IAMUCLA The UCLA Enterprise Messaging User Group Meeting March 13, 2008.


1 IAMUCLA Overview @ The UCLA Enterprise Messaging User Group Meeting March 13, 2008

2 What is IAMUCLA?
Identity & Access Management @ UCLA
- Who wants to access a resource? (Authentication)
- Does the person have permission? (Authorization)

3 Before IAMUCLA
- User logs into each application separately using different logon IDs
- Permissions managed separately in individual applications
- Applications kept separate user identity data
(Diagram: Departmental Intranet, URSA, Class Web Sites, Discussions, Service Requests, Budgeting, Research Proposal Tracking, … and others)

4 Phase I: Identity and Authentication
- Campus-wide Credential: UCLA Logon
- Enterprise Directory: consolidated repository for person identity data; supports authentication and authorization decisions
- Web Single Sign-On: ISIS; Shibboleth – the future
- Unified Directory Data: Official Email Address

5 IAMUCLA Architecture, Take One
- ISIS/Shibboleth: Web Single Sign-On
- User logs in using UCLA Logon ID
- Enterprise Directory (ED) supplies user identity data
- Permissions managed separately in individual applications
(Diagram: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps)

6 Credentialing
(Diagram: Enterprise Directory, logon.ucla.edu, student, employee, visitors and affiliates, URSA, UID, SIS, PPS)
- Student is prompted to create a UCLA Logon during SIR
- Employee uses the self-provisioning tool to create a logon ID once she becomes an employee
- Visitor also uses the same self-provisioning tool to create a low level of assurance “guest” account
- Account creations are verified with ED identity data; created accounts are written to ED in real time
- ED receives initial identity data for UCLA members from the mainframe (near real time)

7 Over 200 Web Apps Use ISIS
URSA MyUCLA MyHousing RATS (Animal Protocols) Effort Reporting System OFSR Web Merits CBIG DAT BruinCard CCLE UCLA Jobs: PeopleAdmin Counselor Desktop CLICC Laptop Checkout Construction Mgt Database Online TSR Gradebook Online Journal Entry Transfer of Funds ATS network account provisioning ASUCLA Computer Store Online MyEvents MyFAO ISSR Data Archives Data Delivery CTS Directory Update System COMIT Duplicate W2-Forms Non-Payroll Expenditure Adjustment Post Audit Notification (PAN) BruinPost Emergency Email Notification System BruinBuy Web Reports Digital Library Programs SEAS Online SEAS Email Forwarding Wireless Network Registry Equipment Management UCLA Student Calendar UCLA Grid Portal UCLA Library Catalog UCLA in LA UCLA Library Public Wiki OID TEC Transcript System UCLA Knowledge Base Express TFT Intranet Gradebook Data Warehouse Reporting (Cognos) QDB Support and Administration APO Dossier Action Tracking My.CLICC CLICC Laptop Checkouts CTS Personnel Action Request VoIP Self-Provisioning Administration Wireless Network Registry CTS ProjectTrak Confluence JIRA My.DMA ESLPE UCLA Student Calendar Life Sciences Dossier Web Site Undergraduate Scholarship Application Work-Study Job Bulletin for Employers Summer Financial Aid Portal Music Library: Digital Audio Reserves VideoFurnace: @ Instructional Media Lab OPRS Psychology IT & HelpDesk Portals Registrar’s Office Service Request Student Records Web Registrar’s Office Transcript System UCLA Restricted Network Access Administration UCLA ResNet DMCA Admin STC Software Download UCLA Sakai Social Sciences Class Scheduler PDP Portal Social Sciences Subversion Browser SSC Ticket System Student Legal Service Case Tracking Student Health Online Services Transportation Services VoIP WebDialer CourseWeb@HSSEAS RNet Web Reports AIS Password Management Tools COR Faculty Grants Program Bruin Walkers WebIRB Schoenberg Practice Room Reservation NowPrint – Web-based Printing On Demand ESCRO FileShare
… and many more …

8 Phase II: Permission Management
- Deploy an enterprise-wide, 24x7 permissions management system
- Provide cross-campus integration for all applications
- Create custom delegation tools
- Provide support for local integration

9 Enterprise Permission Management Benefits
- Simplifies and standardizes: roles can be consistently established and maintained across campus
- Full auditability: who has access to what & when
- Instantaneous ability to revoke or change at-risk access across campus
- Streamlines the provisioning workflow
- Permits more granular access & revocation
- Reduces sharing of logons and passwords

10 IAMUCLA Architecture
- ISIS/Shibboleth: Web Single Sign-On; user logs in using UCLA Logon ID
- Enterprise Directory: ED delivers user identity, groups, and permissions data via Shibboleth
- Permission Management Tools: manage permissions once and replicate the same permissions data to non-web systems
(Diagram: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps)

11 At a Threshold
New applications are emerging with new and large communities of users:
- CCLE – Faculty & Students
- DAT – Faculty & Staff
- IWE – Students & Parents
- GRID – Researchers at UCLA & other campuses
- Clinical Research – Physicians & Students
- Research collaboration – Faculty & Students at UCLA and other campuses
A window of opportunity for a new way to handle permissions

12 Project Impacts
Strategic
- Underpins collaboration, group processes, interdisciplinary research and education, inter-industry and inter-institutional interactions
- Opens but manages the extension of campus resources to important associate members of the university
Compliance
- Significantly improves ability to meet audit requirements
- Better reporting on access to FERPA and SB1386 protected data
- Reduced risk of major security/access breach
System Lifecycle Necessity
- Critical mass of current projects represents an opportunity to integrate now

13 Project Impacts
Customer/User Impact
- Affects all UCLA faculty, students, staff
- Also affects parents, researchers and students at other campuses, etc.
Workload Impact
- Reduced staff time handling provisioning/de-provisioning tasks
- Self-service delegation reduces access delays, improves user experience
- Central support reduces developer overhead in projects; improves help desks' ability to solve a user problem on "first call"
Financial/Fiscal Impact
- Not implementing now forces all applications to expend resources to invent their own permission management schemes separately. Retrofit will be far more costly.

14 Questions?

15 Permissions Management
Examples of what happens now…
- Mainframe DACSS DSA: departmental/financial hierarchy; value-based, explicit permissions
- DAT: academic delegation hierarchy; access by position in workflow
- Class Web Sites in Schools & College: download class rosters from SRDB; explicit permissions within the application

16 Before IAMUCLA
- Each application provides its own logon ID and password
- Each application maintains customized permission lists
- IDs and passwords often unencrypted, not audited
- Authentication & Authorization often not differentiated

17 What is Permissions Management?
- “I don’t want to run around getting access to everything for my classes. I want what I need, where and when I need it.” (Student)
- “I want to quickly grant my assistant access while I’m away rather than loan her my access!” (PI)
- “I want to create a project group and when I invite someone to join that group, they immediately have all related access.” … And “When I join that group, I want immediate access to all relevant resources.” (Collaborator)
- “I want to automatically give all students enrolled in CS143 access to my lab, the class web sites, and software in the lab.” (Professor)
- “I want to run a review process in which students, faculty, staff and administrators review and approve different components and different points in the process.” (Business manager)
- “Before I terminate this person, I want to make sure all their current access is revoked throughout the campus.” (Manager)
