Project Plan
OneIT – Identity and Access Management – Sub-Plan 3 Page 1 of 5
Details
Project Name: OneIT – Identity and Access Management Sub 3: Iowa Domain Credential Management
Project Team Leads: Mike Noel, Brandon Mills, Jordan O’Konek
Project Manager: Kris Halter
TeamDynamix Project Number: 241151
Project Overview (What is going to be accomplished)
The purpose of this IAM subproject is to enhance, extend, and streamline the Iowa Domain Credential Management capabilities. It includes three main components:
1. Extend IAM to support UNIX systems, including Active Directory, administrative tools and processes.
2. Implement Active Directory-Oracle password synchronization.
3. Simplify and automate HawkID and Service ID management.
Unix System AD Iowa Domain Support

The campus Active Directory forest Iowa domain serves as the engine for enterprise authentication (HawkIDs). It is primarily used as a secure environment for Windows servers, PCs, and Macintosh computers. This project extends the Active Directory infrastructure and data management processes to support Unix systems (servers and workstations) by adding the essential Unix-related attributes that govern login security and file-system permissions.
• Unix systems will be able to authenticate and authorize users against the Iowa Domain HawkIDs.
• Unix systems will be able to leverage the automated enterprise provisioning/de-provisioning of HawkIDs, group membership and other attributes in AD to improve account management throughout the account life cycle.
• The administrative layer required for each Unix system will be greatly reduced.
Currently, each Unix administrator must manually assign their own UID and GID values. These values provide the core security of the file systems. Because the assignment of these values is not coordinated across campus, files cannot easily be shared across Unix systems. The enterprise solution will be to use the Iowa domain as the authoritative source for UID, GID and other key attributes for use on the Unix systems. Aligning the Unix systems with enterprise identity management will allow automatic provisioning/de-provisioning of accounts and tighter login controls. It is expected that ~2000 Unix systems from CLAS, Engineering, ITS, and Research Labs will take advantage of the Unix/AD integration. In addition, Unix IDs and attributes will be made available for management of Unix systems in the healthcare domain.

Legacy processes to manage HawkIDs and service-related groups are largely based on batch processes and scripts. The AD Unix integration requires more real-time and responsive processes. An important part of this sub-project component is the development of a new Active Directory Credential Management Engine (ADME) for provisioning/de-provisioning. ADME is critical to the core identity and access management architecture and replaces multiple legacy scripts and processes.

Active Directory-Oracle Password Synchronization

The Microsoft Identity Manager (MIM) product includes the Password Change Notification Service (PCNS), which synchronizes user password changes across multiple identity stores. In this component of the sub-project, PCNS will be deployed to synchronize Active Directory HawkID passwords for selected Oracle user and administrator accounts. This greatly simplifies the login process for those users and allows Active Directory to manage more of the identity lifecycle. This component depends on the implementation of a version of MIM PCNS that is supported with the domain controllers in the UIOWA forest (Windows 2012 R2).

Simplify and Automate HawkID and Service ID Management

HawkID Management

HawkIDs for students, alumni, retirees, and terminated-employee populations are collected and managed programmatically. HawkIDs for current employees are managed differently and require manual administrator intervention as they are moved through a series of OU locations. The first component of this project is to automate and simplify the management of employee IDs in and out of the administrative-unit OU. ITAdmins will no longer have to move each HawkID from ou=inbound to ou=users to ou=outbound. This model has been successfully piloted with these units: CLAS, Graduate College, and UI Healthcare. It will be phased in to all orgs, with Housing being next. The new process allows ITAdmins to continue to manage local access assignments through group memberships. Automating the HawkID administrative-unit OU process and flattening the OU structure will provide the following improvements:
• Reduction in ITAdmin support effort in moving HawkIDs inside ~600 org- and departmental-level OUs.
• Better management of the identity lifecycle, especially de-provisioning at termination, reducing institutional risk and audit concerns.
A potential second follow-on phase of this sub-project component would be to enhance the employee provisioning process into a central OU, similar to how we administer students, retirees, and other managed groups. Employee HawkIDs could be automatically provisioned into the employee OU, and ITAdmins would continue to manage account access through local group membership. Improvements gained in this follow-on phase include:
• Further simplifying and standardizing the HawkID provisioning process
• Eliminating the special handling required for persons with multiple appointments
• Removing fragile legacy provisioning scripts

Service ID Management

Extend the centralized account management process and tools to service IDs so that all account creation is managed through a single set of tools. Currently ITAdmins are given elevated rights to create local service IDs through the Microsoft AD administrative tools. Auditors have noted this as a risk in several audits. If both HawkIDs and Service IDs are managed through the same process and underlying tool, the process can be simplified, made more secure, and enhanced to ensure that the integrity of HawkIDs is maintained.
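As an added example (not part of this plan or of any University of Iowa tooling), the following Python check illustrates the UID coordination problem behind the Unix/AD component above: it compares locally assigned UIDs gathered from several hosts against the uidNumber values the Iowa domain would become authoritative for, and reports logins whose UID diverges between hosts, UIDs shared by different people, entries that need a remap before cutover, and local-only accounts that have no HawkID and would fall under Service ID management. Host names, logins and UIDs are constructed, and the AD export is assumed to be a simple login-to-uidNumber map.

```python
"""Pre-cutover audit for the Unix/AD UID consolidation described above.

Each Unix host assigns UIDs locally today; once the Iowa domain's uidNumber is
authoritative, any local UID that disagrees with it must be remapped (chown of
owned files) before cross-host file sharing is safe. All data is constructed.
"""
from collections import defaultdict

# Constructed: (login, uid) pairs as read from /etc/passwd on each host.
LOCAL_PASSWD = {
    "hostA": [("jdoe", 1001), ("asmith", 1002), ("svc-backup", 1003)],
    "hostB": [("jdoe", 1005), ("asmith", 1002), ("bwong", 1001)],
    "hostC": [("jdoe", 1001), ("asmith", 1002)],
}
# Constructed: authoritative uidNumber per HawkID, as exported from AD.
AD_UIDNUMBER = {"jdoe": 1001, "asmith": 1002, "bwong": 2201}


def audit(local, authoritative):
    """Classify local accounts against the authoritative uidNumber map.

    divergent_login: one login with different UIDs on different hosts.
    uid_collision:   one UID shared by different logins, so a file shared
                     between hosts would be readable by the wrong person.
    remap:           (host, login, local_uid, ad_uid) needing a chown pass.
    local_only:      logins with no HawkID; a Service ID or stays local.
    """
    uids_of, logins_of = defaultdict(set), defaultdict(set)
    remap, local_only = [], set()
    for host, entries in local.items():
        for login, uid in entries:
            uids_of[login].add(uid)
            logins_of[uid].add(login)
            if login not in authoritative:
                local_only.add(login)
            elif authoritative[login] != uid:
                remap.append((host, login, uid, authoritative[login]))
    return {
        "divergent_login": sorted(l for l, u in uids_of.items() if len(u) > 1),
        "uid_collision": sorted(u for u, l in logins_of.items() if len(l) > 1),
        "remap": sorted(remap),
        "local_only": sorted(local_only),
    }


if __name__ == "__main__":
    for kind, items in audit(LOCAL_PASSWD, AD_UIDNUMBER).items():
        print(f"{kind}: {items}")
```

In the constructed data, hostB's bwong holds UID 1001, the UID jdoe owns everywhere else, which is exactly the cross-host permission leak the plan's authoritative-source approach removes.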
Risk Management Plan
Risk Number | Risk Description | Likelihood (H,M,L) | Impact (H,M,L) | Mitigation Strategy
1 | Retaining existing ILUG LDAP servers | M | L | Work with ILUG leadership
2 | MIM implementation stability and PCNS implementation issues | M | M | Alt. password sync solution
3 | Adoption of Employee Auto-provisioning | M | M | Work with ADEAs to influence IT Admins. Involve internal auditors
4 | Adoption of Service ID Management | M | M | Work with ADEAs to influence IT Admins. Involve internal auditors
Issue Tracking and Resolution Plan
Issues will be tracked and resolutions captured on the IAM SharePoint site.
Metrics / Key Performance Indicators
• Number of Unix systems that are managed by AD.
• Number of Oracle accounts synchronized with AD.
• Number of Employee HawkIDs that are automatically moved.
• Number of service IDs leveraging the new management process.