Therefore IAM: Identity and Access Management @ Freie Universität Berlin
Gudrun Buchholz, Dr. Christoph Wall, electronic Administration and Services
Mar 31, 2015
International HERUG 2014, IAM @ FU Berlin

1637

2014

More typical in administrative environments:
I have a contract, therefore I am
Proof of Identity

Now after I made sure that I am … I need to determine who or what I am.

Characteristics of Identity

Theoretical Groundwork
"Every thing is what it is, and not another thing." Fifteen Sermons Preached at the Rolls Chapel (1726)
Joseph Butler (1692–1752), English Bishop and Philosopher

More typical in administrative environments:
Characteristics of identity are determined by roles

Why would anybody in IT care?

The Confederation of independent Systems @ FU Berlin
HR, FI, SLcM, SAP Web, HIS, PublikationsDB, MyVV, ProfilDB, Blackboard, FUPortal, eSA, Intranet, Helpline, Aleph, IT-V DB, SBK, VoIP, oRA, BSCW
Independent Systems @ FUB (the same systems as above)
- Lack of transparency of system access: no central documentation of users and authorizations
- Lack of IT security: no conclusive, centrally administered deactivation of retired staff
- Lack of efficiency: user administration needed in every individual system
Integration as central task of IT in HER
„For a long time increase of efficiency was attained by casting processes hitherto unsupported by IT into hard- and software based systems without much change to the process in question. Today the focus lies on cross-linking and integration. Thus integrated information management has become the central task for planning and deployment of modern information technology at Universities.“
„Informationsverarbeitung an Hochschulen“, Empfehlungen der Kommission für IT-Infrastruktur für 2011 – 2015, Deutsche Forschungsgemeinschaft DFG (my translation, chw)
1st step of Integration: Identity Management
FUDIS (FU Directory Service), linked to: SAP Web, FI, HR, SLcM, HIS, PublikationsDB, MyVV, ProfilDB, FUPortal, SBK, Aleph, Intranet, Blackboard, oRA, eSA, Helpline, IT-V DB, VoIP, BSCW
Onboarding & Authorization (legacy architecture)
(diagram labels) Systems: CUA, SLcM, HIS, HR, FUDIS (FU Account), FI, SAP Web. Populations: Students, Employees, Ext. Teachers, Teachers, Departments, Business Partner. Objects: Student User, User, Authoriz. (one per system), SAP Administration. Legend: Personnel Data, Identity Data, Authorization Data.
Extension of SAP Footprint
(diagram labels) Blackboard, SOS, ZUL, Aleph, Org. Man., oRA, BIOS, CLAKS, Info-DB, oBi, iLV, SLcM, HCM, PSM, CO, FI, Server and Storage, Internet Services, FUDIS, Networks, ISIS (Integriertes Steuerungs Informationssystem), CMS, CAFM, Wikis, Blogs
Legend: SAP based; FUDIS / IdM; replacement by SAP
Systems for teaching and research:
Info-DBs: research database, profile database, publication database
oBi: online library systems
Aleph: library management
iLV: teaching and room planning
SLcM: examination management
SOS: student administration
ZUL: admissions management
Blackboard: e-learning platform
CMS: FU web presence
Administrative systems:
CO: controlling
HCM: personnel system (payroll)
Org.Man.: organisational management (HCM plus graphics system)
oRA: online invoicing and information system
FI: financial accounting
PSM: Public Sector Management
BIOS: electronic shopping cart
CLAKS: hazardous substances register with chemicals ordering
CAFM: facility management
Consequences of pervasive SAP Use: We never saw users in such numbers

Increase of Student Users with SLcM Roll Out
(chart: students per year, 2002–2013; values in the table below)

Increase of staff and teachers as SAP users
(chart: FU employees and ext. Teachers per year, 2002–2013)

Year           2002  2003  2004  2005   2006   2007   2008   2009   2010   2011   2012   2013
FU employees     40   114   239   287    374    435   1306   1912   2391   3378   3394   3425
ext. Teachers     -     -     -     -    750    750    750    800    900   1000   1150   1200
Students          -     -     -     -   8936  13966  15848  18443  20747  23707  26568  30000
Total Users      40   114   239   287  10060  15151  17904  21155  24038  28085  31112  34625
Challenge: External Teachers not documented in HR
(chart and table as on the previous slide)
Onboarding & Authorization (legacy architecture)
(diagram repeated from the earlier slide of the same title)
IT: „Something has to be done!“
Implementation of new Identity and Access Management
Top 1: New Onboarding Architecture (Proof of Identity)

Proof of Identity at Universities
The of External Teachers
Elections, Masterdata, Course Planning, Capacity Planning

2011 – 2013 Reimplementation of Academics Dataflow
- Improvement of data quality
- Avoiding of duplicates
- Reduction of user accounts to the needed number
Distributed Master Data Management (legacy architecture)
(diagram labels) SLcM: Teacher Data, User; HCM: Personnel Data, User; Evento: Teacher Data, User; FUDIS (FU Account); Ext. Teachers; Academic Employees; Faculties; Central HR

Masterdata where? EVENTO, HCM, SLcM, FUDIS, CRM
Masterdata who? Central HR Dept, Faculties
Improvement of data quality
(diagram labels) FUDIS (FU Account): Ext. Teachers; HCM: Academic Employees; Central HR; Faculties (WebDynpro)

Teaching
Employed Non Academics, Employed Academics, External Teachers, Associate Professors

The Introduction of the Central Person
Central Person # 1 linked to three HCM Persons (# 1, # 2, # 3): Marcus Miller as External Teacher, Marcus Miller as Employed Academic, Marcus Miller as Associate Professor
Initial Master Data Migration FUDIS => HCM
FUDIS: 9300 Teacher-IDs; 2300 Ext. Teachers
HCM: 2400 Inactive Teacher-IDs; 3100 (Academic) Employees; 1500 both Employees and Ext. Teachers
Avoiding of Duplicates
(diagram labels) FUDIS (FU Account): Ext. Teachers; HCM: Academic Employees; Central HR; Faculties; Central Person; Duplicate Check (twice); SLcM: Teacher Data, User; Evento: Teacher Data, User

Active Teachers?
Employed Academics: Teaching Contract, Period of the contract; HCM: Hire/Fire Dates of Academic Employees
External Teachers: Teaching contract for single courses; Semester: List of courses per semester of Ext. Teachers
Who? Why? When? How?

Reduction of user accounts to the needed number
April 2013: 6900 (Ext. Teachers: 2300; HCM: 2400 Inactive Teacher-IDs, (Academic) Employees: 3100, Both: 1500)
Activity Control
April 2014: 3700 (Ext. Teachers: 800; HCM: Academic Employees: 2400, (Teaching) Employees: 500)
A Matter of Perspective
I'm going to teach soon, therefore I am
I still need to grade, therefore I am

Masterdata where? EVENTO, HCM, SLcM, FUDIS, CRM
Was the decision for HCM a good one?
Activity Matrix
Interface to  Group                 Before Course  After Course  After hired in HCM  After fired in HCM
SLcM          Employed (Academics)  -              -             3 month             7 month
SLcM          Associate Professors  -              -             -                   7 month
SLcM          External Teachers     6 month        7 month       -                   7 month
SLcM          Academic Supervisors  -              -             -                   12 month
Evento        Employed (Academics)  -              -             3 month             -
Evento        External Teachers     6 month        7 month       -                   7 month
IDM           Employed (Academics)  -              -             -                   7 month
IDM           Associate Professors  -              -             -                   7 month
IDM           External Teachers     6 month        7 month       -                   7 month
IDM           Academic Supervisors  -              -             -                   12 month
HCM has to define and provide the activity period of the teachers for other systems. It offers no standard functionality for this.
The function that computes the activity of a teacher has to be implemented in all the reporting, the WebDynpros for teachers, the interfaces and the query tools.
Structured Information about Teachers for IDM
Active Members of FU, with the past and future membership windows in months:
Group                            Past Members for … Month  Future Members for … Month
Employed Academics               7                         -
Employed Non Academics teaching  7                         -
Associate Professors             7                         -
External Teachers                7                         6
Academic Supervisors             -                         -
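Added example, not code from the presentation or from FU Berlin's systems: one shared implementation of the activity rule that the slides say had to be re-implemented in every report, WebDynpro and interface, using the IDM column of the activity matrix above and the past/active/future categories of this slide. The Teacher record, membership_status, idm_should_keep and the sample dates are constructed for illustration; where the past and future windows overlap I let "active" win, then "future", then "past".

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Grace periods in months for the IDM interface, copied from the activity matrix:
# group -> (before course, after course, after fired in HCM); 0 = no grace period.
IDM_GRACE = {
    "Employed (Academics)": (0, 0, 7),
    "Associate Professors": (0, 0, 7),
    "External Teachers": (6, 7, 7),
    "Academic Supervisors": (0, 0, 12),
}


def add_months(d: date, n: int) -> date:
    """Shift d by n calendar months (n may be negative), clamping to the month's last day."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


@dataclass
class Teacher:                      # constructed record shape, not an SAP/HCM structure
    name: str
    group: str
    hired: Optional[date] = None    # HCM hire date (employees only)
    fired: Optional[date] = None    # HCM leave date; None = still employed
    courses: List[Tuple[date, date]] = field(default_factory=list)  # (first day, last day)


def membership_status(t: Teacher, on: date) -> str:
    """Classify t on day 'on' as 'active', 'future', 'past' or 'none' member.
    Assumption: when windows overlap, active wins over future, which wins over past."""
    before, after_course, after_fired = IDM_GRACE[t.group]
    active = future = past = False
    if t.hired is not None:
        active |= t.hired <= on <= (t.fired or date.max)
        if t.fired is not None:
            past |= t.fired < on <= add_months(t.fired, after_fired)
    for start, end in t.courses:
        active |= start <= on <= end
        future |= add_months(start, -before) <= on < start
        past |= end < on <= add_months(end, after_course)
    if active:
        return "active"
    if future:
        return "future"
    return "past" if past else "none"


def idm_should_keep(t: Teacher, on: date) -> bool:
    """Account stays provisioned while the teacher is an active, future or past member."""
    return membership_status(t, on) != "none"
```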
Implementation of new Identity and Access Management
Top 2: Introduction of Roles (Characteristics of Identity)
Authorization before …
(diagram: dozens of individual "Authorization" entries, no structure)

Introduction of Roles
(diagram: the same individual authorizations, now with Group 1, Group 2, Group 3)

Introduction of Roles
Group 1 => Business Role 1; Group 2 => Business Role 2; Group 3 => Business Role 3

Role Approval Workflow
(diagram labels: User Applicant, Application, Key User, ok, IdM, Authorization)
Did it help?

Identity Management at work:
Strategic Goals reached with the new IAM
- Comprehensive offer of information: information online available about who has which rights in what system, since when and awarded by whom
- Mobile Information: web based role request and provisioning
- Smart Processes: trans-departmental process of onboarding with single point of entry for information
- Secure data: automated process of user deactivation upon end of employee status
- Sustainable use of resources: no more fees for licenses for inactive users

Dr. Christoph Wall, Director administrative IT-Services, Boltzmannstraße 18, 14195 Berlin, Germany, Tel: +49 30 838 58000, Web: www.fu-berlin.de/eas
Gudrun Buchholz, Team Lead HCM-Services, Boltzmannstraße 18, 14195 Berlin, Germany, Tel: +49 30 838 54764, Web: www.fu-berlin.de/eas