The document outlines the identity management goals and strategies of St. Vincent Health, primarily focused on regulatory compliance, cost reduction, and improving service quality through automation of identity processes. It details the organization's roadmap for implementing identity management solutions, including challenges faced, user management workflows, and lessons learned during the implementation process. The document emphasizes the importance of cooperation with human resources and the necessity for a thorough understanding of business processes to achieve successful identity management.

1. Novell Identity Manager
®
It’s Not Just about Identity Management Anymore!
Steve Whicker Sarah Hetrick
Manager – Security Compliance Sr Technical Engineer
AHIS – Central Region AHIS – Central Region
St Vincent Health St Vincent Health
sawhicke@stvincent.org sehetric@stvincent.org

2. Identity Management Goals
at St. Vincent Health
• Enable regulatory compliance (HIPAA) and internal controls
in IS security processes
• Reduce operating costs through user account provisioning
(process automation) and sharing common infrastructure
components
• Decrease corporate exposure by reducing the risk of
unauthorized access to data & automating enforcement of
security policy
• Improve associate satisfaction by automating online HR
benefits management
• Improve data integrity by decreasing duplicative identity data
stores and manual data entry processes
• Improve the quality of services provided by IS
2 © Novell, Inc. All rights reserved.

3. St. Vincent Health’s Identity
Management Drivers
Regulatory
Security Efficiency / Cost
Compliance
• HIPAA • Automate Manual • Reduce Manual
• Unique user Security Policies Admin via automated
identification • Automate Identity account provisioning
requirements Management (Create, • Manage online HR
• Access Control Modify, Delete) Benefits
Requirements • Automate Roles • Set up Foundation for
• Auditing Based Access Expanded Services
Requirements Control • Improve Data
• Minimum Necessary
• Automate Workflow Accuracy
Requirements Approval, Denial • Leverage Current
• Enterprise Role- Investments
based Access Control • Provide Password
(RBAC) model Reset Self Service
• Auditing / Reporting
3 © Novell, Inc. All rights reserved.

4. Where We Started (July 2005)
• Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)
• Two separate and overlapping access request processes for identity
and access management (ID Request & IS Request), made it difficult
to centrally manage the access request and change logs
• Identity creation and management was a manual process
• No centralized process to document request completion
• No formal validation process to verify the authenticity of requesting
manager
• Multiple touch points (Network Administrator and Application support
personnel) for creation of Login ID for an individual user
• De-provisioning process was not consistently followed
• No user entitlement matrix existed
4 © Novell, Inc. All rights reserved.

5. Our Identity Management Roadmap
Infrastructure
Enable Bi-
Upgrade NT Upgrade Existing Consolidate File
Readiness
Directory
Directional
Domains to AD Drivers to IdM2 Services Trees
Creates
Implement
Universal Password
Document Identity Implement
Implementation
Design Enhanced
Management
Provisioning
PeopleSoft
Design and
Identity Management
Enhanced
Requirements Connector Implement Web
Implement
Based
Password Self
Document Web based Provisioning
Process Design Web based Service Enhance Existing
Provisioning Workflow
Analysis and Provisioning Workflow Connectors and
Design Workflow
Implement
Requirements
Provisioning Design
and Implementation
Role Based
Role Definition and Mapping
Document Role based Design Role Implement Role
Provision users to
provisioning based based access and
additional systems
requirements provisioning provisioning
Design
Identify Audit Audit Logging ( enable real time logging with appropriate systems)
Auditing and
Auditing and
Needs
Reporting
Reporting
Implement Audit
Skill
Skills Development and Training
Assessment
Business and
Ongoing
Support
Ongoing Maintenance and Support
Governance, Organizational Change Management and Communication
5 © Novell, Inc. All rights reserved.

6. Identity and Request
Management Portal
Windows
Biztalk Data
Warehouse
Windows
Vistar
STVLDAP
Windows
IND1
IDV
Identity Management Portal
Windows
National AD / Exchange STVI STVNET
Windows
6 © Novell, Inc. All rights reserved.

