Identity Management at USC: Collaboration, Governance, Access. Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity Services Architect and Manager of Enterprise Middleware Development. University of Southern California.
University of Southern California
• Private research university, founded 1880
• 33,500 students (16,500 undergraduate, 17,000 graduate and professional)
• 3,200 full-time faculty, 8,200 staff
• $1.9 billion annual budget, $432 million sponsored research
• Two major LA campuses; six additional US locations; four international offices
EDUCAUSE LIVE!

Today’s Presentation
• Overview of USC identity management program: evolution, scope and structure
• Highlight three distinctive characteristics
  • Broad participation and collaboration among business and technical communities
  • Data and policy governance as core activity
  • Attribute access process
• Future objectives

Definition
Identity and Access Management (IAM) is a broad administrative function that identifies individuals in a system (in this case, USC), and controls and facilitates their access to resources within that system by associating user rights and restrictions with the established identity.

Evolution
• 2001 – Eliminate/Suppress Social Security Numbers
• 2002 – Commit to unified identifier – USC ID number
• 2003 – Build data governance structure
• 2005 – Enable authentication and authorization
• 2007 – Support affiliates and visitors

“We hold the need for Identity Management to be self-evident…”
• IAM at USC has been grass-roots – not driven by institutional directive
• Widespread volunteer engagement by “business” community
• Organization Improvement Services provides logistic support and operational leadership
• Information Technology Services leads technical development

What is Data Governance?
Data Governance brings together cross-functional teams to make interdependent rules or to resolve issues or to provide services to data stakeholders. These cross-functional teams - Data Stewards and/or Data Governors - generally come from the Business side of operations. They set policy that IT and Data groups will follow as they establish their architectures, implement their own best practices, and address requirements. Data Governance can be considered the overall process of making this work.
http://www.datagovernance.com/adg_data_governance_governance_and_stewardship.html

IAM Data Governance Committees
• Directory Services Steering Committee – policy development committee meets every 3 weeks
  • focuses on policy regarding data acquisition and release, integration, and communication
  • attendees include senior management representatives from academic schools, administrative departments, major IT units, General Counsel
• GDS Executive Committee – management committee meets every other week
  • focuses on technical and staffing issues affecting direction and prioritizations
  • attendees include management representatives from SOR’s and GDS team
• Data Team – technical committee meets monthly
  • focuses on operational issues affecting SOR’s and PR/GDS
  • attendees include representatives from SOR’s and GDS team
• Working Groups

Data Team
GDS Executive Committee
Directory Services Steering Committee
Identity Operational Data Store ???
Person Registry Policies
• Data Definitions (format of dates, names, identifiers, phone numbers, etc.)
• Data Transport policies
• De-duping: Handling matches, partial matches
• Resource requirements for Systems of Record (SOR)
• Data Access policies - No access except for IAM purposes by approved SOR’s

Attribute Access Request Process
• Required for all data requests to GDS content
• Directory Steering Committee reviews all new AAR submissions
• Data Stewards must also approve requests
• Requests must be reauthorized every 2 years
• Changes in data requirements require submission of a new AAR

AAR Workflow
• Application sponsor or manager contacts Director of Organization Improvement to request AAR meeting
• Director of Organization Improvement schedules meeting with: Application sponsor, ITS IdM Team
• Meeting produces AAR document

AAR Workflow (cont.)
• AAR routed to Data Stewards and DSC for approval
• Approved AAR posted to GDS Wiki page
• ITS IdM Team works with requestor to implement request

Typical AAR Questions
• What information is needed?
• For what purpose?
• For what population?
• For what service?
• Is data for confidential students or employees required?
• Are there user exceptions?

Common Attributes Released
• A persistent identifier
• A name
• An entitlement
• An email address

Additional Attributes
• Group membership
• Course enrollment and/or association
• Affiliation
• Employment information (Department, Title, Work Status, etc.)
• Academic information (major, minor, school, level, year, etc.)
• Contact information (addresses, phone numbers, email addresses, etc.)

Typical DSC Policies
• All data must be transmitted securely
• Servers must be properly secured
• No unnecessary release of attributes
• No chaining of data release

Number of AAR’s Processed by the DSC
Departments Submitting AAR’s
• USCard Services
• Cinematic Arts
• School of Theatre
• Trojan Transportation Services
• Family Medicine
• Career and Protective Services
• Career Planning and Placement Center
• University Libraries
• Information Technology Services
• Office of the Provost
• Office of the Registrar
• Student Affairs
• Cancer Center
• Viterbi School of Engineering
• Marshall School of Business
• USC College

Notable Successes
• Online Schedule of Classes
• iVIP Guest/Affiliate System
• Orientation Reservations
• DSpace Digital Repository
• Online Whitepages
• University Portal
• Blackboard
• Online Class Roster
• iTunes U
• Confluence Wiki
• MovableType Blog
• Google Apps
• Student Scheduling Portal

Next Steps for IAM at USC
• Build on foundation of trust
• Formalize executive endorsement and institutional expectations
• Participation of all systems and databases with people information (except patients and clinical trials participants)
• General use of central resource for authentication, authorization and personalization

Next Steps for IAM at USC
• Expand Identity Data
• Enhance iVIP, add Alumni/Donor/Parent system
• Add smaller SOR’s – Emeriti, USCard
• Establish and fund administrative home “Office of Identity Management”
• Establish Identity Management (Directory Services) Steering Committee as presidential committee
• Reduce use of data feeds
• Pursue external federated relationships

Additional Resources
• USC GDS website: http://www.usc.edu/gds
• Additional Presentations: http://its.usc.edu/~bbellina