Electronic Administration and Services
Integrating Identities
Identity management in a confederacy of independent systems
Dr. Christoph Wall
Identity Management at FU Berlin, June 2009
Personal Identity Attributes
Age: Between 21 and 65
Kids: 2
Nationality: German
City of Residence: Berlin
Institutional Background
Professional Allocation
The confederacy of independent systems
[Diagram labels: HR, SLcM, HIS, MyVV, Blackboard, FU Portal, Intranet, Aleph, SOC, MyFU, FI, SAP Web, PublikationsDB, ProfilDB, Portal, eSA, Helpline, IT-V DB, VoIP, BSCW]
Issues of the confederacy
- Distributed user administration
- Multiple identities (many users per person)
- Several passwords
- Different password policies
- Distributed authorization
Resulting Problems
Unnecessarily large workload
- User administration needed for each application
- 40–60% of helpdesk work is user account related
Resulting Problems
Data security risks
- No central rights accounting
- Critical combination of rights goes undetected
Resulting Problems
IT safety risks
- No central user tracking for create/modify/delete
- Ex-employees might still have access to systems (21% of malicious intrusions committed by ex-employees)
The solution: Integrating identities with FUDIS
[Diagram labels: FUDIS, HR, SLcM, HIS, MyVV, FU Portal, SOC, Aleph, Intranet, Blackboard, MyFU, SAP Web, FI, PublikationsDB, ProfilDB, Portal, eSA, Helpline, IT-V DB, VoIP, BSCW]
User Lifecycle Management
[Diagram label: modify]
Create (Onboarding)
[Diagram labels: CUA, SLcM, HIS, HR, FUDIS (FU Account), Employees, User, Ext. Teachers, personnel data, SOC, Departments, Students, Business Partner, Student User, FI, SAP Web, Intranet]
Create (Authorization)
[Diagram labels: CUA, SLcM, HR, FUDIS (FU Account), Employees, User, Ext. Teachers, personnel data, SOC, Role, Roles, Students, Business Partner, Student User, FI, SAP Web, Intranet, Administration, Departments, SAP Administration]
Status Quo
Gains:
- Personnel data lead to automatic creation of unique FUDIS identity
- Teachers are automatically created as SLcM teaching staff users
- Students are automatically created as SLcM student users
Disadvantages:
- Employees have to be created as ERP users manually
- Departments and administration cannot administer their own users
- SAP administration is a 'bottleneck' to onboarding and modification
User Lifecycle Management
[Diagram label: modify]
Delete / deactivate
[Diagram labels: CUA, SLcM, HR, FUDIS (FU Account), Employees, User, Ext. Teachers, personnel data, Departments, Students, Business Partner, Student User, FI, SAP Web, SAP Administration, HIS]
Status Quo
Issues:
- Administrators face extra work because users have to be deleted/deactivated manually
- Severe time gap between cessation of contract and lockout from the system results in:
  - Financial loss through unused licenses
  - Security risk through unaccounted-for system access
User Lifecycle Management with SAP IdM
[Diagram label: modify]
Create (Onboarding / Authorization)
[Diagram labels: IdM, SLcM, HIS, HR, FUDIS (FU Account), Employees, User, Ext. Teachers, personnel data, Role, Roles, Administration, Students, Business Partner, Student User, FI, SAP Web, Departments]
User Lifecycle Management
[Diagram label: modify]
Delete (deactivate)
[Diagram labels: IdM, SLcM, HR, FUDIS (FU Account), Employees, User, Ext. Teachers, personnel data, Exmatriculation, Students, Business Partner, Student User, FI, SAP Web]
Project benefits
- IdM technology is to be supported by SAP in the future (CUA is not developed any further and will run out of support)
- Interfaces come with IdM and have to be configured, not built
- Employees with ERP users are part of automatic onboarding
- Roles can be administered decentrally by departments and administration
- Cessation of an employee's contract leads to automatic lockout from SAP systems, same as exmatriculation for student users
Integrated Identity Management helps to:
- Reduce risks
- Reduce costs
- Reduce workload
Electronic Administration and Services
Transparency and Efficiency for Excellence