Identity and Access Management: IST Retreat 2008
WATIAM Basic Timeline
• Licence, agreement, SOW, initial training, scope (Jun-Sep 07)
• Requirements phase (Oct-Nov 07)
• Design phase (Dec-Jan 08)
• Development, test, prototype infrastructure (Jan 08)
• Build phase (Mar-May 08)
• Production environment (Jun 08)
• Acceptance testing (Jul-Aug 08 TBD)
• Go-live (Aug-Oct 08 TBD)
Phase I Scope
UWdir (“ego”) replacement, redesign and enhancements:
• interfaces for Quest, HR, CECS, ODAA, Telephone Services
• constituencies to include faculty, staff, students, applicants, employers, alumni, guests, etc.
• provisioning for identity and accounts in IDM to ADS, file shares and user profiles, Unix
• delegated administration (e.g., reports and monitoring, sponsored accounts)
• extracts for Faculties (e.g., email loads, class provisioning)
• white pages
• deprovisioning services (e.g., in-use data in expiry)
• self-service (e.g., registration, password changes, key data element synchronization)
• SOAP/XML service layer for CECS Special Projects
• Blackbaud NetCommunity support for ODAA
UWdir versus WATIAM
• Workflow (automated creates and deletes, identity merges, workflow for changes)
• Real-Time Connectors (HR, Quest)
• Policy Review (initial cleanup)
• New Constituencies (employers, alumni)
• Department Coding (cleanup of codes, labels)
• CSO/PH Removal
• Virtual Identity (multiple roles and extended information)
• Extended Group and Role Information (ADS/bang accounts)
• SOAP/XML Services Layer
• Self-Service (email synchronization, challenge questions)
• JobMine / E-Community Authentication Removal
• Account Reconciliation / Verification
• Technical Stack (Oracle, Java, XML/Express, SUN/JES)
• Authoritative Sources (new definition)
Current Status
• Iterative Builds (latest)
  i. Provisioning (ADS, Unix)
  ii. OpenLDAP (online inquiry)
  iii. HR, Quest, TS connectors
  iv. User self-service
  v. Delegated admin and privileged access
  vi. Life Cycle (create user, update, delete), Precedence and Matching rules
• Work Pending
  i. Extract files (Faculty, HR, etc.)
  ii. CECS & ODAA interface
  iii. New hardware
Good, Bad, Ugly
… lessons learned, challenges, …
• resource changes
• training course availability
• “virtual” concept
• leading edge (evolving product)
• initial scoping exercise and terminology
• consultants and tools
• proof of concept value
• toolkit (Express, workflow)
Other Project Activities
• Audit (de/provisioning, account reconciliation, technical stack, security)
• Hardware (T5520s)
• Training
• Web Site: http://www.adm.uwaterloo.ca/infoidm/
SUN User Group
• 1st Canadian meeting – Toronto May 2008
Presentations / Topics Examples
• Bell (36 HR systems, contractors)
• WSIB (version control, upgrade cycles)
User Group Themes / Tidbits
I. Go slowly
II. Lots of discussion around Federation
III. Not much “out of the box” (lots of configuration)
IV. Common pitfalls (trying to get all the roles, going it alone, clean data)
V. OpenID initiative (self-managed ID)
VI. ERP
Product Roadmap
We have release 7.1
Release 8.0 (Summer 2008)
• Role manager
Release 9.0 (TBD 2010)
• Decoupled connectors
• Open source
Full Suite (Access/Fed, ID Mgr, Directory Serv, Open SSO, Role Mgr, Open DS)
Peer (SUN) Institutions
• Western (business analysis June 2007 to present)
• Guelph (postponed due to CIO re-org, reinitiation imminent)
• Queens (initial focus on staff/faculty, student work beginning)
Phase II
• Access Manager (web authentication, SSO)
• Federation (edupass, TUG, BBNC)
• Faculty Provisioning
More Phase II
• Quest post-upgrade (real-time)
• Synch-back (accounts and data for HR, Quest, Telephone)
• MS Exchange (provisioning)
• Continuing Ed (campus view)
• Enhanced matching (address, etc.)
Links
http://www.adm.uwaterloo.ca/infoidm/
http://www.sun.com/software/products/identity/index.jsp