7. Hiring Process
Start 1 20. User and Manager
receives notification that
Non-System
application has been granted
Processes
1. HR/manager is notified
of new hire (associate/
non-associate)
PeopleSoft
2. HR/manager enters 7. PeopleSoft is
HRMS
hire data into PS updated with Login
(associate / non- ID & email address
associate)
No 19. Workflow
Workflow Processes
3. All required attributed 5a. Identity Manager 6. Identity Manager 5b. Go to generates email
Yes
eDirectory (IDV)
Are available and 4. Is this a determine unique creates and places Modify Users notifications
PeopleSoft effective new Identity? Login ID the Identity Process Box
Yes
™
date has transpired #4
13. Identity Manager Manager 12. Go to 18. Application
15b. Application 14. WF 11. Identity Manager
generates workflow & requests Modify Users support approves
support checks queue approved by emails manager of WF
email notify for default additional Process Box
approver? new hire
applications per rules Apps via WF #10b
Yes for non
connected
SVHLDAP)
eDirectory
8b. Identity Manager 8a. Identity Manager
(STVI &
system
creates Identity in creates Identity in
SVHLDAP STVI
Directory Directory
(STVNET) (IND1)
9. Identity Manager
Active
Yes for connected system creates Identity IND1
Active
10. Identity Manager
creates Identity STVNET
Other Applications
17. Application support
16. Application support
creates Identity and
determines access rights
access rights
15a. Create new
Process perfomed for each application requested user account automatically
7 © Novell, Inc. All rights reserved.

8. Termination Process
Start 1 Start 2 Start 3
15. Manager
Non-System
Processes
1. Manager is notified of a 1b. HR Service Center is 5. Server team is email notified that the receives notification
termination event for notified of termination 1c. Termination is initiated user never showed up for work, research is
associate or non event for associate or non through VISTAR feed done, accounts may be deleted manually,
associate associate instead of just disable automatically
PeopleSoft
HRMS
2. Data is entered into
PeopleSoft HRMS
14. Workflow generates
Workflow Processes
3. IDM Updates User data in
eDirectory (IDV)
4a. Is this an a email notifications
IDV. disables account & moves
no show hire?
user to the inactive container
™
4b. Routes termination
Yes 11. All application support admin(s) 13.
are notified via email of a termination Application Support
WF request to all app
workflow task to be completed after Approves WF
security admin(s)
they disable or delete the account
SVHLDAP)
eDirectory
(STVI &
6. IDM Updates User data in 7. IDM disables Groupwise
10. IDM deletes user
STVI. disables account & moves user and sets visibility
account in SVHLDAP
user to the inactive container to note
Directory Directory
8. IDM Updates User data in
(STVNET) (IND1)
Active
IND1. disables account & moves
user to the inactive container
Active
9. IDM deletes user
account in STVNET
Other Applications
13. Application support admins
disable/delete user manually
in other application(s)
8 © Novell, Inc. All rights reserved.

9. Other Processes Handled
• Renames (Name Changes)
• Business Unit Changes
• User Data Changes
9 © Novell, Inc. All rights reserved.

10. Automated Escalation Process Insures
Customer Request Are Not Lost
Initiated by Manager to
Grant application for End User
Application Escalate to 2nd Escalation to
Owner Owner's Mgr Owner's Mgr
Start
1d
2d Denied
Could take 3d Time
Out
up to 6 days 4d Denied
5d Time
Out
6d Denied
Approved *
Ti m e
Out
Approved * Approved *
* indicates Log for all
IDM denied activities
completion
Entitlement
of work
is granted
Finished
10 © Novell, Inc. All rights reserved.

11. Service Request Management
• Replaced existing Information Services Request
(ISR) System
• Provides three different workflow processes
– Catalog Equipment Order
– Equipment Moves & Removals
– Professional Services (Including Projects)
• Utilized management hierarchy to route approvals
• Ties Identity and Request Management (IDRM) to
the ticketing system
– Currently a manual connection
– Future connection will be automated using SOAP
11 © Novell, Inc. All rights reserved.

12. Professional Services Workflow
PSP Request Initiated
Manager Approval
IS Tuesday / Thursday
Group Reviews Request
Start Project
Project?
Workflow Process
Request discussed with
Requires Assign team for Manager OK Request
Requested Approving
Assessment? evaluation with Cost? Terminated
Manager
Assign to
Appropriate team
E-mail to Services Desk Ticket number is E-mail to requester
with request information entered into IDRM with status and
Finish
for ticket creation Request and closed Ticket Number
12 © Novell, Inc. All rights reserved.

13. Self-Service Password Reset
• Provides user the ability to reset their own
password anytime any place
– At work
– At home on portals
• Reduces Helpdesk calls
• Provides for positive validation of user identity
through “Challenge and Response” Questions
• Easily integrates with current systems
13 © Novell, Inc. All rights reserved.

14. Lessons Learned
• Know and thoroughly document your environment
• Assume nothing
(verify things actually work as advertised)
• Understand the organizations business processes
– Talk to the users and understand yours and their
business processes
• Cooperation and involvement of Human
Resources is vital
• Have a viable test environment
• Be prepared for problems
14 © Novell, Inc. All rights reserved.

15. What’s Next?
• Install the Roles and Provisioning Module
– Upgraded version of the User Application
• Role Based Provisioning Design and Implementation
15 © Novell, Inc. All rights reserved.

16. Demonstration

17. Questions?

19. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.