Leading an Effort to Define Roles: A “Tripod” View of IAM


Upload: trevor-daniel

Post on 27-Dec-2015


I AM

• Assistant Controller
• Assistant Treasurer
• Budget Administrator
• Purchasing Card Administrator
• Purchasing Card Reconciler
• Employee
• Alum – Liberal Arts
• Alum – Smeal College of Business
• Conference Attendee
• Workflow “Mother” of all Roles
• DONOR
• Chair Residency Appeals
• Member WPSU
• Thespian Alumni Interest Group

I AM

• Director of Information Systems, Auxiliary & Business Services
• Supervisor
• Budget Administrator
• Director in Finance & Business
• Employee
• Alum – Health & Human Development
• Parent of a freshman (tuition payer!)

I AM

• Senior Systems Engineer
• Budget Administrator
• Director/Manager
• Team Leader in ITS Emerging Technologies Group
• Employee
• Parent of an alum
• DONOR
• Lead Architect
• Member of Nittany Lion Club
• Co-Chair InCommon Technical Advisory Committee

I AM

dmm4
9-0000-0003
211-00-0000
602068 2098752890
[email protected]

jlw2
9-0000-0001
466-00-9999
602068 1234567890
[email protected]

prs4
9-0000-0002
962-00-1212
602068 39765112309
[email protected]

I AM THE WALRUS

GOO, GOO, G’JOOB

Historical Perspective

Electronic Approval since 1988
• Approval Paths
• Based on individual – dmm4
• Financial and HR Processes Only
• Route based on mnemonics

Implementing Role-Based Workflow
• Standard workflow for process
• Authorization through roles and related attributes

IAM at Penn State

Identity & Access Management Road Map

Co-Chaired by Renee Shuey & Joel Weidner

Sub-Groups:
• Policy and Governance
• Risk Assessment
• Vetting, Proofing and Registration Authorities
• Life Cycle and Affiliations
• Levels of Assurance

Report being presented next week


Policy

HOW CAN WE FOCUS THE IAM LENS?

Governance
• Coordination and collaboration
• Three-level structure proposed at Penn State

Policy
• Comprehensive Overarching Policy
• Standards vs. best practices vs. objectives
• Audience beyond organization

Policy

CHALLENGES: Organizational Issues
• Workflow driving roles but broader use being implemented
• Department Identity
• Financial Organization is not representative of rest of the organization
• Cultural Change
• Communication/Cooperation

Cross-Organization Collaboration

Policy

CHALLENGES: Roles
• Creation of roles that work in multiple systems
• Roles – access and security
• Role versus Position versus Affiliation

Can we use the term “roles” in academic processes?

Policy

CHALLENGES: Role Stewardship
• Attributes define access and authority
• Who determines?
• Some attributes are unique to individual – User ID
• Other attributes relate to process
• Privileges that are inherent in position
• Role of President, Provost, Dean
• Delegates and Proxies
• Some roles can be automated
• Principal Investigator – drive from account set-up

Policy

CHALLENGES

Role Steward
• Defines roles used in various processes

Role Assigner
• Authority to grant access to role
• May also require workflow approval
• Person in role may have authority to grant access to delegates and proxies

Policy

CHALLENGES: Relationship of IAM to Other Issues
• Privacy
• Information Security
• Data Classification
• Workflow
• List Serve Management

Policy

Who will be your Role Stewards?

or as Jimmy V says “Muddah” of All Roles


Focus on Business Processes

Three Different Lenses
• The Customer or Consumer of online resources
• The Application/Resource Provider
• The Administrator

Focus on Business Processes

The Customer Lens – the consumer

“Don’t care how; I want it NOW!”

• Driving the development of online services
• Bringing expectations from commercial experiences
• Want it now
• Demand simplicity
• Want it pushed

Focus on Business Processes

Customer Challenges
• Don’t care about roles—only know what they want to do
• How can intelligence be embedded into the business processes to simplify the customer experience?
• How can we integrate existing business processes (admissions, hiring, registration) with the automated updating of roles?

Focus on Business Processes

Resource/Application Provider
• Charged with providing online services to the university community
• Admission applications, housing contracts, meal plans, class resources, procurement, parking permits, online testing …
• Need to efficiently place user in a context and role to execute the transaction
• May require both user and approver roles

Focus on Business Processes

Resource/Application Provider Challenges
• Dynamic environment where individuals are moving in and out of roles daily
• Reconciliation of a single identity with multiple roles
• In what role is the customer acting today--or for this particular application?

Focus on Business Processes

The Administrator Lens – The business of managing the business
• Ensuring that policy is being followed
• Oversight for fiscal responsibility
• Oversight for academic integrity

Focus on Business Processes

Administrator Challenges
• Responsible for role management
• Knowing “who’s on first”
• Keeping the business running
• Proxies and delegates
• Audits & controls
• Reconstruction of business transactions
• Encouraging people to “do the right thing”


Technology

A mechanism must be provided for:
• Assignment and management of roles.
• Establishment of new roles and attributes.
• Assignment of authority

Technology

Develop a Schema with “Agility Ability”
• Meets both needs of Today and Unknown of Tomorrow
• Necessary & Challenging

Technology

• Identify Champions
• Provide Education & Training


Questions, Comments, and Farewell

Debbie Meder, [email protected]

Joel Weidner, [email protected]

Renee Shuey, [email protected]

Don’t Forget!