Identity Management at USC: Collaboration, Governance, Access

Identity Management at USC: Collaboration, Governance, Access. Margaret Harrington, Director, Organization Improvement Services; Brendan Bellina, Identity Services Architect and Manager of Enterprise Middleware Development.

Upload: caldwell-douglas

Post on 03-Jan-2016

TRANSCRIPT

Page 1: Identity Management at USC: Collaboration, Governance, Access

Identity Management at USC: Collaboration, Governance, Access

Margaret Harrington

Director, Organization Improvement Services

Brendan Bellina

Identity Services Architect and Manager of Enterprise Middleware Development

Page 2

8/8/2008 EDUCAUSE LIVE! 2

University of Southern California

• Private research university, founded 1880

• 33,500 students (16,500 undergraduate, 17,000 graduate and professional)

• 3,200 full-time faculty, 8,200 staff

• $1.9 billion annual budget, $432 million sponsored research

• Two major LA campuses; six additional US locations; four international offices

Page 3

Today’s Presentation

• Overview of USC identity management program: evolution, scope and structure

• Highlight three distinctive characteristics

– Broad participation and collaboration among business and technical communities

– Data and policy governance as core activity

– Attribute access process

• Future objectives

Page 4

Definition

Identity and Access management (IAM) is a broad administrative function that identifies individuals in a system (in this case, USC), and controls and facilitates their access to resources within that system by associating user rights and restrictions with the established identity.

Page 5

Evolution

• 2001 – Eliminate/Suppress Social Security Numbers

• 2002 – Commit to unified identifier – USC ID number

• 2003 – Build data governance structure

• 2005 – Enable authentication and authorization

• 2007 – Support affiliates and visitors

Page 6

“We hold the need for Identity Management to be self-evident…”

• IAM at USC has been grass-roots – not driven by institutional directive

• Wide-spread volunteer engagement by “business” community

• Organization Improvement Services provides logistic support and operational leadership

• Information Technology Services leads technical development

Page 7

What is Data Governance?

Data Governance brings together cross-functional teams to make interdependent rules or to resolve issues or to provide services to data stakeholders. These cross-functional teams - Data Stewards and/or Data Governors - generally come from the Business side of operations. They set policy that IT and Data groups will follow as they establish their architectures, implement their own best practices, and address requirements. Data Governance can be considered the overall process of making this work.

http://www.datagovernance.com/adg_data_governance_governance_and_stewardship.html

Page 8

IAM Data Governance Committees

• Directory Services Steering Committee – policy development committee meets every 3 weeks

– focuses on policy regarding data acquisition and release, integration, and communication

– attendees include senior management representatives from academic schools, administrative departments, major IT units, General Counsel

• GDS Executive Committee - management committee every other week

– focuses on technical and staffing issues affecting direction and prioritizations

– attendees include management representatives from SOR’s and GDS team

• Data Team - technical committee meets monthly

– focuses on operational issues affecting SOR’s and PR/GDS

– attendees include representatives from SOR’s and GDS team

• Working Groups

Page 9

Page 10

Data Team

Page 11

GDS Executive Committee

Page 12

Directory Services Steering Committee

Page 13

Identity Operational

Data Store ???

Page 14

Person Registry Policies

• Data Definitions (format of dates, names, identifiers, phone numbers, etc)

• Data Transport policies

• De-duping: Handling matches, partial matches

• Resource requirements for Systems of Record (SOR)

• Data Access policies - No access except for IAM purposes by approved SOR’s

Page 15

Attribute Access Request Process

• Required for all data requests to GDS content

• Directory Steering Committee reviews all new AAR submissions

• Data Stewards must also approve requests

• Requests must be reauthorized every 2 years

• Changes in data requirements require submission of a new AAR

Page 16

AAR Workflow

• Application sponsor or manager contacts Director of Organization Improvement to request AAR meeting

• Director of Organization Improvement schedules meeting with: Application sponsor, ITS IdM Team

• Meeting produces AAR document

Page 17

AAR Workflow (cont.)

• AAR routed to Data Stewards and DSC for approval

• Approved AAR posted to GDS Wiki page

• ITS IdM Team works with requestor to implement request

Page 18

Typical AAR Questions

• What information is needed?

• For what purpose?

• For what population?

• For what service?

• Is data for confidential students or employees required?

• Are there user exceptions?

Page 19

Common Attributes Released

• A persistent identifier

• A name

• An entitlement

• An email address

Page 20

Additional Attributes

• Group membership

• Course enrollment and/or association

• Affiliation

• Employment information (Department, Title, Work Status, etc.)

• Academic information (major, minor, school, level, year, etc.)

• Contact information (addresses, phone numbers, email addresses, etc.)

Page 21

Typical DSC Policies

• All data must be transmitted securely

• Servers must be properly secured

• No unnecessary release of attributes

• No chaining of data release

Page 22

Number of AAR’s Processed by the DSC

Page 23

Departments Submitting AAR’s

• Information Technology Services

• Office of the Provost

• Office of the Registrar

• Student Affairs

• Cancer Center

• Viterbi School of Engineering

• Marshall School of Business

• USC College

• USCard Services

• Cinematic Arts

• School of Theatre

• Trojan Transportation Services

• Family Medicine

• Career and Protective Services

• Career Planning and Placement Center

• University Libraries

Page 24

Notable Successes

• University Portal

• Blackboard

• Online Class Roster

• iTunes U

• Confluence Wiki

• MovableType Blog

• Google Apps

• Student Scheduling Portal

• Online Schedule of Classes

• iVIP Guest/Affiliate System

• Orientation Reservations

• DSpace Digital Repository

• Online Whitepages

Page 25

Next Steps for IAM at USC

• Build on foundation of trust

• Formalize executive endorsement and institutional expectations

– Participation of all systems and databases with people information (except patients and clinical trials participants)

– General use of central resource for authentication, authorization and personalization

Page 26

Next Steps for IAM at USC

• Expand Identity Data

– Enhance iVIP, add Alumni/Donor/Parent system

– Add smaller SOR’s – Emeriti, USCard

• Establish and fund administrative home “Office of Identity Management”

• Establish Identity Management (Directory Services) Steering Committee as presidential committee

• Reduce use of data feeds

• Pursue external federated relationships

Page 27

Additional Resources

- USC GDS website: http://www.usc.edu/gds

- Additional Presentations: http://its.usc.edu/~bbellina