IT Services Identity Management
© University of Reading 2007 www.reading.ac.uk
20 April 2014

Mar 28, 2015

Katherine Cowan
Page 1:

IT Services Identity Management

Page 2:

What is identity management?

• The management of data that relates to an individual’s identity

• Use of that data
  – Data is created
  – Data is shared
  – Data is used to determine an individual’s access to resources

Page 3:

Why manage it better?

• Improved accuracy and consistency of data

• Improved efficiency of processes

• Reduced security risks

Page 4:

How do we plan to do this?

• Using Microsoft Identity Lifecycle Manager

• Phased Identity Management Project

Page 5:

How ILM works

• ILM connects multiple data sources. These do not have to be compatible with one another

• Data from these sources is combined into a single unified view within ILM’s metadirectory

• For each item of data the authoritative source is determined

• ILM imports that data from its authoritative source and using pre-defined rules updates other connected systems

• Data can change in its authoritative source at any time

• ILM checks for changes at pre-determined intervals

• Can also be triggered to perform an immediate run
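The metadirectory behaviour described on this slide, as an added example in Python (not ILM code; the source names, attribute names and records are all constructed): each attribute has an ordered list of authoritative sources, the unified view is rebuilt on every run, and only the differences flow out to connected systems. It also shows the point that matters for security: a value edited directly in a non-authoritative system (the department in AD below) is corrected on the next run, because the authoritative source always wins.

```python
# Added example, not ILM code: a toy metadirectory that merges several
# connected sources into one unified view using a per-attribute
# authoritative source, then works out what each connected system needs.
# Source names, attribute names and all records are constructed.

# Precedence per attribute: the first listed source that supplies a value
# is authoritative for it.  ILM expresses the same idea as import attribute
# flow precedence across management agents.
PRECEDENCE = {
    "name":   ["HR", "RISIS"],
    "dept":   ["HR", "RISIS"],
    "course": ["RISIS"],
    "phone":  ["SelfService", "HR"],
}

# Which metaverse attributes flow out to which connected system.
FLOWS = {
    "AD":       ["name", "dept"],
    "CommsDir": ["name", "dept", "phone"],
    "BB":       ["name", "course"],
}


def merge(sources):
    """Build the unified view: for each attribute take the value from the
    highest-precedence source that actually has one.  Attributes no source
    supplies are simply absent."""
    metaverse = {}
    for attr, order in PRECEDENCE.items():
        for src in order:
            value = sources.get(src, {}).get(attr)
            if value not in (None, ""):
                metaverse[attr] = value
                break
    return metaverse


def plan_exports(metaverse, connected):
    """Per connected system, the attributes that differ from the metaverse.
    A value edited directly in a non-authoritative system shows up here as
    a correction: the authoritative source always wins."""
    plan = {}
    for system, attrs in FLOWS.items():
        current = connected.get(system, {})
        diff = {a: metaverse[a] for a in attrs
                if a in metaverse and current.get(a) != metaverse[a]}
        if diff:
            plan[system] = diff
    return plan


def sync_run(sources, connected):
    """One run (scheduled or triggered): import, merge, export.  Returns the
    merged view and the changes applied; `connected` is updated in place."""
    metaverse = merge(sources)
    plan = plan_exports(metaverse, connected)
    for system, diff in plan.items():
        connected.setdefault(system, {}).update(diff)
    return metaverse, plan


if __name__ == "__main__":
    # Constructed sample: HR and RISIS disagree on the name, AD holds a
    # stale locally edited department, BB has never received the course.
    sources = {
        "HR":          {"name": "Alice Smith", "dept": "Chemistry"},
        "RISIS":       {"name": "A. Smith", "course": "BSc Chemistry"},
        "SelfService": {"phone": "0118 378 0000"},
    }
    connected = {
        "AD":       {"name": "Alice Smith", "dept": "Physics"},
        "CommsDir": {},
        "BB":       {"name": "A. Smith"},
    }
    print(sync_run(sources, connected))
    # A later change in the authoritative source is picked up on the next
    # run and only the affected systems receive a delta.
    sources["HR"]["dept"] = "Pharmacy"
    print(sync_run(sources, connected)[1])
```

Running the sample twice shows the two behaviours the slide describes: the first run pushes the full view out and overwrites the locally edited AD department; after HR changes the department, the second run produces a small delta for AD and the communications directory only, because the course system has no department flow.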

Page 6:

Example

[Diagram: the ILM Metaverse sits between two connected systems, RISIS and BB. Each box lists the attributes it holds; two of the three boxes list Student no, Name, Dept, Course, Username and the third lists Student no, Name, Course, Username. Only these labels survive in the transcript.]

Page 7:

First phase project goals

• Unique identifier per individual

• Propagation of identity data

• Increased automation of user account provisioning and de-provisioning

• More timely, accurate provision and removal of access

• Role based access control

• Content free usernames

• Web accessible communications directory

Page 8:

Solution overview

[Architecture diagram; only the component labels survive in the transcript. Recovered labels:]

• Connected systems: RISIS (Students), Midland Trent (Staff), HR, Remedy, Students at Registration, Active Directory & Exchange 2003, Student Active Directory, Unix Mail, Home Drive/File Storage, Communications Directory, NIS Export (File), User

• ILM management agents (MA / XMA): Students XMA, Employees XMA, Employee External XMA, Trent Users XMA, Student XMA, ADAM MA, Student ADAM MA, Employee/Xternal Active Directory MA, Employee/Xternal ADAM MA, Tutors Delimited File

• ADAM instances and SQL databases sitting between ILM and the connected systems

• Processing components: Post Processing (Drive Creation), GroupPopulator, Delayed Action, Actions Logging, Message Delivery, Communications Directory Interface

Page 9:

Unique identifier

• Generated by ILM for each individual

• Links staff and student information

• 8 digits

Page 10:

Propagation of identity data

• Authoritative source

• Self service

• Replacement of existing batch data feeds

Page 11:

ILM provisioning

• ILM detects & imports data from RISIS, HR or Remedy

• ILM either generates a unique UoR id or joins to an existing metaverse object

• ILM generates username and email address

• ILM provisions record into AD

• Attributes passed to Exchange which provisions the mailbox and GAL entry (staff)

• ILM passes mail address and other attributes to the UNIX mail ADAM from where mailboxes are created (student and external)

• A home drive is created with filestore quota set according to user status

• ILM provisions record into Remedy (staff & student)

• ILM provisions record into the communications directory ADAM (staff)

• If a member of academic staff, ILM provisions record into the tutor table in RISIS

• Username and email address exported back to originating system

Page 12:

ILM deprovisioning

• ILM has a delayed action provisioned for leave-date + 1

• When leave-date + 1 is reached
  – ILM disables AD account
  – User’s home drive permissions updated by removing Windows permissions and writing Windows Administrator permissions
  – Remedy updated and “in grace period” begins
  – User removed from communications directory
  – If academic employee then RISIS tutor record set to not in use
  – Second delayed action provisioned for leave-date + grace period

• When leave-date + grace period is reached
  – AD account deleted
  – Remedy status set to “deleted”
  – User removed from UNIX mail ADAM
  – Home directory removed
  – Username and email removed from originating system
  – Third delayed action provisioned for leave-date + 1 year + 1 week

• When leave-date + 1 year + 1 week is reached
  – Remedy record is deleted
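The three delayed actions on this slide as an added example in Python (not ILM code). The grace period length is an assumption, as is the leap-day handling; the slide gives only "leave-date + 1", "leave-date + grace period" and "leave-date + 1 year + 1 week". The `actions_due` helper is the kind of check an audit would run against a leaver: given the leave date and today's date, list what should already have happened and compare it with what AD, Remedy and the file server actually show.

```python
# Added example, not ILM code: the three delayed actions the slide lists,
# as a schedule computed from the leave date, plus helpers that report
# which stage a leaver should have reached on a given day.  The grace
# period length is an assumption; the slide does not state it.
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=90)  # assumed value; must be under a year


def _as_date(d):
    """Accept date objects or ISO strings such as '2024-01-31'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d, years):
    """Calendar-year addition; 29 February rolls to 28 February when the
    target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


# What fires at each stage, in the order the slide gives.
STAGE_ACTIONS = {
    "disable": [
        "disable AD account",
        "replace home drive permissions with Windows Administrator permissions",
        "update Remedy: grace period begins",
        "remove user from communications directory",
        "if academic employee: set RISIS tutor record to not in use",
    ],
    "delete": [
        "delete AD account",
        "set Remedy status to deleted",
        "remove user from UNIX mail ADAM",
        "remove home directory",
        "remove username and email from originating system",
    ],
    "purge": ["delete Remedy record"],
}
STAGES = ("disable", "delete", "purge")  # chronological order


def deprovisioning_schedule(leave_date, grace=GRACE_PERIOD):
    """ISO dates on which each delayed action fires."""
    leave = _as_date(leave_date)
    return {
        "disable": (leave + timedelta(days=1)).isoformat(),
        "delete":  (leave + grace).isoformat(),
        "purge":   (add_years(leave, 1) + timedelta(weeks=1)).isoformat(),
    }


def stage_on(leave_date, today, grace=GRACE_PERIOD):
    """Stage the account should be in on `today`; 'active' before the first
    delayed action fires."""
    schedule = deprovisioning_schedule(leave_date, grace)
    today = _as_date(today)
    stage = "active"
    for name in STAGES:
        if today >= date.fromisoformat(schedule[name]):
            stage = name
    return stage


def actions_due(leave_date, today, grace=GRACE_PERIOD):
    """Every action that should already have run by `today`.  An audit can
    diff this against what AD, Remedy and the file server actually show."""
    schedule = deprovisioning_schedule(leave_date, grace)
    today = _as_date(today)
    due = []
    for name in STAGES:
        if today >= date.fromisoformat(schedule[name]):
            due.extend(STAGE_ACTIONS[name])
    return due


if __name__ == "__main__":
    print(deprovisioning_schedule("2024-01-31"))
    print(stage_on("2024-01-31", "2024-03-15"))
    print(actions_due("2024-01-31", "2024-03-15"))
```

The stages are evaluated in date order, so the helpers assume the grace period is shorter than a year plus a week, as the slide's sequence implies; a longer grace period would need the ordering revisited.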

Page 13:

More timely provision / removal of access

• Enabling and disabling of accounts happens on an individual basis rather than as a batch process

• Staff accounts created earlier

• Automation forces the University to define rules

• Rules are then applied more accurately and consistently

• Auditors are happier

Page 14:

Role Based Access Control

• A copy of attributes relating to role, such as dept, status, year of entry etc, can easily be maintained by ILM in a connected ADAM.

• Client systems connecting to this ADAM can use this role data to determine an individual’s access rights in their own system.
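An added example, not part of the slides, of how a client system might turn the role attributes held in such an ADAM (dept, status, year of entry) into its own access rights. The attribute names, the rules and the rights they grant are constructed; the shape to note is deny-by-default plus an explicit revoke list, so that a status or department change in the authoritative source removes access on the next read rather than leaving it behind.

```python
# Added example, not ILM code: how a client system might derive its own
# access rights from the role attributes a connected ADAM would hold
# (dept, status, year of entry).  Attribute names, rules and the rights
# they grant are all constructed.

# Each rule: predicate over the ADAM attributes -> rights it grants.
RULES = [
    (lambda a: a.get("status") == "staff", {"staff-portal"}),
    (lambda a: a.get("status") == "student", {"vle", "library"}),
    (lambda a: a.get("status") == "staff" and a.get("dept") == "Chemistry",
     {"chem-lab-booking"}),
    (lambda a: a.get("status") == "student" and a.get("year_of_entry", 9999) <= 2005,
     {"thesis-archive"}),
]


def entitlements(role_attrs):
    """Deny by default: an individual's rights are the union of what the
    matching rules grant, and nothing else.  No role data means no access."""
    granted = set()
    for predicate, rights in RULES:
        if predicate(role_attrs):
            granted |= rights
    return granted


def access_changes(before, after):
    """Effect of a re-read of the ADAM: rights to grant and, the part that
    matters for leavers and role changes, rights to revoke."""
    old, new = entitlements(before), entitlements(after)
    return {"grant": new - old, "revoke": old - new}


if __name__ == "__main__":
    print(entitlements({"status": "staff", "dept": "Chemistry"}))
    print(access_changes({"status": "staff", "dept": "Chemistry"},
                         {"status": "left", "dept": "Chemistry"}))
```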

Page 15:

Content free usernames

• Inconvenient to change username when dept or status changes. These changes are becoming increasingly common. An individual’s username will no longer change.

• Information contained in the current username structure will be made available through an ADAM.

• New usernames will consist of 6 randomly generated chars, aannnn (two letters followed by four digits).

• Existing usernames will remain unchanged but should be regarded as content free.

• A new employee will only be given 1 staff username. A new student will only be given 1 student username. Where an individual is both an employee and a student they will be given 1 for each role.

• A web based equivalent of the PERSON command will be created before ILM is implemented.
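The join-or-create step from the provisioning slide (Page 11), together with the 8-digit unique identifier (Page 9) and the content-free aannnn usernames with one username per role on this slide, as one added example in Python (not ILM code). The join rule used here (match on any key of an originating system that has already been seen, so an HR record that carries a student number joins to the existing student object) and the random generation of the identifier are assumptions; the slides give only the formats and the one-username-per-role rule.

```python
# Added example, not ILM code: the join-or-create step of provisioning,
# issuing an 8-digit UoR id per individual and a content-free "aannnn"
# username per role.  The join rule (match on any key of an originating
# system already seen) and random generation of the id are assumptions;
# the slides give only the formats and the one-username-per-role rule.
import random
import re
import string

ID_RE = re.compile(r"^\d{8}$")               # UoR id: 8 digits
USERNAME_RE = re.compile(r"^[a-z]{2}\d{4}$")  # aannnn: 2 letters, 4 digits
ROLES = ("staff", "student")


class IdentityStore:
    """Minimal metaverse: people keyed by UoR id plus lookup indexes."""

    def __init__(self, seed=None):
        # A seed gives reproducible output for tests; production use would
        # leave it None and draw from the OS random source.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.people = {}        # uor_id -> {"name", "anchors", "usernames"}
        self.by_anchor = {}     # (source, key) -> uor_id
        self.usernames = set()  # every username ever issued, any role

    def _new_uor_id(self):
        while True:
            candidate = f"{self.rng.randrange(10**8):08d}"
            if candidate not in self.people:
                return candidate

    def _new_username(self):
        while True:
            letters = "".join(self.rng.choice(string.ascii_lowercase) for _ in range(2))
            candidate = f"{letters}{self.rng.randrange(10**4):04d}"
            if candidate not in self.usernames:  # never reuse, even after deletion
                self.usernames.add(candidate)
                return candidate

    def provision(self, role, anchors, display_name):
        """Import one record.  `anchors` maps originating system to its key,
        e.g. {"RISIS": "S123"} or {"HR": "E77", "RISIS": "S123"} when HR
        carries a staff member's old student number.  Join to the existing
        metaverse object if any anchor is known, else create a new one.
        Each person gets at most one username per role."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        uor_id = next((self.by_anchor[a] for a in anchors.items() if a in self.by_anchor), None)
        if uor_id is None:
            uor_id = self._new_uor_id()
            self.people[uor_id] = {"name": display_name, "anchors": {}, "usernames": {}}
        person = self.people[uor_id]
        for source, key in anchors.items():
            self.by_anchor[(source, key)] = uor_id
            person["anchors"][source] = key
        if role not in person["usernames"]:
            person["usernames"][role] = self._new_username()
        return uor_id, person["usernames"][role]


if __name__ == "__main__":
    store = IdentityStore()
    print(store.provision("student", {"RISIS": "S123"}, "Alice Smith"))
    # The same person later appears in HR with her student number: joins,
    # keeps the same UoR id and receives a second (staff) username.
    print(store.provision("staff", {"HR": "E77", "RISIS": "S123"}, "Alice Smith"))
    print(store.people)
```

Because the username carries no department, status or year, nothing about the person changes it; the issued-usernames set is kept for life so that a removed username is never handed to someone else, which is the property that keeps old access control lists and mailboxes from being inherited.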

Page 16:

Communications directory

• A web accessible communications directory will be created

• This will always be as up to date as the HR system

• Employee self service will enable staff to maintain name and telephone number data themselves

Page 17:

Timescales

• Most of the development work has been done

• Next step is data cleansing and testing

• Plan to go live in April 08

Page 18:

Future Developments

• Use of ILM to gradually replace batch data feeds between systems

• Development of more refined role based access control

• Consider having 1 username per individual

• Consider more frequent data synchronisations if demand for it