Presentation on theme: "Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity."— Presentation transcript:
Identity Management at USC: Collaboration, Governance, Access Margaret Harrington Director, Organization Improvement Services Brendan Bellina Identity Services Architect and Manager of Enterprise Middleware Development
8/8/2008EDUCAUSE LIVE!2 University of Southern California Private research university, founded 1880 33,500 students (16,500 undergraduate, 17,000 graduate and professional) 3,200 full-time faculty, 8,200 staff $1.9 billion annual budget, $432 million sponsored research Two major LA campuses; six additional US locations; four international offices
8/8/2008EDUCAUSE LIVE!3 Today’s Presentation Overview of USC identity management program: evolution, scope and structure Highlight three distinctive characteristics –Broad participation and collaboration among business and technical communities –Data and policy governance as core activity –Attribute access process Future objectives
8/8/2008EDUCAUSE LIVE!4 Definition Identity and Access management (IAM) is a broad administrative function that identifies individuals in a system (in this case, USC), and controls and facilitates their access to resources within that system by associating user rights and restrictions with the established identity.
8/8/2008EDUCAUSE LIVE!5 Evolution 2001 – Eliminate/Suppress Social Security Numbers 2002 – Commit to unified identifier – USC ID number 2003 – Build data governance structure 2005 – Enable authentication and authorization 2007 – Support affiliates and visitors
8/8/2008EDUCAUSE LIVE!6 “We hold the need for Identity Management to be self-evident…” IAM at USC has been grass-roots – not driven by institutional directive Wide-spread volunteer engagement by “business” community Organization Improvement Services provides logistic support and operational leadership Information Technology Services leads technical development
8/8/2008EDUCAUSE LIVE!7 What is Data Governance? Data Governance brings together cross- functional teams to make interdependent rules or to resolve issues or to provide services to data stakeholders. These cross-functional teams - Data Stewards and/or Data Governors - generally come from the Business side of operations. They set policy that IT and Data groups will follow as they establish their architectures, implement their own best practices, and address requirements. Data Governance can be considered the overall process of making this work. http://www.datagovernance.com/adg_data_governance_governance_and_stewardship.html
8/8/2008EDUCAUSE LIVE!8 IAM Data Governance Committees Directory Services Steering Committee – policy development committee meets every 3 weeks focuses on policy regarding data acquisition and release, integration, and communication attendees include senior management representatives from academic schools, administrative departments, major IT units, General Counsel GDS Executive Committee - management committee every other week focuses on technical and staffing issues affecting direction and prioritizations attendees include management representatives from SOR’s and GDS team Data Team - technical committee meets monthly focuses on operational issues affecting SOR’s and PR/GDS attendees include representatives from SOR’s and GDS team Working Groups
8/8/2008EDUCAUSE LIVE!13 Identity Operational Data Store ???
8/8/2008EDUCAUSE LIVE!14 Person Registry Policies Data Definitions (format of dates, names, identifiers, phone numbers, etc) Data Transport policies De-duping: Handling matches, partial matches Resource requirements for Systems of Record (SOR) Data Access policies - No access except for IAM purposes by approved SOR’s
8/8/2008EDUCAUSE LIVE!15 Attribute Access Request Process Required for all data requests to GDS content Directory Steering Committee reviews all new AAR submissions Data Stewards must also approve requests Requests must be reauthorized every 2 years Changes in data requirements require submission of a new AAR
8/8/2008EDUCAUSE LIVE!16 AAR Workflow Application sponsor or manager contacts Director of Organization Improvement to request AAR meeting Director of Organization Improvement schedules meeting with: Application sponsor, ITS IdM Team Meeting produces AAR document
8/8/2008EDUCAUSE LIVE!17 AAR Workflow (cont.) AAR routed to Data Stewards and DSC for approval Approved AAR posted to GDS Wiki page ITS IdM Team works with requestor to implement request
8/8/2008EDUCAUSE LIVE!18 Typical AAR Questions What information is needed? For what purpose? For what population? For what service? Is data for confidential students or employees required? Are there user exceptions?
8/8/2008EDUCAUSE LIVE!19 Common Attributes Released A persistent identifier A name An entitlement An email address
8/8/2008EDUCAUSE LIVE!20 Additional Attributes Group membership Course enrollment and/or association Affiliation Employment information (Department, Title, Work Status, etc.) Academic information (major, minor, school, level, year, etc.) Contact information (addresses, phone numbers, email addresses, etc.)
8/8/2008EDUCAUSE LIVE!21 Typical DSC Policies All data must be transmitted securely Servers must be properly secured No unnecessary release of attributes No chaining of data release
8/8/2008EDUCAUSE LIVE!22 Number of AAR’s Processed by the DSC
8/8/2008EDUCAUSE LIVE!23 Departments Submitting AAR’s Information Technology Services Office of the Provost Office of the Registrar Student Affairs Cancer Center Viterbi School of Engineering Marshall School of Business USC College USCard Services Cinematic Arts School of Theatre Trojan Transportation Services Family Medicine Career and Protective Services Career Planning and Placement Center University Libraries
8/8/2008EDUCAUSE LIVE!24 Notable Successes University Portal Blackboard Online Class Roster iTunes U Confluence Wiki MovableType Blog Google Apps Student Scheduling Portal Online Schedule of Classes iVIP Guest/Affiliate System Orientation Reservations Dspace Digital Repository Online Whitepages
8/8/2008EDUCAUSE LIVE!25 Next Steps for IAM at USC Build on foundation of trust Formalize executive endorsement and institutional expectations –Participation of all systems and databases with people information (except patients and clinical trials participants) –General use of central resource for authentication, authorization and personalization
8/8/2008EDUCAUSE LIVE!26 Next Steps for IAM at USC Expand Identity Data –Enhance iVIP, add Alumni/Donor/Parent system –Add smaller SOR’s – Emeriti, USCard Establish and fund administrative home “Office of Identity Management” Establish Identity Management (Directory Services) Steering Committee as presidential committee Reduce use of data feeds Pursue external federated relationships