1 / 18

IT Services

IT Services. Identity Management. What is identity management?. The management of data that relates to an individual’s identity Use of that data Data is created Data is shared Data is used to determine an individual’s access to resources. Why manage it better?.

Download Presentation

IT Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IT Services Identity Management

  2. What is identity management? • The management of data that relates to an individual’s identity • Use of that data • Data is created • Data is shared • Data is used to determine an individual’s access to resources

  3. Why manage it better? • Improved accuracy and consistency of data • Improved efficiency of processes • Reduced security risks

  4. How do we plan to do this? • Using Microsoft Identity Lifecycle Manager • Phased Identity Management Project

  5. How ILM works • ILM connects multiple data sources. These do not have to be compatible with one another • Data from these sources is combined into a single unified view within ILM’s metadirectory • For each item of data the authoritative source is determined • ILM imports that data from its authoritative source and using pre-defined rules updates other connected systems • Data can change in its authoritative source at any time • ILM checks for changes at pre-determined intervals • Can also be triggered to perform an immediate run

  6. Student no Name Dept Course Username RISIS Student no Name Dept Course Username Student no Name Course Username ILM Metaverse BB Example

  7. First phase project goals • Unique identifier per individual • Propagation of identity data • Increased automation of user account provisioning and de-provisioning • More timely, accurate provision and removal of access • Role based access control • Content free usernames • Web accessible communications directory

  8. Solution overview

  9. Unique identifier • Generated by ILM for each individual • Links staff and student information • 8 digits

  10. Propagation of identity data • Authoritative source • Self service • Replacement of existing batch data feeds

  11. ILM provisioning • ILM detects & imports data from RISIS, HR or Remedy • ILM either generates unique UoR id or joins to existing metaverse object • ILM generates username and email address • ILM provisions record into AD • Attributes passed to Exchange which provisions the mailbox and GAL entry (staff) • ILM passes mail address and other attributes to the UNIX mail ADAM from where mailboxes are created (student and external) • A home drive is created with filestore quota set according to user status • ILM provisions record into Remedy (staff & student) • ILM provisions record into the communications directory ADAM (staff) • If a member of academic staff ILM provisions record into the tutor table in RISIS • Username and email address exported back to originating system

  12. ILM deprovisioning • ILM has a delayed action provisioned for leave-date + 1 • When leave-date + 1 is reached • ILM disables AD account • User’s home drive permissions updated by removing windows permissions and writing Windows Administrator permissions. • Remedy updated and “in grace period” begins • User removed from communications directory • If academic employee then RISIS tutor record set to not in use • Second delayed action provisioned for leave-date + grace period • When leave-date + grace period is reached • AD account deleted • Remedy status set to “deleted” • User removed from UNIX mail ADAM • Home directory removed • Username and email removed from originating system • Third delayed action provisioned for leave-date + 1 year + 1 week • When leave-date + 1 year + 1 week is reached • Remedy record is deleted

  13. More timely provision / removal of access • Enabling and disabling of accounts happens on an individual basis rather than as a batch process • Staff accounts created earlier • Automation forces the University to define rules • Rules are then applied more accurately and consistently • Auditors are happier

  14. Role Based Access Control • A copy of attributes relating to role, such as dept, status, year of entry etc, can easily be maintained by ILM in a connected ADAM. • Client systems connecting to this ADAM can use this role data to determine an individual’s access rights in their own system.

  15. Content free usernames • Inconvenient to change username when dept or status changes. These changes are becoming increasingly common. An individual’s username will no longer change. • Information contained in the current username structure will be made available through an ADAM. • New usernames will consist of 6 randomly generated chars, aannnn. • Existing usernames will remain unchanged but should be regarded as content free. • A new employee will only be given 1 staff username. A new student will only be given1 student username. Where an individual is both an employee and a student they will be given 1 for each role. • A web based equivalent of the PERSON command will be created before ILM is implemented.

  16. Communications directory • A web accessible communications directory will be created • This will always be as up to date as the HR system • Employee self service will enable staff to maintain name and telephone number data themselves

  17. Timescales • Most of the development work has been done • Next step is data cleansing and testing • Plan to go live in April 08

  18. Future Developments • Use of ILM to gradually replace batch data feeds between systems • Development of more refined role based access control • Consider having 1 username per individual • Consider more frequent data synchronisations if demand for it

More Related