June 26, 2022 © University of Reading 2007 www.reading.ac.uk Go to View > Master > Slide Master to put your unit name here IT Services Identity Management
Mar 28, 2015
April 10, 2023 © University of Reading 2007 www.reading.ac.uk
Go to View > Master > Slide Master to put your unit name here
IT ServicesIdentity Management
2To put your footer here go to View > Header and Footer
What is identity management?
• The management of data that relates to an individual’s identity
• Use of that data– Data is created– Data is shared– Data is used to determine an individual’s access to
resources
3To put your footer here go to View > Header and Footer
Why manage it better?
• Improved accuracy and consistency of data
• Improved efficiency of processes
• Reduced security risks
4To put your footer here go to View > Header and Footer
How do we plan to do this?
• Using Microsoft Identity Lifecycle Manager
• Phased Identity Management Project
5To put your footer here go to View > Header and Footer
How ILM works• ILM connects multiple data sources. These do not have to
be compatible with one another
• Data from these sources is combined into a single unified view within ILM’s metadirectory
• For each item of data the authoritative source is determined
• ILM imports that data from its authoritative source and using pre-defined rules updates other connected systems
• Data can change in its authoritative source at any time
• ILM checks for changes at pre-determined intervals
• Can also be triggered to perform an immediate run
6To put your footer here go to View > Header and Footer
Example
ILMMetaverse
RISIS
BB
Student noNameDeptCourseUsernameStudent no
NameCourseUsername
Student noNameDeptCourseUsername
7To put your footer here go to View > Header and Footer
First phase project goals
• Unique identifier per individual
• Propagation of identity data
• Increased automation of user account provisioning and de-provisioning
• More timely, accurate provision and removal of access
• Role based access control
• Content free usernames
• Web accessible communications directory
8To put your footer here go to View > Header and Footer
Solution overview
SQL
PostProcessing
SQL
ILM
SQL
GroupPopulator Delayed
Action
SQL
Home Drive/File Storage
Communications Directory
ADAM
RISIS (Students)
SQL
Students XMA
Midland Trent (Staff)
SQLEmployees XMA
ADAM MAActive Directory & Exchange 2003
ADStudent Active Directory MA
Post Processing Drive Creation
User
HR
Students at Registration
Unix Mail
ADAM
Student ADAM MA
User
Communications Directory Interface
Remedy
SQL
Employee External XMA
SQL
Actions Logging
Message Delivery
Trent Users XMA
Tutors Delimited File
NIS Export
File
NIS Export
Employee/Xternal Active Directory MA
Student XMA
Employee/Xternal ADAM MA
9To put your footer here go to View > Header and Footer
Unique identifier
• Generated by ILM for each individual
• Links staff and student information
• 8 digits
10To put your footer here go to View > Header and Footer
Propagation of identity data
• Authoritative source
• Self service
• Replacement of existing batch data feeds
11To put your footer here go to View > Header and Footer
ILM provisioning
• ILM detects & imports data from RISIS, HR or Remedy• ILM either generates unique UoR id or joins to existing metaverse object• ILM generates username and email address • ILM provisions record into AD• Attributes passed to Exchange which provisions the mailbox and GAL
entry (staff) • ILM passes mail address and other attributes to the UNIX mail ADAM
from where mailboxes are created (student and external)• A home drive is created with filestore quota set according to user status• ILM provisions record into Remedy (staff & student)• ILM provisions record into the communications directory ADAM (staff)• If a member of academic staff ILM provisions record into the tutor table
in RISIS• Username and email address exported back to originating system
12To put your footer here go to View > Header and Footer
ILM deprovisioning• ILM has a delayed action provisioned for leave-date + 1• When leave-date + 1 is reached
– ILM disables AD account– User’s home drive permissions updated by removing windows permissions
and writing Windows Administrator permissions.– Remedy updated and “in grace period” begins– User removed from communications directory– If academic employee then RISIS tutor record set to not in use– Second delayed action provisioned for leave-date + grace period
• When leave-date + grace period is reached– AD account deleted– Remedy status set to “deleted”– User removed from UNIX mail ADAM – Home directory removed– Username and email removed from originating system– Third delayed action provisioned for leave-date + 1 year + 1 week
• When leave-date + 1 year + 1 week is reached– Remedy record is deleted
13To put your footer here go to View > Header and Footer
More timely provision / removal of access
• Enabling and disabling of accounts happens on an individual basis rather than as a batch process
• Staff accounts created earlier
• Automation forces the University to define rules
• Rules are then applied more accurately and consistently
• Auditors are happier
14To put your footer here go to View > Header and Footer
Role Based Access Control
• A copy of attributes relating to role, such as dept, status, year of entry etc, can easily be maintained by ILM in a connected ADAM.
• Client systems connecting to this ADAM can use this role data to determine an individual’s access rights in their own system.
15To put your footer here go to View > Header and Footer
Content free usernames• Inconvenient to change username when dept or status
changes. These changes are becoming increasingly common. An individual’s username will no longer change.
• Information contained in the current username structure will be made available through an ADAM.
• New usernames will consist of 6 randomly generated chars, aannnn.
• Existing usernames will remain unchanged but should be regarded as content free.
• A new employee will only be given 1 staff username. A new student will only be given1 student username. Where an individual is both an employee and a student they will be given 1 for each role.
• A web based equivalent of the PERSON command will be created before ILM is implemented.
16To put your footer here go to View > Header and Footer
Communications directory
• A web accessible communications directory will be created
• This will always be as up to date as the HR system
• Employee self service will enable staff to maintain name and telephone number data themselves
17To put your footer here go to View > Header and Footer
Timescales
• Most of the development work has been done
• Next step is data cleansing and testing
• Plan to go live in April 08
18To put your footer here go to View > Header and Footer
Future Developments
• Use of ILM to gradually replace batch data feeds between systems
• Development of more refined role based access control
• Consider having 1 username per individual
• Consider more frequent data synchronisations if demand for it