficult to achieve.
Ownership and governance must belong to the stakeholders. (Not an IT problem!)
It is time consuming to review and define the various organizational business entities.
There are some tough issues to tackle (for example, account management of non-person accounts).
Processes have to be set up for managing identities.
Boundaries, for how groups can and can’t be used, need to be defined and enforced.
Rewards….
Removing bad data and standardizing data definitions provides better access for data consumption.
As data consumption increases, it is easier to identify and resolve problems.
Paves the way to help identify business processes that need to be reviewed and refined.
Readily highlights auditing concerns.
Systems that are not automated immediately can still utilize role information by seeing a person’s role information and adjusting local security to fit the roles.
Provides framework for retiring old systems and implementing new systems.
Following the 3 P’s to success….
Proactive:
• looking at campus-wide scope for 1 – 10 years down the road
• reviewing institutional business level processes
Process:
• creating well-defined procedures
• implementing data driven events
Prevention:
• decreasing resource issues through greater efficiencies
• removing frustrations due to old, outdated business processes
• warding off security threats and problems with solid role-based identity
… climbing on…
Identity and Access Management
Group Management
Jan Tax
UNC Chapel Hill
Background
o UNC-CH has a heterogeneous IAM environment
o Centrally managed directories and authentication:
• OpenLDAP, Kerberos, Shibboleth SSO
• Active Directory
• Oracle OID and OSSO
o Distributed/school/departmental directories and authentication systems
o Lots of changes going on
• new ERP
• Email shift from in-house IMAP to Exchange and Live@Edu
o Want to have consistency across environments (and to reduce the number of environments over time!)
Central IdM system
Person data is managed by a homegrown system that aggregates data from multiple sources
o Inbound connectors
- Bio/demo data – PeopleSoft is single source
- Affiliation data – multiple sources (for now)
• Pre-Student/Student – 20+ categories
• Faculty/Staff – 5 subcategories
• Affiliates – 10 subcategories
o Outbound connectors
• OpenLDAP – white pages, applications
• Active Directory – Exchange, applications
• Oracle Internet Directory – Calendar, AppServer
Authorization
Access decisions can be based on a person’s attributes …
- Classification (faculty/staff/student)
- Department
- Entitlements
… or on memberships in groups
- Automatic (members defined by a filter or expression)
- Manual (members managed by a person)
- Composite
Groups are a very versatile mechanism
Groups Management
o Want to manage groups centrally, not have locally managed groups in each environment
- Reduces security risk (timely removal)
- Increases productivity (timely access)
o Ideally, a single point of management for the enterprise
o Allow delegation for managing groups as much as possible
o Provide consistent replication of groups data across different directories/environments/applications
Grouper
o Internet2 Middleware project – a toolkit for managing groups
(http://grouper.internet2.edu)
o Integrates with an existing Identity Management system
o Handles the set logic used to combine groups
o Flexible configuration for sources – JDBC, JNDI
o Create/maintain groups with SQL queries
o LDAP connector to provision directories
o Access to group data with Web Services, .NET, PHP
o Command line interface to Java API & tools
o Lite UI delivered with product can be reskinned
Grouper @ UNC-CH
Grouper is used to provision groups to the two main directory systems:
- ldap.unc.edu:
• ou=groups,dc=unc,dc=edu
- ad.unc.edu:
• ou=groups,ou=identity,dc=ad,dc=unc,dc=edu
o MDG_ distribution groups
o MSG_ security groups
Existing uses of LDAP groups managed by Grouper
- Carolina Content Management
• Roles and content-specific rights
- Web Services Manager
• Web services mapped to group of authorized clients
- Misc. Application Access Control
• Determines what app. capabilities they have
- LDAP Access Control
• Membership makes categories of directory data visible
Case Study: Migrate ITS AppServer from Oracle to GlassFish
o Oracle AppServer had its own IAM environment
- Oracle SSO (OSSO) and Internet Directory (OID)
- Used OID groups for access control
o Move to GlassFish AppServer
- Supports groups for access control via LDAP realm concept, but requires LDAP authentication
- Desire to use Shibboleth SSO for authentication
o Process
- Move OID groups into Grouper and sync to LDAP
- Configure Shibboleth to pass specific group memberships to application
o Results
- GlassFish uses campus standards for access management
- Oracle SSO and OID are decommissioned
Identity and Access Management
UNC Identity Federation Update
Steven Hopper
UNC-GA
UNC Identity Federation
Background
o August 2008
- Production federation (Shibboleth)
- 17 UNC institutions (Identity Providers)
- Inter-institutional Registration (Service Provider)
- WAYF
- Development federation for testing, etc.
Existing Services
o Foundation for all system-wide application development.
o Examples include:
- GA Services (inter-institutional registration, exam proctoring, www.northcarolina.edu, ActiveCollab)
- RAMSeS (sponsored programs and research management tool from UNC-CH)
- SciQuest (eProcurement)
- VCL (Virtual Computing Lab at NCSU)
- MCNC/NCREN (Videoconference scheduling, network status tools, etc.)
Vendor Integration
o Encouraging vendors to Shibboleth-enable applications
o InCommon - vendors are hesitant to join
- Cost (upfront and recurring)
- Arduous joining process (legal)
- Want to pass joining costs back to UNC
- Often not feasible given tight implementation timelines
Solution: Affiliates Federation
o Create a 3rd “Affiliates Federation”
- Production
- Development
- Affiliates
o Create a streamlined (and free) process for vendors to join
o Allows campus Identity Providers to have a separate “handle” when making attribute release decision.
Affiliates Federation Membership
o Current Members
- PeopleAdmin: HR Applicant Tracking
- SciQuest: eProcurement
o Prospective Members
- ZimRide: Car Pooling
- Qualtrics: Survey & Feedback Software
Identity and Access Management
Questions?
Contact Information:
Mark Scheible, mascheib@ncsu.edu
Lynn Franz, lfranz@email.wcu.edu
Jan Tax, tax@unc.edu
Steven Hopper, hoppers@northcarolina.edu
Thank you!
Lightning Round?
Identity and Access Management (Extra Slides if Needed)
LDAP ties together Person and Groups data
Diagram: Directory Master (IdM) writes people data into ou=people; Grouper (IdM) reads people data so they can be added to groups, and writes group data into ou=groups.
Populating LDAP with Person Data
Diagram: PeopleSoft HRIS, AffiliateWeb and EpaWeb feed the Directory Master (IdM) database, which updates ou=people in LDAP.
Directory Master aggregates person data updates from various sources and synchronizes this data to the directory.
Populating LDAP with Groups Data
Diagram: delegated Grouper users (admins/users) manage groups in Grouper (IdM), which reads people data from ou=people and updates group data in ou=groups.
Grouper stores group information natively in a relational database, but also writes groups data to the directory…
LDAP Person Attributes Delivered with Shib IdP
Diagram: a browser/application contacts the Shib IdP (IdM); the IdP queries LDAP (ou=people, ou=groups) for person attributes and membership information.
IdP synthesizes attribute isMemberOf from group membership and app config (e.g. limits to relevant groups).
IdP asserts combined person attributes, including isMemberOf.
IdP uses person attributes directly, but releases only those configured for each application.
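The group types from the Authorization slide (automatic, manual, composite) and the IdP step in the diagram just above, as one added example that is not UNC-CH's Grouper or Shibboleth configuration: automatic groups are filters over person attributes, a manual group is a maintained member list, composite groups combine other groups with set logic, and the IdP then synthesizes isMemberOf limited to the groups an application is configured for and releases only that application's attributes. Group names, the person entries, the SP identifiers and the per-SP policy are constructed assumptions; attribute names follow inetOrgPerson/eduPerson.

```python
"""Added example (not UNC-CH's Grouper or Shibboleth configuration): resolve
automatic, manual and composite groups, then model the IdP's per-application
attribute release, including a synthesized isMemberOf."""
from typing import Callable, Dict, List, Set, Union

# Constructed ou=people entries (attribute names follow inetOrgPerson/eduPerson).
PEOPLE: Dict[str, Dict[str, str]] = {
    "jtax": {"uid": "jtax", "mail": "jtax@example.edu", "displayName": "Jan Tax",
             "eduPersonAffiliation": "staff", "ou": "ITS"},
    "sdoe": {"uid": "sdoe", "mail": "sdoe@example.edu", "displayName": "S. Doe",
             "eduPersonAffiliation": "student", "ou": "Biology"},
    "rroe": {"uid": "rroe", "mail": "rroe@example.edu", "displayName": "R. Roe",
             "eduPersonAffiliation": "faculty", "ou": "Biology"},
}

# Automatic groups: membership defined by a filter over attributes.
AUTOMATIC: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "its:staff": lambda p: p["ou"] == "ITS" and p["eduPersonAffiliation"] == "staff",
    "biology:all": lambda p: p["ou"] == "Biology",
    "campus:students": lambda p: p["eduPersonAffiliation"] == "student",
}
# Manual group: members maintained by a person.
MANUAL: Dict[str, Set[str]] = {"cms:editors": {"jtax", "rroe"}}
# Composite groups: (operation, left group, right group).
COMPOSITE: Dict[str, tuple] = {
    "biology:employees": ("complement", "biology:all", "campus:students"),
    "cms:editors:biology": ("intersection", "cms:editors", "biology:employees"),
}


def resolve(group: str) -> Set[str]:
    """Return the uids in a group, evaluating composites recursively."""
    if group in AUTOMATIC:
        return {uid for uid, p in PEOPLE.items() if AUTOMATIC[group](p)}
    if group in MANUAL:
        return set(MANUAL[group])
    op, left, right = COMPOSITE[group]          # KeyError for an unknown group
    a, b = resolve(left), resolve(right)
    return {"union": a | b, "intersection": a & b, "complement": a - b}[op]


def is_member_of(uid: str) -> Set[str]:
    """Every group a person belongs to (what Grouper would write to ou=groups)."""
    return {g for g in [*AUTOMATIC, *MANUAL, *COMPOSITE] if uid in resolve(g)}


# Per-application release policy: stand-in for the IdP's attribute filter and
# the app-specific group limits the slide mentions. SP entity IDs are made up.
SP_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "https://cms.example.edu/shibboleth": {
        "attributes": {"uid", "displayName", "isMemberOf"},
        "groups": {"cms:editors", "cms:editors:biology"},
    },
    "https://survey.example.edu/shibboleth": {
        "attributes": {"mail"},
        "groups": set(),
    },
}


def assert_attributes(uid: str, sp: str) -> Dict[str, Union[str, List[str]]]:
    """Attributes the IdP would assert to this SP for this user: only the
    configured attributes, with isMemberOf limited to the SP's relevant groups."""
    policy = SP_POLICY[sp]
    released: Dict[str, Union[str, List[str]]] = {
        k: v for k, v in PEOPLE[uid].items() if k in policy["attributes"]
    }
    if "isMemberOf" in policy["attributes"]:
        released["isMemberOf"] = sorted(is_member_of(uid) & policy["groups"])
    return released


if __name__ == "__main__":
    for g in [*AUTOMATIC, *MANUAL, *COMPOSITE]:
        print(g, sorted(resolve(g)))
    for sp in SP_POLICY:
        print(sp, assert_attributes("rroe", sp))
```

The survey application never learns the user's groups or affiliation, and the CMS never sees groups unrelated to it: the same directory data is asserted differently per application, which is the release property the last slide describes.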

Unc cause 2010 Identity and Access Mgmt Panel

  • 1. Identity and Access Management Updates on IAM in the System Mark Scheible, NC State University Lynn Franz, Western Carolina University Jan Tax, UNC-Chapel Hill Steven Hopper, UNC-GA
  • 2. Introductions Mark Scheible Manager, Identity and Access Management NC State University Lynn Franz Application Development & Data Management Western Carolina University Jan Tax Identity and Access Management UNC Chapel Hill Steven Hopper Director of Online Services & CTO for UNC Online UNC General Administration
  • 3. Identity and Access Management “Identity Management has evolved to include policies, procedures and the broad spectrum of technologies required to establish institutional identity management (IdM) systems” – (EDUCAUSE IAM Working Group)
  • 4. Identity and Access Management • Identity Vetting & Proofing - making sure the information provided about an individual (e.g. name, DOB, address, phone number, degree(s) earned, etc.) is accurate and verified, and insuring a credential is issued to the appropriate person • Credentialing - the issuing of a “username and password” for authentication purposes • Directories – database(s) containing information associated with individuals and resources (in this context, identity data or “attributes”) • Authentication Services – used to authenticate someone (the login process) • Authorization Services – used to determine what access an individual has to applications, resources, etc., based on who they are, or their membership in a group Major areas of interest
  • 6. Panel Discussion • Identity Population Utilization (Lynn Franz) • Group Management (Jan Tax) • Federated Identity Management (Steven Hopper) Each of our panelists will touch on a different aspect of IAM …
  • 7. Identity and Access Management at Western Carolina University
  • 8. Where we started… First decision: Banner is the data source of record. It drives access to IT resources and services.
  • 9. One of the first tasks was to look at the various populations… A solid understanding of organizational roles is key for creating and maintaining identity and access management.
  • 10. At the highest level, our data consisted of three populations.
  • 11. Each population consisted of further sub-categories. STUDENT Intending Student? Cullowhee Commuter? Currently Enrolled? Continuing? Former Student? Future Student?
  • 12. This foundation is the core of our Identity Management processing. Group Group Members Further Sub-Group Memberships We defined and created a scalable mechanism for identifying, creating, and managing those groups.
  • 13. Role Security Groups and Distribution Lists Reports Database Database Interfaces between data sources, on or off campus Luminis Roles Each group, or Role, is defined in one location. The Role may be consumed in many places.
  • 14. If the Role definition changes, it’s changed in ONE place. Consumption of the Role is not interrupted. Role definitions are consistent across consumers. Security Groups and Distribution Lists Reports Database Database Role Luminis RolesInterfaces between data sources, on or off campus
  • 15. Roles can be defined, re-defined, and sub-grouped. Meanwhile, the organization keeps rolling along… Staff or (Full/Part-Time) Faculty Graduate Assistant (Teaching and Lab) Graduate Assistant (Non- Teaching, Non- Lab) Student Worker Hourly or Temporary Worker Cullowhee Commuter Guest or Consultant
  • 16. We had to make another key decision… Banner allows for one external username association with one individual. One individual may exist in multiple roles! Should these have the same external username? Sally Sue Student accounts (email hosted off campus) and Non-Student accounts (email hosted on site) would have unique external usernames. Both are provisioned in Active Directory. A Banner mod was necessary for this association.
  • 17. This simple SQL statement returns the Active Student member information. ( Banner PIDM, Role, Active Directory External Username ) The Blackboard integration components can be easily associated using a single point of reference for group membership…
  • 18. How do all these roles fit with the larger picture? Identity Management Banner Other Systems With the foundation in place…
  • 19. Active Directory Outlook Properties Sync Online Directory uses a Banner database view. People review their information and send corrections to HR using an Online Correction Form. Banner data feeds to Active Directory and Outlook Properties are updated.
  • 20. Oracle packages using DBMS_LDAP functionality are used for the updates behind the scenes...
  • 21. Outlook Properties provide the campus with reliable contact data, which can be consumed by other applications (such as the help desk ticketing system, Paw-Print, and Shibboleth). Supervisor Name
  • 22. Method for managing roles that are not data driven from Banner. Automation and management of these roles requires additional data to be stored in Oracle tables. The tables also provide audit information and access control. Roles are managed by individual “owners”, who can assign “managers”. The owners and managers add/remove members, as defined by privilege assignments. Manually Managed Roles Committees Organizations Digital Millennium Copyright Act Offenders Registered Exchange Active Sync User
  • 23. Automated AD Security Groups Automated Distribution Groups (in progress) With automated and manual roles in place…
  • 24. Additional building blocks and project components on the way…
• 25. HR Intake/Outtake Interface
  As individuals enter and exit HR positions, automated processes will provide accurate and timely account information (for create, terminate, and modify actions).
  [Diagram: a Position Change (Personnel Action) moves a person through affiliation states]
     Not Affiliated – no affiliation with the University; not a Student, Guest, or Employee
     Affiliated – University identity/email; access to University information resources
     Not Affiliated – no longer affiliated with the University; no access to University information systems
  Personnel action events will be consumed by other organization entities: Health Services, Gym Usage, Parking Permits, Library, Cat Card.
• 26. Non-Person Account Management
  Establishment of a practice for managing non-person accounts. These accounts must receive approval and have a WCU sponsor. Examples of these accounts are email accounts for various groups such as Athletics (baseball@wcu.edu) and departments (admission@wcu.edu).
• 27. Campus Security Request Process
  Provide users on campus one method/location for requesting additional security and authorization to university systems and resources.
  [Diagram: requesting units such as the Provost Office, Finance, and Facilities]
• 28. Along the way there have been some internal automations that have streamlined IT processes.
  o Managing INB Users
  o Managing Banner Security
  o Banner Self-Service Password Changer (AD authentication for INB accounts)
  o Help Desk unlock of Banner Accounts
  o Reports
• 29. Identity role definitions, automated processes, and better internal and external procedures … help us move toward our future goal of Role Based Access.
• 30. Taking a moment for lessons learned…
• 31. Challenges…
  o Culture change is necessary… and sometimes very difficult to achieve.
  o Ownership and governance must belong to the stakeholders. (Not an IT problem!)
  o It is time consuming to review and define the various organizational business entities.
  o There are some tough issues to tackle (for example, account management of non-person accounts).
  o Processes have to be set up for managing identities.
  o Boundaries, for how groups can and can’t be used, need to be defined and enforced.
• 32. Rewards…
  o Removing bad data and standardizing data definitions provides better access for data consumption.
  o As data consumption increases, it is easier to identify and resolve problems.
  o Paves the way to help identify business processes that need to be reviewed and refined.
  o Readily highlights auditing concerns.
  o Systems that are not automated immediately can still utilize role information by seeing a person’s role information and adjusting local security to fit the roles.
  o Provides a framework for retiring old systems and implementing new systems.
• 33. Following the 3 P’s to success…
  Proactive:
     looking at campus-wide scope for 1 – 10 years down the road
     reviewing institutional business level processes
  Process:
     creating well-defined procedures
     implementing data driven events
  Prevention:
     decreasing resource issues through greater efficiencies
     removing frustrations due to old, outdated business processes
     warding off security threats and problems with solid role-based identity
• 35. Identity and Access Management – Group Management
  Jan Tax, UNC Chapel Hill
• 36. Background
  o UNC-CH has a heterogeneous IAM environment
  o Centrally managed directories and authentication:
     OpenLDAP, Kerberos, Shibboleth SSO
     Active Directory
     Oracle OID and OSSO
  o Distributed/school/departmental directories and authentication systems
  o Lots of changes going on
     new ERP
     Email shift from in-house IMAP to Exchange and Live@Edu
  o Want to have consistency across environments (and to reduce the number of environments over time!)
• 37. Central IdM system
  Person data is managed by a homegrown system that aggregates data from multiple sources
  o Inbound connectors
     Bio/demo data – PeopleSoft is single source
     Affiliation data – multiple sources (for now)
       • Pre-Student/Student – 20+ categories
       • Faculty/Staff – 5 subcategories
       • Affiliates – 10 subcategories
  o Outbound connectors
     OpenLDAP – white pages, applications
     Active Directory – Exchange, applications
     Oracle Internet Directory – Calendar, AppServer
• 38. Authorization
  Access decisions can be based on a person’s attributes …
     Classification (faculty/staff/student)
     Department
     Entitlements
  … or on memberships in groups
     Automatic (members defined by a filter or expression)
     Manual (members managed by a person)
     Composite
  Groups are a very versatile mechanism
• 39. Groups Management
  o Want to manage groups centrally, not have locally managed groups in each environment
     Reduces security risk (timely removal)
     Increases productivity (timely access)
  o Ideally, a single point of management for the enterprise
  o Allow delegation for managing groups as much as possible
  o Provide consistent replication of groups data across different directories/environments/applications
• 40. Grouper
  o Internet2 Middleware project – a toolkit for managing groups (http://grouper.internet2.edu)
  o Integrates with an existing Identity Management system
  o Handles the set logic used to combine groups
  o Flexible configuration for sources – JDBC, JNDI
  o Create/maintain groups with SQL queries
  o LDAP connector to provision directories
  o Access to group data with Web Services, .NET, PHP
  o Command line interface to Java API & tools
  o Lite UI delivered with product can be reskinned
• 41. Grouper @ UNC-CH
  Grouper is used to provision groups to the two main directory systems:
     ldap.unc.edu: ou=groups,dc=unc,dc=edu
     ad.unc.edu: ou=groups,ou=identity,dc=ad,dc=unc,dc=edu
       o MDG_ distribution groups
       o MSG_ security groups
  Existing uses of LDAP groups managed by Grouper
     Carolina Content Management – roles and content-specific rights
     Web Services Manager – web services mapped to group of authorized clients
     Misc. Application Access Control – determines what app. capabilities they have
     LDAP Access Control – membership makes categories of directory data visible
• 42. Case Study: Migrate ITS AppServer from Oracle to GlassFish
  o Oracle AppServer had its own IAM environment
     Oracle SSO (OSSO) and Internet Directory (OID)
     Used OID groups for access control
  o Move to GlassFish AppServer
     Supports groups for access control via LDAP realm concept, but requires LDAP authentication
     Desire to use Shibboleth SSO for authentication
  o Process
     Move OID groups into Grouper and sync to LDAP
     Configure Shibboleth to pass specific group memberships to application
  o Results
     GlassFish uses campus standards for access management
     Oracle SSO and OID are decommissioned
• 43. Identity and Access Management – UNC Identity Federation Update
  Steven Hopper, UNC-GA
• 44. UNC Identity Federation Background
  o August 2008
     Production federation (Shibboleth)
     17 UNC institutions (Identity Providers)
     Inter-institutional Registration (Service Provider)
     WAYF
     Development federation for testing, etc.
• 45. Existing Services
  o Foundation for all system-wide application development.
  o Examples include:
     GA Services (inter-institutional registration, exam proctoring, www.northcarolina.edu, ActiveCollab)
     RAMSeS (sponsored programs and research management tool from UNC-CH)
     SciQuest (eProcurement)
     VCL (Virtual Computing Lab at NCSU)
     MCNC/NCREN (videoconference scheduling, network status tools, etc.)
• 46. Vendor Integration
  o Encouraging vendors to Shibboleth-enable applications
  o InCommon – vendors are hesitant to join
     Cost (upfront and recurring)
     Arduous joining process (legal)
     Want to pass joining costs back to UNC
     Often not feasible given tight implementation timelines
• 47. Solution: Affiliates Federation
  o Create a 3rd “Affiliates Federation”
     Production
     Development
     Affiliates
  o Create a streamlined (and free) process for vendors to join
  o Allows campus Identity Providers to have a separate “handle” when making attribute release decisions.
• 48. Affiliates Federation Membership
  o Current Members
     PeopleAdmin: HR Applicant Tracking
     SciQuest: eProcurement
  o Prospective Members
     ZimRide: Car Pooling
     Qualtrics: Survey & Feedback Software
• 50. Contact Information
  Mark Scheible – mascheib@ncsu.edu
  Lynn Franz – lfranz@email.wcu.edu
  Jan Tax – tax@unc.edu
  Steven Hopper – hoppers@northcarolina.edu
  Thank you! Lightning Round?
• 52. LDAP ties together Person and Groups data
  [Diagram: Directory Master (IdM) writes people data into ou=people; Grouper (IdM) reads people data from ou=people so they can be added to groups, and writes group data into ou=groups]
• 53. Populating LDAP with Person Data
  [Diagram: Directory Master (IdM) aggregates person data updates from various sources (PeopleSoft HRIS, AffiliateWeb, EpaWeb) and synchronizes this data to the directory DB, updating people data in ou=people]
• 54. Populating LDAP with Groups Data
  [Diagram: Grouper (IdM) stores group information natively in a relational database (DB), but also writes groups data to the directory, updating group data in ou=groups; it reads people data from ou=people so they can be added to groups; delegated Grouper users (admin/user) manage the groups]
• 55. Person Attributes Delivered with Shib IdP
  [Diagram: Browser/App → Shib IdP (IdM) → LDAP (ou=people, ou=groups)]
     IdP queries LDAP for person attributes
     IdP queries LDAP for membership information
     IdP synthesizes the attribute isMemberOf from group membership and app config (e.g. limits to relevant groups)
     IdP uses person attributes directly, but releases only those configured for each application
     IdP asserts combined person attributes, including isMemberOf
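The IdP step on slide 55 (and the "pass specific group memberships to application" step of the slide 42 case study), modelled as an added example that is not UNC-CH's or Shibboleth's code. The ou=people / ou=groups base DNs follow the page; the people, group names, SP entityIDs and per-application release configuration are constructed stand-ins for directory contents and the IdP attribute filter.

```python
# Added example: synthesize isMemberOf from ou=groups and release only the
# attributes configured for each SP. All data below is constructed.
import re

PEOPLE_BASE = "ou=people,dc=unc,dc=edu"   # from the page's diagrams
GROUPS_BASE = "ou=groups,dc=unc,dc=edu"   # from slide 41

# Constructed ou=people entries keyed by DN (assumed attribute values).
PEOPLE = {
    f"uid=jdoe,{PEOPLE_BASE}": {"uid": "jdoe", "mail": "jdoe@example.edu",
                                 "eduPersonAffiliation": "staff", "ou": "ITS"},
    f"uid=asmith,{PEOPLE_BASE}": {"uid": "asmith", "mail": "asmith@example.edu",
                                   "eduPersonAffiliation": "student", "ou": "Math"},
}

# Constructed ou=groups entries: each group lists its members by DN.
GROUPS = {
    f"cn=app:cms:editors,{GROUPS_BASE}": [f"uid=jdoe,{PEOPLE_BASE}"],
    f"cn=app:glassfish:admins,{GROUPS_BASE}": [f"uid=jdoe,{PEOPLE_BASE}"],
    f"cn=dept:its:all,{GROUPS_BASE}": [f"uid=jdoe,{PEOPLE_BASE}"],
}

# Per-application (SP) release policy, standing in for the IdP's attribute
# filter: which attributes may be released and which groups are "relevant".
APP_CONFIG = {
    "https://cms.example.edu/shibboleth": {
        "attributes": ["uid", "mail", "isMemberOf"],
        "group_pattern": r"^cn=app:cms:[^,]+,",
    },
    "https://glassfish.example.edu/shibboleth": {
        "attributes": ["uid", "eduPersonAffiliation", "isMemberOf"],
        "group_pattern": r"^cn=app:glassfish:[^,]+,",
    },
}


def member_of(person_dn, groups):
    """The IdP's membership query against ou=groups: every group DN listing this person."""
    return sorted(dn for dn, members in groups.items() if person_dn in members)


def build_assertion(person_dn, sp, people=PEOPLE, groups=GROUPS, config=APP_CONFIG):
    """Combine person attributes with a synthesized isMemberOf, then keep only
    what the SP's configuration permits (unlisted attributes and groups never leave the IdP)."""
    cfg = config[sp]
    attrs = dict(people[person_dn])             # person attributes taken directly from ou=people
    relevant = re.compile(cfg["group_pattern"])
    attrs["isMemberOf"] = [g for g in member_of(person_dn, groups) if relevant.match(g)]
    return {k: v for k, v in attrs.items() if k in cfg["attributes"]}
```

Note that the departmental group (cn=dept:its:all) is never asserted to either SP, and the CMS never learns GlassFish memberships: the filter limits isMemberOf per application before the assertion is built.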