Extending Access Management to Business & Community Engagement - John Paschoud

1. Extending Access Management to Business & Community Engagement
   John Paschoud, Local Knowledge <John@Paschoud.org>, working with Eduserv
   FAM11, London, 09-Nov-2011

2. What
   - Universities and colleges in the UK have a wide variety of Business and Community Engagement activities going on - for good business reasons...
   - Some of these entail giving online access to people they're not used to dealing with - those who're not students or staff
   - This may put strains on their policies, systems and legal agreements covering Access and Identity Management

3. Precursors
   - The JISC Identity Management Toolkit
   - Cardiff Roles and Entitlements analysis (“101 relationships”)
   - JISC BCE AM scoping study (Oakleigh Consulting, April 2009)

4. Objective
   - The EAM2BCE Guide will help senior university and college managers to identify, understand and resolve these problems, and prevent them getting in the way of what their organisations want to do
   - (“like a Haynes workshop manual”)

5. How
   - Extended case-study of widening participation scheme at LSE
   - Extended case-study of workplace learning at Kidderminster
   - Questionnaire responses from AM and BCE practitioners

6. What we found – Activities
   - Short courses – including widening participation schemes such as LSE Choice
   - Work-based learning – including the case study with employers at Kidderminster
   - Facilities for Alumni
   - NHS collaboration
   - 'VIP' visitors – including 'emeritus' staff
   - Commercial research collaboration

7. What we found – Issues
   - Policies, procedures, processes & systems have often not been designed for these relationships
     - Registration, Revocation, PDP
   - Licenses for content & resources, signed by libraries, do not 'know' about some BCE activities in institutions
     - Real costs, Licence infringements

8. What we found – Workarounds
   - 'Pseudo-students'
   - 'Honorary staff posts'
   - Ad-hoc IdM 'systems'
     - (possible DPA infringements)
   - Shared login credentials
     - (e.g. to campus wi-fi)
   - Limited access
     - (e.g. by campus IP range)

9. The Workshop Manual (1)
   - Discovering, classifying & documenting BCE activities
     - Using the IdM Toolkit Audit Guide
     - Anonymous? 'CRM'? AIM?
   - Identifying synergies & savings from BCE activities with common characteristics
   - Reviewing mainstream IdM systems to include BCE participants

10. The Workshop Manual (2)
    - Establishing (or not) the business case and true costs of a BCE activity
    - Reviewing resource licenses to include BCE participants
      - At reasonable cost
    - Cataloguing access terms & limits of all licenses

11. The Workshop Manual (3)
    - Use of personal data
      - ICO
      - JISC Legal
      - UK federation
    - JANET AUP
    - FAM attributes for BCE participants
      - Extended ScopedAffiliations (ePA)
      - Entitlements (ePE)

12. Do You have BCE issues?
    - What is the situation or activity that involves this group with your organisation?
    - Is there an organisational business case for this activity? (can it be quantified by income, turnover or other non-financial benefits?)

13. Do You have BCE issues?
    - Who is responsible for registering individuals as members of this group?
    - How are people registered/enrolled in this group?
    - Is any kind of IT system used to list current participants?
    - How long is an individual typically involved in this activity?
    - How are people removed from the group (or access revoked) when they stop participating?
    - How many individuals are typically involved in this activity at any time? (or during a year)

14. Do You have BCE issues?
    - Do participants have (or need) use of your organisation’s IT network? How is this provided?
    - Do participants have (or need) access to the Internet via your network? How is this provided? (e.g. via normal JANET connection)

15. Do You have BCE issues?
    - What non-public online resources does the group need to access? (even if this access is not possible at present)
    - How do resource licences cover use by the group? (or how should they be extended to allow it)
    - What ad-hoc methods are used now to provide resource access? (e.g. shared username/password, temporary registration as students, access only from specified workstations)
16. UK Access Management Federation for Education and Research Rules of Membership
    - 6.1. Where End User Organisations have the technical and organisational means to match use of services provided by Service Providers to individual End Users, then the End User Organisation may either upon enrolment or at any time thereafter, declare this to the Federation Operator which will then publish this declaration in the Metadata. Once the End User Organisation has made this declaration, it must comply with the provisions of this Section 6 in respect of those Systems and End Users covered by the declaration. The End User Organisation acknowledges that where it is unable or unwilling to make this declaration this may affect access for End Users to Service Providers’ services or resources. [note 3]
    - 6.2. The End User Organisation must have a documented process for issuing credentials that may give access to Service Providers’ services or resources. This documentation must be made available on request to Service Providers to whom the End User Organisation is, or is planning to, provide access management information.
    - 6.3. The End User Organisation must use reasonable endeavours to provide those End Users in respect of whom the End User Organisation provides Attributes with appropriate information on how to use their credentials safely and securely.
    - 6.4. The End User Organisation must ensure that accurate information is provided about such End Users. In particular:
      - 6.4.1. credentials of End Users who are no longer members of the organisation must be revoked promptly, or at least no Attributes must be asserted for such End Users to the Federation;
      - 6.4.2. where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months after the last possible use by the previous End User;
      - 6.4.3. where an End User’s status, or any other information described by Attributes, changes, the relevant Attributes must be also changed as soon as possible.
    - [http://www.ukfederation.org.uk/library/uploads/Documents/rules-of-membership.pdf]

    Excerpts highlighted on the slide:
    - must have a documented process for issuing credentials that may give access to … services or resources
    - must ensure that accurate information is provided about [all] such End Users. In particular…
    - credentials of [all] End Users who are no longer members of the organisation must be revoked promptly
    - must use reasonable endeavours to provide [all] those End Users … with appropriate information on how to use their credentials safely and securely.
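As an added illustration (not code from the slides or the UK federation) of how an IdP could honour rules 6.2, 6.4.1 and 6.4.2 for the BCE attributes mentioned on slide 11 (ePA, ePE): a hypothetical per-activity register that asserts an `affiliate@scope` affiliation rather than a student or staff one, releases no attributes at all once a participant is revoked, and refuses to re-issue an eduPersonPrincipalName inside the 24-month window. The scope `example.ac.uk`, local ids and any entitlement URNs passed in are constructed values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Rule 6.4.2: a persistent identifier must not be re-issued to another End User
# for at least 24 months after its last possible use; approximated as 730 days.
REISSUE_QUARANTINE = timedelta(days=730)

@dataclass
class Participant:
    eppn: str            # eduPersonPrincipalName, e.g. jdoe@example.ac.uk
    affiliation: str     # unscoped eduPersonAffiliation value for this activity
    entitlements: list   # eduPersonEntitlement values (constructed URNs in callers)
    active: bool = True
    last_use: date = None

class BceRegister:
    # Hypothetical IdP-side register for one BCE activity; dates are ISO strings.
    def __init__(self, scope):
        self.scope = scope   # the IdP's security domain, e.g. example.ac.uk
        self.people = {}     # eppn -> Participant
        self.retired = {}    # eppn -> earliest date the identifier may be issued again

    def enrol(self, local_id, today, entitlements=(), affiliation="affiliate"):
        """Issue a credential under a documented process (rule 6.2)."""
        today, eppn = date.fromisoformat(today), f"{local_id}@{self.scope}"
        if eppn in self.people and self.people[eppn].active:
            raise ValueError(f"{eppn} is already enrolled")
        if today < self.retired.get(eppn, today):
            raise ValueError(f"{eppn} is quarantined until {self.retired[eppn]}")
        self.people[eppn] = Participant(eppn, affiliation, list(entitlements))
        return eppn

    def revoke(self, eppn, today):
        """Rule 6.4.1: revoke promptly, then quarantine the identifier (6.4.2)."""
        today, p = date.fromisoformat(today), self.people[eppn]
        p.active, p.entitlements = False, []
        last_possible_use = today if p.last_use is None else max(p.last_use, today)
        self.retired[eppn] = last_possible_use + REISSUE_QUARANTINE
        return self.retired[eppn].isoformat()

    def attributes(self, eppn, today):
        """Attributes an SP would receive; nothing at all for former participants."""
        p = self.people.get(eppn)
        if p is None or not p.active:
            return {}
        p.last_use = date.fromisoformat(today)
        return {"eduPersonPrincipalName": eppn,
                "eduPersonScopedAffiliation": f"{p.affiliation}@{self.scope}",
                "eduPersonEntitlement": sorted(p.entitlements)}
```

A real deployment would also record who performed each enrolment and revocation, since rule 6.2 requires the issuing process itself to be documented and producible on request.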
17. Questions begged
    - What agreements are needed (between 2+ IdPs involved in a shared BCE activity) for true federated trust?
    - Has anyone done this properly yet?

18. What would be nice
    - (but we haven’t seen it happening yet)
    - The ‘host’ organisation for a BCE activity accepting IdM by org(s) from which participants come

19. Extending Access Management to Business & Community Engagement
    John Paschoud, Local Knowledge <John@Paschoud.org>, working with www.Identity-Project.org
