Novell® Identity Manager: It’s Not Just about Identity Management Anymore!

Steve Whicker, Manager – Security Compliance, AHIS – Central Region, St Vincent Health, [email protected]

Sarah Hetrick, Sr Technical Engineer, AHIS – Central Region, St Vincent Health, [email protected]

Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


DESCRIPTION

To support regulatory compliance, audit requirements and its strategic direction, St. Vincent Health joined with Novell to design, develop and implement a Novell Identity Manager system in its 18 hospitals to provide role-based access control and audit capabilities that exceed auditor requirements. This session provides an overview of the business case, benefits, phased approach and technical solution for role-based access at St. Vincent Health in support of HIPAA compliance. It includes a demonstration of Novell Identity Manager based workflow customization, role-based access control entitlements and provisioning, and shows how Identity Manager can be used to manage processes other than identity and access management. You will see a complete demonstration of St. Vincent’s Identity Manager solution and how Novell Sentinel reporting is providing answers to auditor and management questions.


Page 1: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Page 2: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!

© Novell, Inc. All rights reserved.

Identity Management Goals at St. Vincent Health

• Enable regulatory compliance (HIPAA) and internal controls in IS security processes

• Reduce operating costs through user account provisioning (process automation) and sharing common infrastructure components

• Decrease corporate exposure by reducing the risk of unauthorized access to data & automating enforcement of security policy

• Improve associate satisfaction by automating online HR benefits management

• Improve data integrity by decreasing duplicative identity data stores and manual data entry processes

• Improve the quality of services provided by IS

Page 3: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


St. Vincent Health’s Identity Management Drivers

Regulatory Compliance

• HIPAA

– Unique user identification requirements

– Access Control Requirements

– Auditing Requirements

– Minimum Necessary Requirements

Security

• Enterprise Role-based Access Control (RBAC) model

• Auditing / Reporting

• Automate Manual Security Policies

• Automate Identity Management (Create, Modify, Delete)

• Automate Roles Based Access Control

• Automate Workflow Approval, Denial

Efficiency / Cost

• Reduce Manual Admin via automated account provisioning

• Manage online HR Benefits

• Set up Foundation for Expanded Services

• Improve Data Accuracy

• Leverage Current Investments

• Provide Password Reset Self Service

Page 4: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Where We Started (July 2005)

• Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)

• Two separate and overlapping access request processes for identity and access management (ID Request & IS Request) made it difficult to centrally manage access requests and change logs

• Identity creation and management was a manual process

• No centralized process to document request completion

• No formal validation process to verify the authenticity of requesting manager

• Multiple touch points (Network Administrator and Application support personnel) for creation of Login ID for an individual user

• De-provisioning process was not consistently followed

• No user entitlement matrix existed

Page 5: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Our Identity Management Roadmap

Cross-cutting track: Governance, Organizational Change Management and Communication

Roadmap phases:

• Directory Infrastructure Readiness

• Enhanced Provisioning Design and Implementation

• Role Based Provisioning Design and Implementation

• Auditing and Reporting

• Business and Ongoing Support

Activities shown on the roadmap:

• Implement Universal Password

• Upgrade Existing Drivers to IdM2

• Enable Bi-Directional Creates

• Upgrade NT Domains to AD

• Consolidate File Services Trees

• Identify Audit Needs

• Design Auditing and Reporting

• Audit Logging (enable real time logging with appropriate systems)

• Implement Audit

• Role Definition and Mapping

• Document Role based provisioning requirements

• Design Role based provisioning

• Implement Role based access and provisioning

• Provision users to additional systems

• Document Identity Management Requirements

• Design Enhanced Identity Management

• Document Web based Provisioning Workflow Requirements

• Design Web based Provisioning Workflow

• Implement Web Based Provisioning Workflow

• Enhance Existing Connectors and Implement

• Implement PeopleSoft Connector

• Implement Password Self Service

• Skill Assessment

• Process Analysis and Design

• Skills Development and Training

• Ongoing Maintenance and Support

Page 6: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Identity and Request Management Portal

(Architecture diagram.) Systems connected through the portal and Identity Manager: IDV (Identity Management Portal), IND1, STVLDAP, National AD / Exchange (STVNET), Vistar, STVI, Biztalk, Data Warehouse, and several Windows servers.

Page 7: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Hiring Process

Process performed for each application requested.

Swimlanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications

Start 1

1. HR/manager is notified of new hire (associate / non-associate)

2. HR/manager enters hire data into PS (associate / non-associate)

3. All required attributes are available and PeopleSoft effective date has transpired

4. Is this a new Identity?

– No: 5b. Go to Modify Users Process Box #4

– Yes: 5a. Identity Manager determines unique Login ID

6. Identity Manager creates and places the Identity

7. PeopleSoft is updated with Login ID & email address

8a. Identity Manager creates Identity in STVI

8b. Identity Manager creates Identity in SVHLDAP

9. Identity Manager creates Identity in IND1

10. Identity Manager creates Identity in STVNET

11. Identity Manager emails manager of new hire

12. Go to Modify Users Process Box #10b

13. Identity Manager generates workflow & email notify for default applications per rules (manager requests additional Apps via WF)

14. WF approved by approver?

– Yes for connected system: 15a. Create new user account automatically

– Yes for non-connected system: 15b. Application support checks queue

16. Application support determines access rights

17. Application support creates Identity and access rights

18. Application support approves WF

19. Workflow generates email notifications

20. User and Manager receive notification that application has been granted

Page 8: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Termination Process

Swimlanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications

Start 1: 1. Manager is notified of a termination event for associate or non-associate

Start 2: 1b. HR Service Center is notified of termination event for associate or non-associate

Start 3: 1c. Termination is initiated through VISTAR feed

2. Data is entered into PeopleSoft HRMS

3. IDM updates user data in IDV, disables account & moves user to the inactive container

4a. Is this a no-show hire?

– Yes: 5. Server team is email notified that the user never showed up for work; research is done, and accounts may be deleted manually instead of just disabled automatically

4b. Routes termination WF request to all app security admin(s)

6. IDM updates user data in STVI, disables account & moves user to the inactive container

7. IDM disables GroupWise user and sets visibility to none

8. IDM updates user data in IND1, disables account & moves user to the inactive container

9. IDM deletes user account in STVNET

10. IDM deletes user account in SVHLDAP

11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account

13. Application support admins disable/delete user manually in other application(s)

13. Application Support approves WF

14. Workflow generates email notifications

15. Manager receives notification

Page 9: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Other Processes Handled

• Renames (Name Changes)

• Business Unit Changes

• User Data Changes

Page 10: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Automated Escalation Process Ensures Customer Requests Are Not Lost

Start: Initiated by Manager to grant application for End User (could take up to 6 days)

• Application Owner (days 1–2): Approved * / Denied / Time Out (escalate)

• Escalate to Owner’s Mgr (days 3–4): Approved * / Denied / Time Out (escalate)

• 2nd Escalation to Owner’s Mgr (days 5–6): Approved * / Denied / Time Out

Finished: Entitlement is granted

IDM: Log for all denied activities

* indicates completion of work
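The escalation ladder on this slide as a small simulation; this is an added illustration, not code from the St. Vincent Health deployment or from Novell Identity Manager. The class and function names, the two-day window per tier, the constructed sample request, and the "unresolved" outcome after the final time out (the slide does not say what happens then) are assumptions.

```python
from dataclasses import dataclass, field

TIMEOUT_DAYS = 2  # each approver has two days: 1d-2d, 3d-4d, 5d-6d on the slide
TIERS = ("Application Owner",
         "Owner's Manager (1st escalation)",
         "Owner's Manager (2nd escalation)")

@dataclass
class AccessRequest:
    user: str
    application: str
    requested_by: str            # manager who initiated the request for the end user
    state: str = "pending"       # pending | granted | denied | unresolved
    decided_by: str = ""
    completed_day: int = 0
    audit: list = field(default_factory=list)   # IDM log of every outcome, denials included

def run_escalation(req: AccessRequest, responses: dict) -> AccessRequest:
    """Walk the request through the approval tiers.

    responses maps a tier index to 'approve' or 'deny'; a tier with no entry
    never answers, so its window times out and the request escalates.
    """
    for tier, approver in enumerate(TIERS):
        window_end = (tier + 1) * TIMEOUT_DAYS
        decision = responses.get(tier)
        if decision == "approve":
            req.state, req.decided_by, req.completed_day = "granted", approver, window_end
            req.audit.append(f"by day {window_end}: {approver} approved; entitlement granted")
            return req                       # '*' on the slide: work is complete
        if decision == "deny":
            req.state, req.decided_by, req.completed_day = "denied", approver, window_end
            req.audit.append(f"by day {window_end}: {approver} denied; logged by IDM")
            return req
        req.audit.append(f"day {window_end}: no response from {approver}; time out, escalating")
    # Assumption: after the third time out the request is flagged for manual follow-up.
    req.state, req.completed_day = "unresolved", len(TIERS) * TIMEOUT_DAYS
    req.audit.append(f"day {req.completed_day}: final escalation timed out; request unresolved")
    return req

def max_days() -> int:
    """Longest path through the ladder (the slide's 'could take up to 6 days')."""
    return len(TIERS) * TIMEOUT_DAYS

if __name__ == "__main__":
    # Constructed sample: the application owner never answers, the owner's manager approves.
    r = run_escalation(AccessRequest("jdoe", "Lab System", "mgr1"), {1: "approve"})
    print(r.state, r.decided_by, r.completed_day)
    print("\n".join(r.audit))
```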

Page 11: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Service Request Management

• Replaced existing Information Services Request (ISR) System

• Provides three different workflow processes

– Catalog Equipment Order

– Equipment Moves & Removals

– Professional Services (Including Projects)

• Utilized management hierarchy to route approvals

• Ties Identity and Request Management (IDRM) to the ticketing system

– Currently a manual connection

– Future connection will be automated using SOAP

Page 12: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Professional Services Workflow

(Flow diagram.)

• PSP Request Initiated

• Manager Approval

• IS Tuesday / Thursday Group Reviews Request

• Project? Yes: Start Project Workflow Process

• Requires Assessment? Yes: Assign team for evaluation; Request discussed with Requested Approving Manager; Manager OK with Cost? No: Request Terminated

• Assign to Appropriate team

• E-mail to Services Desk with request information for ticket creation

• E-mail to requester with status and Ticket Number

• Finish: Ticket number is entered into IDRM Request and closed

Page 13: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Self-Service Password Reset

• Provides users the ability to reset their own password anytime, any place

– At work

– At home on portals

• Reduces Helpdesk calls

• Provides for positive validation of user identity through “Challenge and Response” Questions

• Easily integrates with current systems

Page 14: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


Lessons Learned

• Know and thoroughly document your environment

• Assume nothing (verify things actually work as advertised)

• Understand the organization’s business processes

– Talk to the users and understand yours and their business processes

• Cooperation and involvement of Human Resources is vital

• Have a viable test environment

• Be prepared for problems

Page 15: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!


What’s Next?

• Install the Roles and Provisioning Module

– Upgraded version of the User Application

• Role Based Provisioning Design and Implementation

Page 16: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!

Demonstration

Page 17: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!

Questions?

Page 18: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!
Page 19: Identity and Request Management Using Novell Identity Manager: Identity Manager—It’s Not Just about Identity Management Anymore!

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.