Gudrun Buchholz Dr. Christoph Wall electronic Administration and Services Therefore IAM Identity and Access Management @ Freie Universität Berlin.

Gudrun BuchholzDr. Christoph Wallelectronic Administration and Services

Therefore IAM

Identity and Access Management @

Freie Universität Berlin

2International HERUG 2014, IAM @ FU Berlin

1637

3International HERUG 2014, IAM @ FU Berlin

2014

4International HERUG 2014, IAM @ FU Berlin

More typical in administrative environments:

I have a contract, therefore I am

5International HERUG 2014, IAM @ FU Berlin

Proof of Identity

6International HERUG 2014, IAM @ FU Berlin

Now after I made sure that I am …

…I need to determine who or what I am.

7International HERUG 2014, IAM @ FU Berlin

Characteristics of Identity

8International HERUG 2014, IAM @ FU Berlin

Theoretical Groundwork

"Every thing is what it is, and not another thing." Fifteen Sermons Preached at the Rolls Chapel (1726)

Joseph Butler (1692–1752)English Bishop and Philosopher

9International HERUG 2014, IAM @ FU Berlin

More typical in administrative environments:

Characteristics of identity are determined by roles

10International HERUG 2014, IAM @ FU Berlin

Why would anybody in IT

care?

11International HERUG 2014, IAM @ FU Berlin

12International HERUG 2014, IAM @ FU Berlin

The Confederationof independent Systems @ FU Berlin

HR

FI

SLcM

SAP Web

HIS

PublikationsDB

MyVV

ProfilDB

Black-board

FUPortal

eSA

Intranet

Helpline

Aleph

IT-V DB

SBK

VoIP

oRA

BSCW

13International HERUG 2014, IAM @ FU Berlin

Independent Systems @ FUB

HR

FI

SLcM

SAP Web

HIS

PublikationsDB

MyVV

ProfilDB

Black-board

FUPortal

eSA

Intranet

Helpline

Aleph

IT-V DB

SBK

VoIP

oRA

BSCW

Lack of transparency of system access- No central documentation

of users and authorizations

Lack of IT-Security- No conclusice centrally

administered deactivation of retired staff

Lack of efficiency- User administration needed

in every individual system

14International HERUG 2014, IAM @ FU Berlin

Integration as central task of IT in HER

„For a long time increase of efficiency was attained by casting processes hitherto unsupported by IT into hard- and software based systems without much change to the process in question. Today the focus lies on cross-linking and integration. Thus integrated information management has become the central task for planning and deployment of modern information technology at Universities.“

„Informationsverarbeitung an Hochschulen“Empfehlungen der Kommission für IT-Infrastruktur für 2011 – 2015

Deutsche Forschungsgemeinschaft DFG

(my translation, chw)

15

FUDISFU Directory

Service

SAP Web

FI

HR

SLcM

HIS

PublikationsDB

MyVV

ProfilDB

FUPortal

SBK

Aleph

Intranet

Black-board

oRA

eSA

Helpline

IT-V DBVoIP

BSCW

1st step of Integration: Identity Management

International HERUG 2014, IAM @ FU Berlin

16

Onboarding & Authorization(legacy architecture)

International HERUG 2014, IAM @ FU Berlin

CUA SLcMHIS

HR

FUDIS(FU Account)

Students

Employees

Business PartnerStudent User

User

Ext. TeachersUser

Personnel Data

FI

User

SAP Web

User

Teachers

Employees

Students

Dep

artm

ents

Authoriz.

Authoriz.

Aut

horiz

Aut

horiz

Aut

horiz

SAP Admininstration

Personnel

Data

Identity Data

AuthorizationData

17

Black-board

SOS ZUL

AlephOrg. Man.

oRABIOS

CLAKS

Info-DB

oBiiLV

SLcM

HCM

PSM

CO

FI

Server and Storage

Internet ServicesFUDIS

Networks

Mail

ISISIntegriertes Steuerungs Informationssystem

CMSCAFMWikis, Blogs

Extension of SAP Footprint

SAP basiert

FUDIS / IdM

Systeme für Lehre und Forschung:

Info-DBs: - Forschungsdatenbank - Profildatenbank - Publikationsdatenbak

oBi: online Bibliothekssysteme

Aleph: Bibliotheksverwaltung

iLV: Lehr- und Raumplanung

SLcM: Prüfungsverwaltung

SOS: Studentenadministration

ZUL: Zulassungsverwaltung

Blackboard: e-learning Plattform

CMS: FU Webauftritt

Verwaltungssysteme:

CO: Controlling

HCM: Personalsystem (Abrechnung)

