UW Identity & Access Management Initiative Update
ACT, February 13, 2009
Keith Hazelton
Pam Allen
Agenda
• Review of the New Affiliation Governance – Keith
• Update on the IAM Project – Pam
P1 Identity Management: Identity Life Cycle; Account Provisioning; Identity Reconciliation; Delegated Administration; Workflow; Logging, Auditing, Reporting
P2 Directories: Identity administration; Foundation for Access Manager; Database End User Security
P3 Access: Web authentication; Authorization; Access Policy Management; Logging, Auditing and Reporting
P4 Federation: Access to external services
Service Expansion
P1 - Identity Manager: What We Said
• 12 week engagement – Production Pilot
– Started Nov. 10
– 4 week planning & design
– 8 week implementation
– Candidate Application – Shared Financial Systems
• Financial system of record for all UW System campuses
• Primary business functionality – authorization workflow and account provisioning; logging, auditing, reporting
Shared Financials – Current Situation
[Diagram: SFS; paper authorization form; Business Unit / Employee; Approvers; DoIT Security; IAA (authoritative sources); automated account and default role assignments (PeopleCode); additional manual role assignment and de-provisioning; manual auditing]
Identity Management Capability: Method
– Identity and Role Lifecycle Management: Automated
– Account Provisioning/De-provisioning: Automated/Manual (automated: account and default roles; manual: additional role assignments)
– Delegated Administration: Manual
– Automated Workflow: Manual
– Identity Reconciliation: Automated
– Identity Audit (including attestation): Manual
– Self Service, Self Registration: Manual
Shared Financials – Potential Future with Oracle Identity Manager (OIM)
[Diagram: SFS; automated workflows; Business Unit / Employee; Approvers; DoIT Security; OIM; IAA (authoritative sources); automated auditing, reporting and attestation; automated provisioning of account and role assignments]
Identity Management Capability: Method
– Identity and Role Lifecycle Management: Automated through OIM
– Account Provisioning/De-provisioning: Automated
– Delegated Administration: Automated
– Automated Workflow: Automated
– Identity Reconciliation: Prior to IAA
– Identity Audit (including attestation): Automated
– Self Service, Self Registration: Automated (employee fills in form)
P1 - Identity Manager: What Happened
• 12 week engagement – Production Pilot
– Started Nov. 10 √
– 4 week planning & design √
• Deliverables: SFS Requirements, Framework Design
– 8 week production implementation – No
• Revised Scope
– Build out the framework in the development environment
– Build demonstration for SFS
P1 - Identity Manager: What We Learned
• Application
– A big first implementation
– Customer prioritization of project
– Business processes need to be reviewed and potentially re-engineered
– Level of provisioning required: many PeopleSoft roles
• Application – Module – Role (e.g. Shared Financials – Core Financials – AR Inquiry)
– Multiple approvers – complicated business logic
– Lack of automated organization chart
What We Are Doing
[Diagram: Framework; SFS Dev Environment; Business Unit / Employee; Approvers; OIM; IAA (authoritative sources); Demonstration]
• Building generic multi-approver workflow
• Trusted reconciliation connector storing IAA data in OIM format
• PeopleSoft connector for SFS – allow for Application/Module/Roles
• Building logic to detect changes in attributes that result in changes to entitlements
• Demonstration
Next Steps
• Use what we’ve learned from OIM
• Proceed with the Roadmap – work with Oracle Virtual Directory and Oracle Access Manager
Q and A
Discussion
IAM Stakeholder wiki page: https://wiki.doit.wisc.edu/confluence/display/IAMP/IAM+Stakeholders