"Identity management has the potential to help individuals and organizations form trusted communities based on varying degrees of identity exposure and mutually agreed accountability, while helping exclude unwanted intruders or inappropriate membership." –U.S. Cyberspace Policy Review, requested by President Barack Obama
Status (November 2009)
The Identity and Access Management (IAM) project response to the 200-45 Administrative Computing Policy is in the process of being posted for standard review. An addendum addressing the use of Kuali workflow has been added to the response. If you are interested in reading or providing feedback on the project, please go to http://admincomputing.ucdavis.edu/.
In late October, the IAM team presented at a series of Accounting and Financial Services annual administrative officer update meetings for both the campus and health system. The project team provided an overview of the service and how it will affect various departments. The team also gave an informational update at the Senior Advisor’s meeting.
The project team has documented current and future workflows and is close to completing the planning phase. Execution of the project plan will begin soon after. The project team expects phase one to be completed in spring 2010. A project roadmap and timeline can be located on the project wiki. For more information, contact Gastón De Ferrari, project manager, at gdeferrari@ucdavis.edu.
Identity and Access Management benefits
Identity and Access Management is the central repository that reconciles and stores key attributes that define a person’s affiliation with UC Davis. The new system creates a unique record for each faculty, staff, student, and other campus affiliate and provides the campus with an authoritative source of identity data. IAM will help users, departments and system administrators keep track of and extract information (i.e., name, employee ID, address, work and personal phone numbers, department name, job title, etc.).
The Identity and Access Management project represents the first significant joint project between the main campus and the health system. The campus benefits from the IT and business expertise and collaboration of both organizations, with the vision and executive guidance of:
- Michael Allred, Associate Vice Chancellor and Finance/Controller,
- William McGowan, Chief Financial Officer, UCDHS,
- Michael Minear, Chief Information Officer, UCDHS and
- Peter M. Siegel, Vice Provost and Chief Information Officer.
A joint IAM system will allow the campuses to share information and resources including the cost of implementation. The project team solicits feedback and expertise from various schools, colleges and administrative departments.
Many departments will increase their productivity and efficiency by decreasing the need for staff to reconcile duplicate and erroneous electronic identity records. For example, Transportation and Parking Services (TAPS) will save 250+ hours of processing time on their databases and roughly 60-80 hours of staff time per year. IAM also greatly reduces the costs for managing current and future applications and helps to eliminate duplication of work among departments and staff.
Many health system staff require access to multiple systems containing various patient medical records. It is common for some employees to have 15 or more different login credentials. IAM creates a single database for identity information and reconciles multiple identities into one per person, regardless of the number of systems that person can access. IAM, combined with a new health system single sign-on application, provides health system staff with a dramatic reduction in the number of passwords they need to remember as well as the amount of time spent logging into various systems.
The project replaces many outdated technologies, often deployed within legacy applications. This modern technological foundation is critical for UC Davis; many new security and privacy rules call for increasingly sophisticated controls for technology access and audit trails.
UC Davis’s IAM integrates with national and emerging international identity federations to facilitate access to outside services, including: collaboration and research administration tools from federal agencies such as the National Institutes of Health and the National Science Foundation; business efficiency tools such as UC’s Connexxus travel reservation system; and emerging research computing grid and cloud computing resources.
IAM mitigates the campus and health system’s exposure to increased privacy risks due to staff having multiple and conflicting access to personal information. IAM increases privacy protection of identities and other confidential data through the use of Role Manager, a tool that manages the level of access allowed to campus members. Role Manager keeps track of who has access to personal information, and if an employee leaves or changes duties, the system automatically removes or changes that person’s access for all systems in a timely manner. IAM functions as a central repository, diminishes privacy risks, and reduces the chance of multiple and conflicting access to information.
UC Davis relies on research and analysis of current and historical information snapshots and statistics of student, course, instructor and employment data to make strategic decisions for the campus. The data used to make such decisions needs to be accurate and easily accessible. Instead of gathering information from various identity sources like Banner, PPS and Active Directory and trying to reconcile discrepancies, the identity and access management system functions as the single source of information which will help ensure the data is definitive.
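As an added illustration of the reconciliation and access-removal behaviour described above (not UC Davis or Role Manager code), the following assumes constructed records from Banner, PPS and Active Directory, an assumed per-attribute source precedence, and an assumed affiliation-to-system role model:

```python
# Added illustration, not UC Davis or Role Manager code: build one authoritative
# record per person from several source systems, then derive access from affiliation.
from collections import defaultdict

# Constructed sample records from three source systems named on the page.
SOURCES = {
    "Banner": [{"emp_id": "100123", "name": "A. Example", "affiliation": "student"}],
    "PPS": [{"emp_id": "100123", "name": "Alex Example", "affiliation": "staff",
             "department": "TAPS"}],
    "AD": [{"emp_id": "100123", "name": "Example, Alex", "affiliation": "staff"},
           {"emp_id": "100999", "name": "Former Employee", "affiliation": None}],
}
# Assumed per-attribute source precedence: payroll (PPS) wins for employment data.
PRECEDENCE = {"name": ["PPS", "Banner", "AD"], "department": ["PPS", "AD"]}
# Assumed role model: the systems each affiliation is entitled to reach.
ROLE_ACCESS = {"staff": {"finance", "email"}, "student": {"sis", "email"}}

def reconcile(sources):
    """Merge every system's view of a person into one record keyed on employee ID."""
    views_by_id = defaultdict(dict)
    for system, records in sources.items():
        for rec in records:
            views_by_id[rec["emp_id"]][system] = rec
    merged = {}
    for emp_id, views in views_by_id.items():
        rec = {"emp_id": emp_id}
        for attr, order in PRECEDENCE.items():
            # Take the first non-empty value in precedence order, so conflicts resolve
            # deterministically instead of by whichever feed happened to load last.
            rec[attr] = next((views[s][attr] for s in order
                              if s in views and views[s].get(attr)), None)
        # A person may hold several affiliations at once (e.g. staff who is a student).
        rec["affiliations"] = {v["affiliation"] for v in views.values()
                               if v.get("affiliation")}
        merged[emp_id] = rec
    return merged

def entitlements(record):
    """Access follows affiliation; a record with no affiliation is entitled to nothing."""
    allowed = set()
    for aff in record["affiliations"]:
        allowed |= ROLE_ACCESS.get(aff, set())
    return allowed

def to_revoke(current_access, record):
    """Entitlements to remove after a departure or change of duties."""
    return set(current_access) - entitlements(record)
```

Comparing each system's current grants against `entitlements()` is what lets a departure or change of duties propagate as a revocation across every connected system rather than being forgotten in one of them.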
Background
UC Davis and the UC Davis Health System have a diverse combination of departments, schools, and colleges, each of which strives to maintain and foster a high level of education and research. The many state-of-the-art services keep the IT departments on both campuses challenged to maintain and improve usability and access while ensuring infrastructure and security. To a large degree, the usability, accessibility, and security of the various systems rest heavily on the ability to manage users’ digital identities—be they doctors, nurses, faculty, staff, alumni, donors, research and business partners or affiliates. Digital identities must be managed effectively in order to authenticate each user and authorize access to specific data.
There are many challenges with managing multiple systems—controlling access to the various networks, maintaining a consistent user identity, and integrating new systems into the existing network are but a few. The Davis and Sacramento campuses combined have more than 400 applications. With the current decentralized log-in technologies (delivered within each software application), it is common for users to have to use and remember 15 to 30 different passwords. As the project proceeds, UC Davis staff will eventually see a dramatic reduction in computer passwords.
The lack of a centralized management system increases the cost to deploy and maintain new and existing systems and exposes the entire network to security issues. The joint strategy developed by both campuses will enable UC Davis to better manage the broad range of supported digital identities.
Groups to be consulted
- Academic Senate
- Administrative Services IT Coordinating Council
- Campus Council for Information Technology (CCFIT)
- Council of Deans and Vice Chancellors (CODVC)
- Deans’ Technology Council (DTC)
- Health System IT Oversight Committee
- Senior Advisors
- Technology Infrastructure Forum (TIF-Infrastructure, TIF-Client Services Issues, TIF-Security)
- Technology Support Program (TSP)
- The University of California, Davis Administrative Management Group (ADMAN)
Resources and additional information
- TSP meeting - June 11, 2009 (PDF, 92 KB)
- UC Davis launches identity management project, opens Web site (TechNews, 7/23/09)
- Identity and Access Management project wiki
Contact information:
Gastón De Ferrari, project manager, gdeferrari@ucdavis.edu
