ITS Identity Management (IdM), has a new name, effective immediately. The unit is now Identity & Access Management, or IAM.
Celeste Copeland, Manager of IAM, said that new name “reflects that we are responsible not just for management of credentials, identity proofing and authentication, but also access to services and authorization through groups management.”
Much of the research and education community now refers to this field as identity and access management to encompass the broader scope of similar groups, Copeland added.
While the name change is immediate, the transition of all resources to the new name “may take a while,” she said.
The IAM team has a total of seven staffers, including Copeland.
What is Identity & Access Management?
Identity & Access Management gathers information about a person that is a coherent picture of the various roles that he or she may have at UNC-Chapel Hill. These attributes are combined into a unified view of a person and presented as directory information in the Online Directory and campus Lightweight Directory Access Protocol (LDAP) system. This data can then be used by various campus applications to determine if a person should have access to websites and data repositories.
Generally, identity and access management is about ensuring that the right people have access to the right things. This happens in two parts. First, authentication — verifying your identity — and second, authorization — what you should be able to access.
Copeland uses a driver’s license analogy to explain how authentication and authorization work together.
“You can check to see who I am by comparing my face to the driver’s license photo. That is the equivalent of authentication. You are checking to see that I am who I say I am,” Copeland said.
“But just because I am who I say I am and my face matches the picture on my driver’s license, that doesn’t mean I should be allowed to drive a tractor trailer. I have a C class license so I can drive a car, but I am not authorized to drive other classes of vehicles. That’s what authorization checking is for,” she said.
Copeland expanded that Onyen authentication alone is just one part of access at UNC. For example, if you have a valid Onyen or GuestID, and you have provided your username and password and/or a second factor like Duo or Carolina Key, you can log into ConnectCarolina. These are all services that Identity & Access Management provides.
What else does IAM at UNC do?
IAM also manages Grouper, which is a groups management utility. With Grouper, you can create groups and use those groups for access control. You can manually create Grouper groups through its user interface or create them dynamically based on Lightweight Directory Access Protocol (LDAP) attribute values.
Grouper’s ability to dynamically create groups can streamline many manual processes. For instance, you may request a group be populated based on department number so that people are automatically added to or removed from the group as they move into or out of a particular department. Grouper can push membership information to Active Directory (AD) and LDAP, which can also be passed as user information when an application uses web Single Sign-On, saving manual efforts.
Identity & Access Management also handles providing provisioning and deprovisioning solutions, including midPoint, for the University. Provisioning is the process to ensure that users can access what they need as soon as they join the campus community, and deprovisioning is that access is securely removed upon leaving.
MidPoint connects systems that hold digital records like ConnectCarolina and the University Directory and uses triggers to remind the systems to update user information and access.
“The ideal is when someone arrives on campus, they would automatically be given access to do their job or take classes,” Copeland said. “But soon after they left, those things would be removed that they should no longer have access to.”