From Directory Steering to Identity Governance
Experiences at CU-Boulder

Page 2

Dog

Page 3

Summary

What we called Directory Steering at the time was really Enterprise Identity Management.

Page 4

Conclusions

There are two types of IdM governance.

IdM governance activities happen in flurries related to specific projects. This is not ideal.

Page 5

2001 Directory Project

Steering Team Member Criteria:

Policy maker at campus or system level

AND/OR

Knowledge expert in how University conducts business

Page 6

Task: Directory Policy
http://www.colorado.edu/its/directoryservices/documents/policy.html

Establishes

– Directory Governance;

– Official Data Sources (the information systems from which the Directory will extract its data, create entries, and update entries, and upon which it will base its reconciliation);

– Directory Inclusion (categories of people who will be included in the CU-Boulder Directory);

– Directory Use (privacy requirements; who may have authenticated access to the Directory; who may pull data from the directory and for what purposes; and who must use the Directory)

Page 7

Task: Affiliation

Affiliation describes an individual’s relationship with the university.

Affiliation will be used for two primary purposes:

To determine whether services should be granted to the user (check performed via a directory-enabled system)

To determine what information should be displayed and/or made public for the individual associated with the entry.

[Diagram: affiliation types plotted between a DISPLAY/QUERY axis and a SERVICE axis. Affiliations shown: Admitted Student, Confirmed Student, Parent?, Student, Staff, Faculty, Student Employee, Retiree, Employee, Spouse, Alum, Sponsored, vendor?, contractor?, visiting faculty?, Directory-only, Conference Attendee.]

Page 8

And Even…

[Table: affiliation types (rows) against services (columns); the individual yes / no / yes-no cells are not legible in this copy.]

Service columns: dir list, email, idkey, lab, AD, modem, dhcp, Webhost, acct, ememo, library, idcard, RTD, recctr, other special conditions

Affiliation rows, with the "other special conditions" note where one is legible:

– ContEd noncredit[1]: PLUS; web ct[6]; current enrollment

– campus ministries: special id card

– clubs/orgs[7]: ucsu-reg if student org.; expire date

– conference attendee[8]: web CT, wshc; short term service

– vendor/contractor: svcs vary by ven.; expire per vendor.

– CU Agency list[11]

– alumni: (addr); PLUS

– Foundation Staff
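The two uses of affiliation described on the Affiliation slide (granting services, and deciding what a directory query may display) and the expiry conditions noted in the matrix above ("expire per vendor", "expire date", "short term service") can be expressed as one small policy evaluator. The following is an added example, not code from the CU-Boulder presentation; its grant matrix, display rules, time-limited affiliation list and sample entries are constructed placeholders, not the campus's actual policy.

```python
"""Affiliation-driven service grants and directory display.

Added example, not code from the CU-Boulder slides. SERVICE_GRANTS,
DISPLAY_RULES, TIME_LIMITED and SAMPLE_ENTRIES are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed grant matrix: affiliation -> services it confers. Service names
# follow the slide's columns; the yes/no choices are made up.
SERVICE_GRANTS = {
    "Student": {"dir list", "email", "idkey", "lab", "AD", "library", "idcard", "RTD", "recctr"},
    "Faculty": {"dir list", "email", "idkey", "lab", "AD", "library", "idcard", "recctr"},
    "Staff": {"dir list", "email", "idkey", "AD", "library", "idcard", "recctr"},
    "Alum": {"library"},
    "Conference Attendee": {"lab"},   # short-term service only
    "vendor/contractor": set(),       # "svcs vary by ven.": grants come from the sponsor
}

# Constructed display policy: affiliation -> attributes a public query may show.
DISPLAY_RULES = {
    "Student": {"name", "email"},
    "Faculty": {"name", "email", "department", "phone"},
    "Staff": {"name", "email", "department", "phone"},
    "Alum": {"name"},
    "Conference Attendee": set(),
    "vendor/contractor": {"name"},
}

# Affiliations the slide marks as expiring: without an expiry date they are
# treated as inactive, so a sponsor cannot create an open-ended vendor account.
TIME_LIMITED = {"vendor/contractor", "Conference Attendee", "Sponsored"}


@dataclass
class Affiliation:
    kind: str
    expires: Optional[str] = None   # ISO date "YYYY-MM-DD"; compares correctly as text
    # Sponsor-specified grants for affiliations whose services "vary by vendor".
    extra_services: frozenset = frozenset()


@dataclass
class Entry:
    attributes: dict
    affiliations: list = field(default_factory=list)
    opt_out: set = field(default_factory=set)   # attributes the person asked not to publish


def active_affiliations(entry: Entry, today: str) -> list:
    """Drop expired affiliations, and time-limited ones that carry no expiry."""
    active = []
    for a in entry.affiliations:
        if a.expires is not None and a.expires < today:
            continue
        if a.expires is None and a.kind in TIME_LIMITED:
            continue
        active.append(a)
    return active


def services_for(entry: Entry, today: str) -> set:
    """Union of services over all active affiliations (a student employee gets both)."""
    granted = set()
    for a in active_affiliations(entry, today):
        granted |= SERVICE_GRANTS.get(a.kind, set())
        granted |= set(a.extra_services)
    return granted


def has_service(entry: Entry, service: str, today: str) -> bool:
    """The check a directory-enabled system performs before granting a service."""
    return service in services_for(entry, today)


def public_view(entry: Entry, today: str) -> dict:
    """Attributes a public directory query may return for this entry."""
    visible = set()
    for a in active_affiliations(entry, today):
        visible |= DISPLAY_RULES.get(a.kind, set())
    visible -= entry.opt_out
    return {k: v for k, v in entry.attributes.items() if k in visible}


# Constructed sample entries: a student employee, and a sponsored vendor.
SAMPLE_ENTRIES = {
    "alice": Entry(
        attributes={"name": "Alice Example", "email": "alice@example.edu",
                    "department": "Physics", "phone": "555-0100"},
        affiliations=[Affiliation("Student"), Affiliation("Staff")],
        opt_out={"phone"},
    ),
    "vendor1": Entry(
        attributes={"name": "Vendor One", "email": "v1@vendor.example"},
        affiliations=[Affiliation("vendor/contractor", expires="2024-12-31",
                                  extra_services=frozenset({"AD", "dhcp"}))],
    ),
}

if __name__ == "__main__":
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, sorted(services_for(entry, "2025-03-01")), public_view(entry, "2025-03-01"))
```

The evaluator unions grants across all active affiliations, so a student employee receives the student and staff services together, while an expired or undated vendor affiliation yields nothing and disappears from public display; the opt-out set applies the privacy requirement on top of whatever the affiliation would otherwise expose.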

Page 9

Ongoing Governance

Structural and Logistical

Prioritization of new development

Review of data use requests (e.g., Photo Class Rosters)

New application access to Registry data

“Local” vs. “Enterprise” identity data: Application specific extensions to directory.

New Process and Policy

Evolving groups, roles, and affiliations

Delegated administration

Non-person identities

Multi-campus identities, and federation between campuses and entities external to the university.

Page 10

When

Ad hoc, as needed to resolve issues related to specific projects (e.g., the desire for a new “sponsored” affiliation type to support a new departmental application).

May get bypassed because issue “not worth effort.”

Page 11

Discussion Points

Should the Structural/Logistical issues be addressed by the same governance as policy and process issues (are they so intertwined that the structural issues can’t be pure IT design and management concerns)?

The right balance for governance:

– Frequent, regular involvement in the identity implications of any and all on-going projects.

– Very infrequent high-level policy making, leaving the details to business process and application owners.