Gudrun Buchholz, Dr. Christoph Wall
electronic Administration and Services, Freie Universität Berlin
International HERUG 2014, IAM @ FU Berlin

Therefore IAM: Identity and Access Management @ Freie Universität Berlin

1637

2014
More typical in administrative environments:
"I have a contract, therefore I am."
Proof of Identity
Now, after I have made sure that I am, I need to determine who or what I am.
Characteristics of Identity
Theoretical Groundwork
"Every thing is what it is, and not another thing."
Joseph Butler (1692–1752), English Bishop and Philosopher, Fifteen Sermons Preached at the Rolls Chapel (1726)
More typical in administrative environments: characteristics of identity are determined by roles.
Why would anybody in IT care?
The Confederation of Independent Systems @ FU Berlin
HR, FI, SLcM, SAP Web, HIS, Publikations DB, MyVV, Profil DB, Blackboard, FU Portal, eSA, Intranet, Helpline, Aleph, IT-V DB, SBK, VoIP, oRA, BSCW
Independent Systems @ FUB

Lack of transparency of system access
- No central documentation of users and authorizations

Lack of IT security
- No conclusive, centrally administered deactivation of retired staff

Lack of efficiency
- User administration needed in every individual system
Integration as central task of IT in HER

"For a long time, increases in efficiency were attained by casting processes hitherto unsupported by IT into hard- and software based systems without much change to the process in question. Today the focus lies on cross-linking and integration. Thus integrated information management has become the central task for planning and deployment of modern information technology at universities."
"Informationsverarbeitung an Hochschulen", Empfehlungen der Kommission für IT-Infrastruktur für 2011 – 2015, Deutsche Forschungsgemeinschaft DFG (my translation, chw)
1st step of Integration: Identity Management
FUDIS (FU Directory Service) as the central identity hub connected to the independent systems: HR, FI, SLcM, HIS, SAP Web, Publikations DB, MyVV, Profil DB, FU Portal, SBK, Aleph, Intranet, Blackboard, oRA, eSA, Helpline, IT-V DB, VoIP, BSCW
Onboarding & Authorization (legacy architecture)
[Diagram: HR (Employees, Business Partners -> Personnel Data); CUA, SLcM and HIS (Students -> Student User); FUDIS (FU Account: Students, Employees, Ext. Teachers -> User); FI User and SAP Web User created by SAP Administration; authorizations for Teachers, Employees, Students and Departments maintained separately in each system; Personnel Data, Identity Data and Authorization Data held apart from each other]
Extension of SAP Footprint
[Diagram: ISIS (Integriertes Steuerungs-Informationssystem, integrated management information system) spanning FUDIS / IdM, Server and Storage, Internet Services and Networks; each system marked either as SAP-based or as to be replaced by SAP]

Systems for teaching and research:
- Info-DBs: research database, profile database, publication database
- oBi: online library systems
- Aleph: library administration
- iLV: teaching and room planning
- SLcM: examination administration
- SOS: student administration
- ZUL: admissions administration
- Blackboard: e-learning platform
- CMS: FU website

Administrative systems:
- CO: Controlling
- HCM: personnel system (payroll)
- Org. Man.: Organisational Management (HCM plus graphics system)
- oRA: online invoice and information system
- FI: financial accounting
- PSM: Public Sector Management
- BIOS: electronic shopping cart
- CLAKS: hazardous substances register with chemicals ordering
- CAFM: Facility Management

Legend: SAP-based / to be replaced by SAP
Consequences of pervasive SAP use: we never saw users in such numbers.
Increase of Student Users with SLcM Roll Out
[Chart: students (Studenten) as SAP users, 2002 to 2013]
Increase of staff and teachers as SAP users
[Chart: FU employees and ext. teachers as SAP users, 2002 to 2013; underlying data:]

Year           2002  2003  2004  2005   2006   2007   2008   2009   2010   2011   2012   2013
FU employees     40   114   239   287    374    435   1306   1912   2391   3378   3394   3425
ext. Teachers     -     -     -     -    750    750    750    800    900   1000   1150   1200
Students          -     -     -     -   8936  13966  15848  18443  20747  23707  26568  30000
Total Users      40   114   239   287  10060  15151  17904  21155  24038  28085  31112  34625
Challenge: External Teachers not documented in HR
[Same chart and data as above, with the ext. teachers series highlighted]
IT: "Something has to be done!"
Implementation of new Identity and Access Management
Top 1: New Onboarding Architecture (Proof of Identity)
Proof of Identity at Universities
The of External Teachers
- Elections
- Masterdata
- Course Planning
- Capacity Planning
2011 – 2013 Reimplementation of Academics Dataflow
- Improvement of data quality
- Avoidance of duplicates
- Reduction of user accounts to the needed number
Distributed Master Data Management (legacy architecture)
[Diagram: the Faculties maintain teacher data and users for Ext. Teachers in SLcM and in Evento; Central HR maintains personnel data and users for Academic Employees in HCM; FU Accounts are issued via FUDIS]
Masterdata where? FUDIS / CRM
Masterdata who? Central HR Dept / Faculties
Improvement of data quality
[Diagram: HCM becomes the master for Academic Employees (entered by Central HR) and for Ext. Teachers (entered by the Faculties via Web Dynpro); FUDIS issues the FU Account from it]
Teaching: Employed Academics, Employed Non-Academics, External Teachers, Associate Professors
The Introduction of the Central Person
Central Person #1 (Marcus Miller) linked to HCM Person #1 (External Teacher), HCM Person #2 (Employed Academic) and HCM Person #3 (Associate Professor)
Initial Master Data Migration FUDIS => HCM
FUDIS: 9300 Teacher-IDs, broken down into 2300 Ext. Teachers, 3100 (Academic) Employees, 1500 both Employees and Ext. Teachers, and 2400 inactive Teacher-IDs, migrated into HCM
Avoidance of Duplicates
[Diagram: Central HR (Academic Employees) and the Faculties (Ext. Teachers) both feed HCM; a Duplicate Check runs on each path before a Central Person is created; the Central Person then supplies the FU Account in FUDIS and the teacher data and users in SLcM and Evento]
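The Central Person and the Duplicate Check shown on the last two slides, as an added Python example that is not FU Berlin's code. It assumes that a natural person is identified by normalized names plus date of birth (the slides do not say which attributes the check uses), and the SourceRecord/CentralPerson types, the category names and all sample records are constructed for the example:

```python
import unicodedata
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SourceRecord:
    """A person record as it exists in one source system (FUDIS or HCM)."""
    system: str        # "FUDIS" or "HCM"
    record_id: str     # FUDIS Teacher-ID or HCM personnel number (constructed values below)
    given_name: str
    family_name: str
    birth_date: date
    category: str      # "external_teacher", "employed_academic", "associate_professor"


@dataclass
class CentralPerson:
    """One natural person; several source records may hang off it (the slide's Marcus Miller)."""
    central_id: int
    records: List[SourceRecord] = field(default_factory=list)


MatchKey = Tuple[str, str, date]
EMPLOYEE_CATEGORIES = {"employed_academic", "associate_professor"}


def _normalize(s: str) -> str:
    """Case-fold, collapse whitespace and strip diacritics so 'MÜLLER' and 'Muller' compare equal.
    Caveat: this does not equate 'Müller' with 'Mueller'; a production check needs fuzzier matching."""
    decomposed = unicodedata.normalize("NFKD", s)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def match_key(r: SourceRecord) -> MatchKey:
    # Assumption: normalized family name, given name and date of birth identify a natural person.
    return (_normalize(r.family_name), _normalize(r.given_name), r.birth_date)


def build_central_persons(records: List[SourceRecord]) -> Tuple[List[CentralPerson], Dict[str, int]]:
    """Initial migration: fold every source record into a Central Person.
    Returns the persons plus an index 'SYSTEM:record_id' -> central_id for cross-referencing."""
    by_key: Dict[MatchKey, CentralPerson] = {}
    persons: List[CentralPerson] = []
    index: Dict[str, int] = {}
    for r in records:
        key = match_key(r)
        person = by_key.get(key)
        if person is None:
            person = CentralPerson(central_id=len(persons) + 1)
            by_key[key] = person
            persons.append(person)
        person.records.append(r)
        index[f"{r.system}:{r.record_id}"] = person.central_id
    return persons, index


def duplicate_check(persons: List[CentralPerson], candidate: SourceRecord) -> Optional[CentralPerson]:
    """The 'Duplicate Check' step: before Central HR or a faculty creates a new person,
    return the existing Central Person the candidate already belongs to, if any."""
    key = match_key(candidate)
    for person in persons:
        if any(match_key(r) == key for r in person.records):
            return person
    return None


def categorize(persons: List[CentralPerson]) -> Dict[str, int]:
    """Count persons who are external teachers only, employees only, or both
    (the breakdown the migration slide reports)."""
    counts = {"external_only": 0, "employee_only": 0, "both": 0}
    for person in persons:
        cats = {r.category for r in person.records}
        is_external = "external_teacher" in cats
        is_employee = bool(cats & EMPLOYEE_CATEGORIES)
        if is_external and is_employee:
            counts["both"] += 1
        elif is_external:
            counts["external_only"] += 1
        elif is_employee:
            counts["employee_only"] += 1
    return counts


# Constructed sample records; "Marcus Miller" is the example name used on the slide.
SAMPLE_RECORDS = [
    SourceRecord("FUDIS", "T-1001", "Marcus", "Miller", date(1970, 5, 2), "external_teacher"),
    SourceRecord("HCM", "00012345", "Marcus", "Miller", date(1970, 5, 2), "employed_academic"),
    SourceRecord("FUDIS", "T-1002", "Anna", "Schmidt", date(1982, 9, 14), "external_teacher"),
    SourceRecord("HCM", "00055555", "Peter", "Braun", date(1965, 3, 21), "associate_professor"),
    SourceRecord("HCM", "00098765", "Marcus", "Miller", date(1981, 11, 30), "employed_academic"),  # namesake, different person
    SourceRecord("FUDIS", "T-1003", "MARCUS", " miller", date(1970, 5, 2), "external_teacher"),    # second FUDIS id, same person
]

if __name__ == "__main__":
    persons, index = build_central_persons(SAMPLE_RECORDS)
    for p in persons:
        print(p.central_id, [f"{r.system}:{r.record_id}" for r in p.records])
    print(categorize(persons))
```

The namesake with a different date of birth stays a separate Central Person, while the second FUDIS Teacher-ID with sloppy capitalisation folds into the first one; that is exactly the distinction the duplicate check has to draw before a faculty creates yet another teacher record.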
Active Teachers?
- Employed Academics: teaching contract; activity derived from the period of the contract (hire and fire dates in HCM)
- External Teachers: teaching contract for single courses; activity derived per semester from the list of courses per semester (Ext. Teachers in HCM)
Who? Why? When? How?
Reduction of user accounts to the needed number
April 2013 (HCM): 6900 accounts: Ext. Teachers 2300, (Academic) Employees 3100, both 1500; plus 2400 inactive Teacher-IDs
-> Activity Control ->
April 2014 (HCM): 3700 accounts: Ext. Teachers 800, Academic Employees 2400, (Teaching) Employees 500
A Matter of Perspective
"I'm going to teach soon, therefore I am."
"I still need to grade, therefore I am."
Masterdata where? FUDIS / CRM
Was the decision for HCM a good one?
Activity Matrix

Interface  Group                  Before course  After course  After hired in HCM  After fired in HCM
SLcM       Employed (Academics)   3 months       -             -                   7 months
SLcM       Associate Professors   -              -             -                   7 months
SLcM       External Teachers      6 months       7 months      -                   7 months
SLcM       Academic Supervisors   -              12 months     -                   -
Evento     Employed (Academics)   3 months       -             -                   -
Evento     External Teachers      6 months       7 months      -                   7 months
IDM        Employed (Academics)   -              -             -                   7 months
IDM        Associate Professors   -              -             -                   7 months
IDM        External Teachers      6 months       7 months      -                   7 months
IDM        Academic Supervisors   -              12 months     -                   -

HCM has to define and provide the activity period of the teachers for the other systems. It offers no standard functionality for this. The function that computes the activity of a teacher therefore has to be implemented in all the reporting, the Web Dynpros for teachers, the interfaces and the query tools.
Structured Information about Teachers for IDM

Group                               Past members for ... months   Active members of FU   Future members for ... months
Employed Academics                  7                             yes                    -
Employed Non-Academics (teaching)   7                             yes                    -
Associate Professors                7                             yes                    -
External Teachers                   7                             yes                    6
Academic Supervisors                -                             yes                    -
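The activity computation the Activity Matrix and the IDM table describe, as an added Python example that is not FU Berlin's HCM implementation. The month values (6 months lead time for external teachers, 7 months grace after a course or contract ends, 12 months for academic supervisors) are taken from the slides as read above for the IDM interface; the group names, the Period and CentralPerson types, the rule that an HCM hire date needs no lead time, and the sample persons are assumptions of this example:

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Activity windows for the IDM interface in months, read from the slides' matrix:
# (lead time before a course starts, grace period after the course or HCM contract ends).
# Groups without a value on the slides get 0 (assumption).
IDM_WINDOWS: Dict[str, Tuple[int, int]] = {
    "employed_academic": (0, 7),
    "employed_non_academic_teaching": (0, 7),
    "associate_professor": (0, 7),
    "external_teacher": (6, 7),
    "academic_supervisor": (0, 12),
}


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months; the day is clamped to the length of the target month."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


@dataclass(frozen=True)
class Period:
    kind: str            # "employment" (HCM hire/fire dates) or "course" (semester of a teaching contract)
    group: str           # key into IDM_WINDOWS
    start: date
    end: Optional[date]  # None: open ended, e.g. a permanent contract


def activity_window(p: Period) -> Tuple[date, Optional[date]]:
    """The interval during which this period keeps the person active in IDM."""
    before, after = IDM_WINDOWS[p.group]
    if p.kind == "employment":
        before = 0  # assumption: an HCM hire date needs no lead time, only courses do
    end = None if p.end is None else add_months(p.end, after)
    return add_months(p.start, -before), end


@dataclass
class CentralPerson:
    central_id: int
    name: str
    periods: List[Period] = field(default_factory=list)


def activity_status(person: CentralPerson, on: date) -> Tuple[bool, str]:
    """Who? Why? When?: is the person active on `on`, and which period makes them so."""
    for p in sorted(person.periods, key=lambda q: q.start):
        start, end = activity_window(p)
        if start <= on and (end is None or on <= end):
            return True, (f"{p.kind} as {p.group} {p.start}..{p.end or 'open'} "
                          f"keeps the account active until {end or 'further notice'}")
    return False, "no employment or course within its activity window"


def accounts_to_deactivate(people: List[CentralPerson], on: date) -> List[int]:
    """Central IDs whose accounts the automated deactivation should close on `on`."""
    return [p.central_id for p in people if not activity_status(p, on)[0]]


# Constructed sample data; "Marcus Miller" is the example name used on the slides.
SAMPLE = [
    CentralPerson(1, "Marcus Miller", [
        Period("employment", "employed_academic", date(2010, 10, 1), date(2012, 3, 31)),
        Period("course", "external_teacher", date(2013, 4, 1), date(2013, 9, 30)),
    ]),
    CentralPerson(2, "Anna Schmidt", [
        Period("course", "academic_supervisor", date(2013, 1, 1), date(2013, 6, 30)),
    ]),
    CentralPerson(3, "Peter Braun", [
        Period("employment", "associate_professor", date(2009, 4, 1), None),
    ]),
]

if __name__ == "__main__":
    for d in (date(2012, 9, 15), date(2012, 11, 15), date(2014, 5, 1)):
        print(d, activity_status(SAMPLE[0], d))
    print("deactivate on 2014-08-01:", accounts_to_deactivate(SAMPLE, date(2014, 8, 1)))
```

Marcus Miller is the slide's "matter of perspective" in code: his employment window has closed by November 2012, but the six-month lead time of his summer 2013 course already keeps the account alive ("I'm going to teach soon"), and the seven-month grace period after the course carries it to the end of April 2014 ("I still need to grade"). Keeping the rule in one function is the point the slides make: every report, Web Dynpro and interface should call it rather than re-implement it.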
Implementation of new Identity and Access Management
Top 2: Introduction of Roles (Characteristics of Identity)
Authorization before …
[Diagram: dozens of individual authorizations, each assigned one by one without any grouping]
Introduction of Roles
[Diagram, built up in three steps: the individual authorizations are clustered into Group 1, Group 2 and Group 3; the groups are then bundled into Business Role 1, Business Role 2 and Business Role 3]
Role Approval Workflow
[Diagram: User Applicant -> Application -> Key User (ok) -> IdM -> Authorization]
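The role model and approval workflow of the last three slides, as an added Python example that is not FU Berlin's IdM. The names Group 1..3 and Business Role 1..3 come from the slides; the authorizations inside the groups, the key users entitled to approve, the request states and the rule that nobody approves their own request are assumptions of this example:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Authorization = Tuple[str, str]  # (system, authorization object); contents assumed

# Single authorizations are bundled into groups, groups into business roles (role catalogue assumed).
GROUPS: Dict[str, Set[Authorization]] = {
    "Group 1": {("SLcM", "DISPLAY_STUDENT"), ("SLcM", "ENTER_GRADES")},
    "Group 2": {("HCM", "DISPLAY_EMPLOYEE")},
    "Group 3": {("FI", "DISPLAY_COST_CENTER"), ("FI", "POST_INVOICE")},
}
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "Business Role 1": {"Group 1"},
    "Business Role 2": {"Group 1", "Group 2"},
    "Business Role 3": {"Group 3"},
}
# Key users who may approve requests for a role (assumed).
KEY_USERS: Dict[str, Set[str]] = {
    "Business Role 1": {"keyuser.teaching"},
    "Business Role 2": {"keyuser.teaching", "keyuser.hr"},
    "Business Role 3": {"keyuser.finance"},
}


def role_authorizations(role: str) -> Set[Authorization]:
    """Expand a business role through its groups to the concrete authorizations."""
    auths: Set[Authorization] = set()
    for group in BUSINESS_ROLES[role]:
        auths |= GROUPS[group]
    return auths


@dataclass
class RoleRequest:
    applicant: str
    role: str
    applied_on: date
    state: str = "applied"  # applied -> approved -> provisioned
    approver: Optional[str] = None


@dataclass
class Assignment:
    user: str
    role: str
    since: date
    awarded_by: str
    until: Optional[date] = None  # set when the assignment is revoked; history is kept


class IdM:
    def __init__(self) -> None:
        self.assignments: List[Assignment] = []

    def apply(self, user: str, role: str, on: date) -> RoleRequest:
        if role not in BUSINESS_ROLES:
            raise KeyError(f"unknown business role {role!r}")
        return RoleRequest(applicant=user, role=role, applied_on=on)

    def approve(self, req: RoleRequest, key_user: str) -> None:
        """Only a key user of that role may approve, and never the applicant themselves."""
        if req.state != "applied":
            raise ValueError(f"request is {req.state}, not open")
        if key_user == req.applicant or key_user not in KEY_USERS[req.role]:
            raise PermissionError(f"{key_user} may not approve {req.role} for {req.applicant}")
        req.state, req.approver = "approved", key_user

    def provision(self, req: RoleRequest, on: date) -> Assignment:
        """Turn an approved request into an assignment recording who awarded it and since when."""
        if req.state != "approved" or req.approver is None:
            raise ValueError("only approved requests are provisioned")
        a = Assignment(user=req.applicant, role=req.role, since=on, awarded_by=req.approver)
        self.assignments.append(a)
        req.state = "provisioned"
        return a

    def active_assignments(self, user: str) -> List[Assignment]:
        return [a for a in self.assignments if a.user == user and a.until is None]

    def authorizations(self, user: str) -> Set[Authorization]:
        """Effective authorizations across all systems, derived only from active roles."""
        auths: Set[Authorization] = set()
        for a in self.active_assignments(user):
            auths |= role_authorizations(a.role)
        return auths

    def deactivate(self, user: str, on: date) -> int:
        """End of employee or teaching status: revoke every active role, keep the record."""
        ended = self.active_assignments(user)
        for a in ended:
            a.until = on
        return len(ended)

    def report(self) -> List[Dict[str, object]]:
        """Who has which right in what system since when, awarded by whom."""
        rows: List[Dict[str, object]] = []
        for a in self.assignments:
            if a.until is None:
                for system, auth in sorted(role_authorizations(a.role)):
                    rows.append({"user": a.user, "system": system, "authorization": auth,
                                 "role": a.role, "since": a.since, "awarded_by": a.awarded_by})
        return rows
```

Because an authorization only ever reaches a user through a provisioned role assignment, the report answers the "who has which rights, since when, awarded by whom" question directly from the assignment records, and deactivation is a single operation on the person rather than a hunt through every system.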
Did it help?
Identity Management at work:

Strategic Goals reached with the new IAM
- Comprehensive offer of information: information available online about who has which rights in what system since when, and awarded by whom
- Mobile information: web based role request and provisioning
- Smart processes: trans-departmental onboarding process with a single point of entry for information
- Secure data: automated user deactivation upon end of employee status
- Sustainable use of resources: no more licence fees for inactive users
Dr. Christoph Wall, Director administrative IT-Services
Boltzmannstraße 18, 14195 Berlin, Germany, Tel: +49 30 838 58000, Web: www.fu-berlin.de/eas

Gudrun Buchholz, Team Lead HCM-Services
Boltzmannstraße 18, 14195 Berlin, Germany, Tel: +49 30 838 54764, Web: www.fu-berlin.de/eas