Org.Man.: Organisations Management (HCM plus Grafiksystem)

oRA: online Rechnungs- und Auskunftssystem

FI: Finanzbuchhaltung

PSM: Public Sector Management

BIOS: elektr. Warenkorb

CLAKS: Gefahrstoff Kataster mit Chemikalien-Bestellung

CAFM: Facility Management

Ablösung durch SAP

18International HERUG 2014, IAM @ FU Berlin

Consequences of pervasive SAP Use:We never saw users in such numbers

19International HERUG 2014, IAM @ FU Berlin

Increase of Student Users with SLcM Roll Out

0

5000

10000

15000

20000

25000

30000

35000

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Studenten

Studenten

20International HERUG 2014, IAM @ FU Berlin

Increase of staff and teachers as SAP users

0

500

1000

1500

2000

2500

3000

3500

4000

4500

5000

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

ext. Teachers

FU employees

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

FU employees 40 114 239 287 374 435 1306 1912 2391 3378 3394 3425ext. Teachers 750 750 750 800 900 1000 1150 1200Studenten 8936 13966 15848 18443 20747 23707 26568 30000

Total Users 40 114 239 287 10060 15151 17904 21155 24038 28085 31112 34625

21International HERUG 2014, IAM @ FU Berlin

Challange: External Teachers not documented in HR

0

500

1000

1500

2000

2500

3000

3500

4000

4500

5000

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

ext. Teachers

FU employees

2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

FU employees 40 114 239 287 374 435 1306 1912 2391 3378 3394 3425ext. Teachers 750 750 750 800 900 1000 1150 1200Studenten 8936 13966 15848 18443 20747 23707 26568 30000

Total Users 40 114 239 287 10060 15151 17904 21155 24038 28085 31112 34625

22

Onboarding & Authorization(legacy architecture)

International HERUG 2014, IAM @ FU Berlin

CUA SLcMHIS

HR

FUDIS(FU Account)

Students

Employees

Business PartnerStudent User

User

Ext. TeachersUser

Personnel Data

FI

User

SAP Web

User

Teachers

Employees

Students

Dep

artm

ents

SAP Admininstration

Personnel

Data

Identity Data

AuthorizationData

Authoriz.

Authoriz.

Aut

horiz

Aut

horiz

Aut

horiz

23International HERUG 2014, IAM @ FU Berlin

IT:„Something has to

be done !“

24

Implementation of new Identity and Access Management

Top 1:New Onboarding Architecture(Proof of Identity)

International HERUG 2014, IAM @ FU Berlin

25International HERUG 2014, IAM @ FU Berlin

Proof of Identity at Universities

Gudrun

26International HERUG 2014, IAM @ FU Berlin

The of External Teachers

27International HERUG 2014, IAM @ FU Berlin

The of External Teachers

Elections

Masterdata

Course Planning

Capacity Planning

28International HERUG 2014, IAM @ FU Berlin

2011 – 2013 Reimplementation of Academics Dataflow

Improvement of data quality

Avoiding of duplicates

Reduction of user accounts to the needed number

29

Distributed Master Data Management(legacy architecture)

International HERUG 2014, IAM @ FU Berlin

User

SLcM

Teacher Data

HCM

User

Personnel Data

User

Evento

Teacher Data

Ext. Teachers

FUDIS(FU Account)

Academic Employees

Faculties Central HR

30International HERUG 2014, IAM @ FU Berlin

Gudrun

31International HERUG 2014, IAM @ FU Berlin

Masterdata where?

EVENTOHCM

SLcM FUDISCRM

32International HERUG 2014, IAM @ FU Berlin

Masterdata who?

Central HR Dept

Faculties

33

Improvement of data quality

International HERUG 2014, IAM @ FU Berlin

FUDIS

FU Account

Ext. Teachers

HCM

Academic Employees

Central HR

FacultiesWebDynpro

34International HERUG 2014, IAM @ FU Berlin

35International HERUG 2014, IAM @ FU Berlin

Teaching

36International HERUG 2014, IAM @ FU Berlin

Teaching

Employed Non Academics

Employed Academics External Teachers

Associate Professors

37International HERUG 2014, IAM @ FU Berlin

Employed Academics

External Teachers

Associate Professors

38

The Introduction of the Central Person

International HERUG 2014, IAM @ FU Berlin

Central Person # 1

HCM Person # 2 HCM Person # 3HCM Person # 1

Marcus MillerExternal Teacher

Marcus MillerEmployed Academic

Marcus MillerAssociate Professor

39International HERUG 2014, IAM @ FU Berlin

Initial Master Data Migration FUDIS => HCM

FUDIS

9300 Teacher-Ids

2300 Ext. Teachers

HCM

2400 Inactive Teacher-IDs

3100 (Academic) Employees

1500 Both: Employees and Ext.Teachers

40

Avoiding of Duplicates

International HERUG 2014, IAM @ FU Berlin

FUDIS

FU Account

Ext. Teachers

HCM

Academic Employees

Central HR

Faculties

Central Person

Duplicate Check

Duplicate Check

User

SLcM

Teacher Data

User

Evento

Teacher Data

41International HERUG 2014, IAM @ FU Berlin

Active Teachers?

