IAMUCLA Overview
@ The UCLA Enterprise Messaging User Group Meeting March 13, 2008
What is IAMUCLA?
Identity & Access Management @ UCLA
Who wants to access a resource? (Authentication)
Does the person have permission? (Authorization)
Before IAMUCLA
• User logs into each application separately, using a different logon ID for each
• Permissions managed separately in individual applications
• Each application kept its own copy of user identity data
Examples: Departmental Intranet, URSA, Class Web Sites, Discussions, Service Requests, Budgeting, Research Proposal Tracking … and others
Phase I: Identity and Authentication
• Campus-wide Credential: UCLA Logon
• Enterprise Directory: consolidated repository for person identity data; supports authentication and authorization decisions
• Web Single Sign-On: ISIS today; Shibboleth is the future
• Unified Directory Data: official email address
IAMUCLA Architecture, Take One
• User logs in once through ISIS/Shibboleth (web single sign-on) using the UCLA Logon ID
• The Enterprise Directory (ED) supplies the user's identity data to the application
• Permissions are still managed separately in individual applications
• Web apps on this model: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, and many other web apps
Credentialing
• The mainframe source systems (UID, SIS, PPS) feed initial identity data for UCLA members into the Enterprise Directory (ED) in near real time
• A student is prompted to create a UCLA Logon during SIR
• An employee uses the self-provisioning tool to create a logon ID once she becomes an employee
• Visitors and affiliates use the same self-provisioning tool to create a low-level-of-assurance "guest" account
• Account creations are verified against ED identity data; created accounts are written to ED in real time
• Diagram elements: Enterprise Directory, logon.ucla.edu, URSA, student, employee, visitors and affiliates
Over 200 Web Apps Use ISIS, including:
URSA, MyUCLA, MyHousing, RATS (Animal Protocols), Effort Reporting System, OFSR, Web Merits, CBIG, DAT, BruinCard, CCLE, UCLA Jobs: PeopleAdmin, Counselor Desktop, CLICC Laptop Checkout, Construction Mgt Database, Online TSR, Gradebook, Online Journal Entry, Transfer of Funds, ATS network account provisioning, ASUCLA Computer Store Online, MyEvents, MyFAO, ISSR Data Archives Data Delivery, CTS Directory Update System, COMIT, Duplicate W2-Forms, Non-Payroll Expenditure Adjustment, Post Audit Notification (PAN), BruinPost, Emergency Email Notification System, BruinBuy Web Reports, Digital Library Programs,
SEAS Online, SEAS Email Forwarding, Wireless Network Registry, Equipment Management, UCLA Student Calendar, UCLA Grid Portal, UCLA Library Catalog, UCLA in LA, UCLA Library Public Wiki, OID TEC, Transcript System, UCLA Knowledge Base, Express, TFT Intranet, Gradebook, Data Warehouse Reporting (Cognos), QDB Support and Administration, APO Dossier Action Tracking, My.CLICC, CLICC Laptop Checkouts, CTS Personnel Action Request, VoIP Self-Provisioning Administration, Wireless Network Registry, CTS ProjectTrak, Confluence, JIRA, My.DMA, ESLPE, UCLA Student Calendar, Life Sciences Dossier Web Site, Undergraduate Scholarship Application, Work-Study Job Bulletin for Employers, Summer Financial Aid Portal,
Music Library: Digital Audio Reserves, VideoFurnace @ Instructional Media Lab, OPRS, Psychology IT & HelpDesk Portals, Registrar's Office Service Request, Student Records Web, Registrar's Office Transcript System, UCLA Restricted Network Access Administration, UCLA ResNet DMCA Admin, STC Software Download, UCLA Sakai, Social Sciences Class Scheduler, PDP Portal, Social Sciences Subversion Browser, SSC Ticket System, Student Legal Service Case Tracking, Student Health Online Services, Transportation Services, VoIP WebDialer, CourseWeb@HSSEAS, RNet Web Reports, AIS Password Management Tools, COR Faculty Grants Program, Bruin Walkers, WebIRB, Schoenberg Practice Room Reservation, NowPrint (Web-based Printing On Demand), ESCRO FileShare,
… and many more …
Phase II: Permission Management
• Deploy enterprise-wide, 24x7 permissions management system
• Provide cross-campus integration for all applications
• Create custom delegation tools
• Provide support for local integration
Enterprise Permission Management Benefits
• Simplifies and standardizes: roles can be consistently established and maintained across campus
• Full auditability: who has access to what, and when
• Instantaneous ability to revoke or change at-risk access across campus
• Streamlines the provisioning workflow
• Permits more granular access and revocation
• Reduces sharing of logons and passwords
IAMUCLA Architecture
• User logs in once through ISIS/Shibboleth (web single sign-on) using the UCLA Logon ID
• The Enterprise Directory (ED) delivers the user's identity, groups, and permissions data to the application via Shibboleth
• Permission Management Tools manage permissions once and replicate the same permissions data to non-web systems
• Web apps on this model: URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, and many other web apps
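The two architecture slides describe applications that receive identity and group data through Shibboleth rather than keeping their own permission tables, and the Phase II benefits slide lists instant campus-wide revocation. The following is an added example, not code from IAMUCLA or from the Shibboleth project, showing the application side of that model in Python: an app behind a Shibboleth SP (mod_shib) reads the attributes the SP exported into the request environment, maps centrally managed groups to its own roles, and denies a request whose claimed groups arrived only as client-supplied headers. The attribute ids `eppn` and `affiliation` are Shibboleth SP defaults; `isMemberOf` is an assumed entry in the SP's attribute-map.xml; the group names, user, and request environments are constructed for the example.

```python
"""Added example, not IAMUCLA or Shibboleth project code.

An app behind a Shibboleth SP consumes the identity and group attributes
the directory/IdP releases, and derives its permissions from central
groups instead of a local permission table.  'eppn' and 'affiliation'
are SP default attribute ids; 'isMemberOf' is an assumed mapping; every
group name, user and request environment below is constructed.
"""
from typing import Dict, Set

# The Shibboleth SP joins multiple values of one attribute with ';'.
MULTI_VALUED = ("affiliation", "isMemberOf")

# Role -> groups that grant it.  This mapping is the only thing the app
# owns; membership itself is managed centrally and arrives per request.
ROLE_GROUPS: Dict[str, Set[str]] = {
    "fin:view_reports": {"cn=fin-viewers,ou=groups,dc=example,dc=edu"},
    "fin:post_journal": {"cn=fin-posters,ou=groups,dc=example,dc=edu"},
}


class NotAuthenticated(Exception):
    """Raised when the request carries no SP-established session."""


def parse_shib_environ(environ: Dict[str, str]) -> Dict[str, object]:
    """Extract the SP-supplied identity from a WSGI/CGI environment.

    Only keys that mod_shib sets directly are read.  Client request headers
    surface as HTTP_* keys, so a browser that sends an 'isMemberOf' header
    cannot forge group membership through this code path.
    """
    if not environ.get("Shib-Session-ID"):
        raise NotAuthenticated("no Shibboleth session on this request")
    ident: Dict[str, object] = {
        "eppn": environ.get("eppn") or environ.get("REMOTE_USER", ""),
    }
    for name in MULTI_VALUED:
        ident[name] = {v for v in environ.get(name, "").split(";") if v}
    return ident


def roles_for(ident: Dict[str, object]) -> Set[str]:
    """Map the centrally managed groups on this request to app roles."""
    groups = ident["isMemberOf"]
    return {role for role, grants in ROLE_GROUPS.items() if groups & grants}


def authorize(environ: Dict[str, str], required_role: str) -> bool:
    """Allow only if an SP session exists and its groups grant required_role.
    Unauthenticated requests and unknown roles are denied."""
    try:
        ident = parse_shib_environ(environ)
    except NotAuthenticated:
        return False
    return required_role in roles_for(ident)


# Constructed request environments, shaped like what mod_shib populates.
LEGIT_REQUEST: Dict[str, str] = {
    "Shib-Session-ID": "_7e1c0f",
    "Shib-Identity-Provider": "https://idp.example.edu/idp/shibboleth",
    "REMOTE_USER": "jdoe@example.edu",
    "eppn": "jdoe@example.edu",
    "affiliation": "staff@example.edu;member@example.edu",
    "isMemberOf": "cn=fin-viewers,ou=groups,dc=example,dc=edu",
}
# Same session, but the client added a request header claiming a second
# group; it shows up only as HTTP_ISMEMBEROF, which the app never reads.
SPOOFED_REQUEST = dict(
    LEGIT_REQUEST, HTTP_ISMEMBEROF="cn=fin-posters,ou=groups,dc=example,dc=edu"
)
# Same user after the group was removed centrally: the next assertion
# simply lacks it, and no per-application change is required.
REVOKED_REQUEST = dict(LEGIT_REQUEST, isMemberOf="")
# No SP session at all (for example a path the SP does not protect).
NO_SESSION: Dict[str, str] = {
    "HTTP_ISMEMBEROF": "cn=fin-viewers,ou=groups,dc=example,dc=edu",
}


if __name__ == "__main__":
    cases = [("legit", LEGIT_REQUEST), ("spoofed", SPOOFED_REQUEST),
             ("revoked", REVOKED_REQUEST), ("no session", NO_SESSION)]
    for label, env in cases:
        print(label, "view:", authorize(env, "fin:view_reports"),
              "post:", authorize(env, "fin:post_journal"))
```

The point to carry into a real deployment is the source of the attributes: read them from the environment variables mod_shib sets, not from HTTP headers, which is also what the Shibboleth SP documentation recommends because header-based delivery is only safe when every hop in front of the app strips client-supplied copies of those headers. With that in place, revoking a group membership in the directory is enough; the revoked request above is denied without any application-side change.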
At a Threshold
New applications are emerging with new and large communities of users:
• CCLE – Faculty & Students
• DAT – Faculty & Staff
• IWE – Students & Parents
• GRID – Researchers at UCLA & other campuses
• Clinical Research – Physicians & Students
• Research collaboration – Faculty & Students at UCLA and other campuses
A window of opportunity for a new way to handle permissions
Project Impacts
Strategic
• Underpins collaboration, group processes, interdisciplinary research and education, inter-industry and inter-institutional interactions
• Opens but manages the extension of campus resources to important associate members of the university
Compliance
• Significantly improves ability to meet audit requirements
• Better reporting on access to FERPA and SB1386 protected data
• Reduced risk of major security/access breach
System Lifecycle Necessity
• Critical mass of current projects represents opportunity to integrate now
Project Impacts
Customer/User Impact
• Affects all UCLA faculty, students, and staff
• Also affects parents, researchers, and students at other campuses, etc.
Workload Impact
• Reduced staff time handling provisioning/de-provisioning tasks
• Self-service delegation reduces access delays and improves the user experience
• Central support reduces developer overhead in projects and improves help desks' ability to solve a user problem on "first call"
Financial/Fiscal Impact
• Not implementing now forces all applications to expend resources inventing their own permission management schemes separately
• Retrofit will be far more costly
Questions?