In this Q&A, ITS Identity Management Manager Celeste Copeland explains two key identity management concepts. This post is part of a continuing series about ITS Identity Management.
What are provisioning and deprovisioning?
One of the key responsibilities of Identity Management is providing new users with access to the things they need, and removing this access when they depart. The industry calls this provisioning and deprovisioning.

Here is one scenario. A student needs access related to their course work or the libraries. The student should be able to get access before arriving on campus so he or she can go through orientation. That access should continue until a certain amount of time after the student graduates in order to enable the student to move email or files off the system.
In another scenario, a staff member is given access to sensitive data such as personnel information and is provided training on responsibilities related to sensitive data. This employee continues to have access until he or she leaves. Then the access should be revoked immediately upon termination.
Provisioning and deprovisioning are still highly manual. What is ITS doing toward its goals of making the system less manual and adopting a management system, or tool, that meets the University’s needs? What challenges have complicated those efforts?
Several commercial products try to address the Identity and Access Management space. Sun Identity Manager was one such system. After evaluating several products, ITS purchased the Sun product in 2008. Before we could implement it, however, Oracle bought Sun and decided to discontinue this product line.

As we had already evaluated the Oracle product and hadn’t selected it, we decided to look at the open-source community to see if there were any solutions there. While we didn’t find any, there was a standard called Service Provisioning Markup Language (SPML) that was getting a lot of attention from the community and also Oracle itself.
Karsten Huneycutt, who was a senior member of the UNC-Chapel Hill IdM team at the time, created something called an SPML toolkit, which he released to the community to see if anyone would be interested in using it for a provisioning solution.
We then created our own internal provisioning solution using this standard and called it IMPROV (Identity Management Provisioning). We’ve been using this system and its associated user interfaces since 2013 to provision and deprovision Onyens and Guest IDs. It also provides administrative utilities used by the ITS Service Desk and other service desks around campus. These administrative utilities allow troubleshooting of issues such as expired passwords and also allow them to perform password resets when needed.
Why are provisioning and deprovisioning still highly manual?
Currently, IMPROV is only able to provision Onyens and Guest IDs, along with a couple of other things like requests for space on Research Computing clusters. Each new thing to provision would need to be integrated with the system where the account or service is created.

There are many more things we would like to automatically provision and deprovision, possibly things like email/calendaring, and so forth. We’ve had a lot of queries from groups outside of ITS wanting to have a way of being informed when someone leaves the University so that they can deprovision local system access.
What is the next step?
Rather than continuing to expand IMPROV, since it is a custom solution, we would rather have a community solution that other higher education institutions are also using. To that end, we are paying close attention to the TIER effort from Internet2, which is a group that is exploring possible provisioning solutions, among other things. Ethan Kromhout, Director of Applications Infrastructure, and I are participating in the TIER APIs group, which is tasked with provisioning and other related API work.

We will see what develops from that group. Many other universities are having this very same set of problems, so we’re not alone in that. In the meantime, there is a project that Candace Reynolds, Special Projects, Office of the CIO, is undertaking to do an overall review of Identity Management in an effort to set priorities for us to focus on. When we have the results of that, we may be able to put a target date on getting a more thorough provisioning/deprovisioning solution in place.
In the meantime, ITS has made some changes to deprovision much more rapidly. How did you accomplish this?
We now have enforcement of the Onyen policy in terms of deprovisioning the Onyen within a specified time frame based on the roles users have when they leave. This resulted in faster deprovisioning.
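The two scenarios in the first answer (a student provisioned before arrival and kept for a grace period after graduation; a staff member with sensitive-data access revoked upon termination) and the role-based deprovisioning windows mentioned in the last answer describe one lifecycle policy. The following is an added example, written for this post and not code from ITS or IMPROV, that models that policy: the role names, the grace-period lengths, the pre-arrival window and the sample records are all constructed assumptions, since the post does not state the actual Onyen policy values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Grace windows per role: days after departure before the account is deprovisioned.
# Constructed values for this example; the post does not state the real policy windows.
ROLE_GRACE_DAYS: Dict[str, int] = {
    "student": 90,  # time to move email and files off the system after graduation
    "staff": 0,     # revoked on the departure date itself
    "guest": 14,
}
PRE_ARRIVAL_DAYS = 30  # how early before the start date a user may be provisioned (assumed)


@dataclass
class Identity:
    onyen: str
    roles: Set[str]
    active_from: date
    departed_on: Optional[date] = None
    sensitive_data_access: bool = False  # e.g. personnel information


def deprovision_date(identity: Identity) -> Optional[date]:
    """Date on which the account should be deprovisioned, or None while the user is active.

    With several roles the shortest window wins, and sensitive-data access is
    always revoked on the departure date regardless of other roles.
    """
    if identity.departed_on is None:
        return None
    if identity.sensitive_data_access:
        return identity.departed_on
    unknown = identity.roles - ROLE_GRACE_DAYS.keys()
    if unknown or not identity.roles:
        # Refuse to guess: an undefined window would silently leave access in place.
        raise ValueError(f"no deprovisioning window for roles: {sorted(unknown)}")
    grace = min(ROLE_GRACE_DAYS[r] for r in identity.roles)
    return identity.departed_on + timedelta(days=grace)


def should_have_access(identity: Identity, today: date) -> bool:
    """Provisioning decision for one day: not before the pre-arrival window opens,
    and not on or after the deprovisioning date."""
    if today < identity.active_from - timedelta(days=PRE_ARRIVAL_DAYS):
        return False
    end = deprovision_date(identity)
    return end is None or today < end


def overdue_deprovisions(identities: List[Identity], today: date) -> List[str]:
    """Onyens whose access should already be gone; this is the notification list
    that other campus groups asked for so they can remove local system access."""
    return sorted(i.onyen for i in identities
                  if i.departed_on is not None and today >= deprovision_date(i))


# Constructed sample records (not real users).
SAMPLE: List[Identity] = [
    Identity("grad01", {"student"}, date(2020, 8, 20), departed_on=date(2024, 5, 12)),
    Identity("hrstaff", {"staff"}, date(2015, 1, 5), departed_on=date(2024, 6, 1),
             sensitive_data_access=True),
    Identity("newstu", {"student"}, date(2024, 8, 20)),
    Identity("dual", {"student", "staff"}, date(2019, 1, 7), departed_on=date(2024, 7, 1)),
]


def _iso(d: Optional[date]) -> Optional[str]:
    return d.isoformat() if d is not None else None


def review(today_iso: str) -> dict:
    """Run the policy over SAMPLE for one day; dates are returned as ISO strings."""
    today = date.fromisoformat(today_iso)
    return {
        "deprovision": {i.onyen: _iso(deprovision_date(i)) for i in SAMPLE},
        "access": {i.onyen: should_have_access(i, today) for i in SAMPLE},
        "overdue": overdue_deprovisions(SAMPLE, today),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review("2024-07-15"), indent=2))
```

The design point is that every departed identity maps to a definite deprovisioning date computed from its roles, so the "overdue" list can be produced by a scheduled job rather than by someone remembering to file a ticket; the `ValueError` for a role with no defined window is deliberate, because a missing rule should fail loudly instead of leaving an account in place.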