
Post on 13-Sep-2020


Electronic Administration and Services

Integrating Identities

Identity management in a confederacy of independent systems

Dr. Christoph Wall

Personal Identity Attributes

Age: Between 21 and 65

Kids: 2

Nationality: German

City of Residence: Berlin

Identity Management at FU Berlin, June 2009

Institutional Background


Professional Allocation


The confederacy of independent systems

Diagram labels: HR, SLcM, HIS, MyVV, Blackboard, FU Portal, Intranet, Aleph, SOC, MyFU, HR, FI, SAP Web, PublikationsDB, ProfilDB, Portal, eSA, Helpline, IT-V DB, VoIP, BSCW

Issues of the confederacy

- Distributed user administration

- Multiple identities (Many users per person)

- Several passwords

- Different password policies

- Distributed authorization

Resulting Problems

Unnecessarily large workload

- User administration needed for each application

- 40 – 60% of helpdesk work is user account related

Resulting Problems

Data security risks

- No central rights accounting

- Critical combination of rights goes undetected

Resulting Problems

IT safety risks

- No central user tracking for create/modify/delete

- Ex-employees might still have access to systems (21% of malicious intrusions committed by ex-employees)

The solution: Integrating identities with FUDIS

Diagram labels: FUDIS, HR, SLcM, HIS, MyVV, FU Portal, SOC, Aleph, Intranet, Blackboard, MyFU, SAP Web, FI, HR, PublikationsDB, ProfilDB, Portal, eSA, Helpline, IT-V DB, VoIP, BSCW

User Lifecycle Management

Lifecycle diagram label: modify

Create (Onboarding)

Diagram labels: CUA, SLcM, HIS, HR, FUDIS (FU Account), Employees, Ext. Teachers, Students, Business Partner, Student User, User, personnel data, SOC, Departments, FI, SAP Web, Intranet

Create (Authorization)

Diagram labels: CUA, SLcM, HR, FUDIS (FU Account), Employees, Ext. Teachers, Students, Business Partner, Student User, User, personnel data, SOC, FI, SAP Web, Intranet, Roles, Role, Administration, Departments, SAP Administration

Status Quo

Gains:

- Personnel data lead to automatic creation of unique FUDIS identity

- Teachers are automatically created as SLcM teaching staff users

- Students are automatically created as SLcM student users

Disadvantages:

- Employees have to be created as ERP users manually

- Departments and administration cannot administer their own users

- SAP administration is 'bottleneck' to onboarding and modification

User Lifecycle Management

Lifecycle diagram label: modify

Delete / deactivate

Diagram labels: CUA, SLcM, HIS, HR, FUDIS (FU Account), Employees, Ext. Teachers, Students, Business Partner, Student User, User, personnel data, Departments, FI, SAP Web, SAP Administration

Status Quo

Issues:

- Administrators face extra work because users have to be deleted/deactivated manually

- Severe time gap between cessation of contract and lockout from the system results in:

  - Financial loss through unused licenses

  - Security risk through unaccounted-for system access

User Lifecycle Management with SAP IdM

Lifecycle diagram label: modify

Create (Onboarding / Authorization)

Diagram labels: IdM, SLcM, HIS, HR, FUDIS (FU Account), Employees, Ext. Teachers, Students, Business Partner, Student User, User, personnel data, FI, SAP Web, Roles, Role, Administration, Departments

User Lifecycle Management

Lifecycle diagram label: modify

Delete (deactivate)

Diagram labels: IdM, SLcM, HR, FUDIS (FU Account), Employees, Ext. Teachers, Students, Business Partner, Student User, User, personnel data, FI, SAP Web, Exmatriculation

Project benefits

- IdM technology is to be supported by SAP in the future (CUA is not developed any further and will run out of support)

- Interfaces come with IdM and have to be configured, not built

- Employees with ERP users are part of automatic onboarding

- Roles can be administered decentrally by departments and administration

- Cessation of an employee's contract leads to automatic lockout from SAP systems, same as exmatriculation for student users

Integrated Identity Management helps to:

- Reduce risks

- Reduce costs

- Reduce workload

Electronic Administration and Services

Transparency and Efficiency for Excellence