Employed Academics

Teaching Contract

Period of the contract

ExternalTeachers

Teaching contract for single

courses

SemesterExt. Teachers

HCM

List of coursesper semester

Academic Employees

Hire Fire Dates

Who?

Why?

When?

How?

42

Reduction of user accounts to the needed number

International HERUG 2014, IAM @ FU Berlin

Ext. Teachers: 2300

HCM

2400 Inactive Teacher-Ids

(Academic) Employees: 3100

Both: 1500

Activity Control

3700

Ext. Teachers: 800

HCM

Academic Employees: 2400

(Teaching) Employees: 500

April 2013: 6900April 2014:

43International HERUG 2014, IAM @ FU Berlin

A Matter of Perspective

I‘m going to teach soon, therefore I am

I still need to grade,therefore I am

44International HERUG 2014, IAM @ FU Berlin

Masterdata where?

EVENTOHCM

SLcM FUDISCRM

Was the decision for HCM a good one?

45International HERUG 2014, IAM @ FU Berlin

Activity Matrix

Interface to Group Before Course

After Course

After hiredin HCM

After firedin HCM

SLcM Employed (Academics) 3 month 7 month

Associate Professors 7 month

External Teachers 6 month 7 month 7 month

Academic Supervisors 12 month

Evento Employed (Academics) 3 month

External Teachers 6 month 7 month 7 month

IDM Employed (Academics) 7 month

Associate Professors 7 month

External Teachers 6 month 7 month 7 month

Academic Supervisors 12 month

HCM has to define and provide the acticity period of the teachers for other systems. It offers no standard functionality for this.

The function that computes the activity of a teacher has to be implemented in all the reporting, the web dynpros for teachers, the interfaces and the query tools.

46International HERUG 2014, IAM @ FU Berlin

Structured Information about Teachers for IDM

Past Members

for…MonthActive Members

of FU

Future Members

for… Month

7 Employed Academics -

7Employed Non

Academics teaching -

7 Associate Professors -

7 External Teachers6

- Academic Supervisors -

47

Implementation of new Identity and Access Management

Top 2:Introduction of Roles(Characteristics of Identity)

International HERUG 2014, IAM @ FU Berlin

48

Authorization before …

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

International HERUG 2014, IAM @ FU Berlin

49

Introduction of Roles

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

International HERUG 2014, IAM @ FU Berlin

50

Introduction of Roles

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

AuthorizationAuthorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization

Authorization Authorization

AuthorizationAuthorization

Authorization

Group 1

Group 2

Group 3

International HERUG 2014, IAM @ FU Berlin

51

Introduction of Roles

Group 1

Group 2

Group 3

Business Role 1

Business Role 2

Business Role 3

International HERUG 2014, IAM @ FU Berlin

52

Role Approval Workflow

Authorization

User Applicant

IdM

Key User

ok

Application

International HERUG 2014, IAM @ FU Berlin

53International HERUG 2014, IAM @ FU Berlin

Did it help ?

54International HERUG 2014, IAM @ FU Berlin

Identity Management at work:

Gudrun BuchholzDr. Christoph Wallelectronic Administration and Services

Strategic Goals reached with the new IAM

Information online available about who has which rights in what system since when and awarded by whom

Comprehensive offer of information

Web based role request and provisioning Mobile Information

Trans-departmental process of onboarding with single point of entry for informationSmarte Processes

Automated process of user deactivation upon end of employee status Secure data

No more fees for licenses for inactive usersSustainable use ofressources

International HERUG 2014, IAM @ FU Berlin

56International HERUG 2014, IAM @ FU Berlin

Dr. Christoph WallDirector administrative IT-Services  Boltzmannstraße 1814195 BerlinGermanyTel: +49 30 838 58000Web: www.fu-berlin.de/eas

Gudrun BuchholzTeam Lead HCM-Services  Boltzmannstraße 1814195 BerlinGermanyTel: +49 30 838 54764Web: www.fu-berlin.de/eas