Project Plan
OneIT – Identity and Access Management – Sub-Plan 3 Page 1 of 5
Details
Project Name: OneIT – Identity and Access Management Sub 3: Iowa Domain Credential Management
Project Team Leads: Mike Noel, Brandon Mills, Jordan O’Konek
Project Manager: Kris Halter
TeamDynamix Project Number: 241151
Project Overview (What is going to be accomplished)
The purpose of this IAM subproject is to enhance, extend, and streamline the Iowa Domain Credential Management capabilities. It includes three main components:
1. Extend IAM to support UNIX systems including Active Directory, administrative tools and processes.
2. Implement Active Directory-Oracle password synchronization.
3. Simplify and automate HawkID and Service ID management.
Unix System AD Iowa Domain Support
The campus Active Directory forest’s Iowa domain serves as the engine for enterprise authentication (HawkIDs). It is primarily used as a secure environment for Windows servers, PCs, and Macintosh computers. This project extends the Active Directory infrastructure and data management processes to support Unix systems (servers and workstations) by adding the Unix-related attributes that govern login security and file-system permissions.
• Unix systems will be able to authenticate and authorize users against the Iowa Domain HawkIDs.
• Unix systems will be able to leverage the automated enterprise provisioning/de-provisioning of HawkIDs, group membership and other attributes in AD to improve account management throughout the account life cycle.
• The administrative layer required for each Unix system will be greatly reduced.
Currently, each Unix administrator must manually assign their own UID and GID values. These values underpin the security of the file systems, since ownership and permission checks are based on them. Because the assignment of these values is not coordinated across campus, files cannot easily be shared across Unix systems. The enterprise solution is to use the Iowa domain as the authoritative source for UID, GID and other key attributes used by the Unix systems. Aligning the Unix systems with enterprise identity management will allow automatic provisioning/de-provisioning of accounts and tighter login controls. It is expected that ~2000 Unix systems from CLAS, Engineering, ITS, and Research Labs will take advantage of the Unix/AD integration. In addition, Unix IDs and attributes will be made available for management of Unix systems in the healthcare domain. Legacy processes to manage HawkIDs and service-related groups are largely based on batch processes and scripts. The AD Unix integration requires more real-time and responsive processes. An important part of this sub-project component is the development of a new Active Directory Credential Management Engine (ADME) for provisioning/de-provisioning. ADME is critical to the core identity and access management architecture and replaces multiple legacy scripts and processes.
Active Directory-Oracle Password Synchronization
The Microsoft Identity Manager (MIM) product includes the Password Change Notification Service (PCNS), which synchronizes user password changes across multiple identity stores. In this component of the sub-project, PCNS will be deployed to synchronize Active Directory HawkID passwords for selected Oracle user and administrator accounts. This greatly simplifies the login process for those users and allows Active Directory to manage more of the identity lifecycle. This component depends on the implementation of a version of MIM PCNS that is supported with the domain controllers in the UIOWA forest (Windows 2012 R2).
Simplify and Automate HawkID and Service ID Management
HawkID Management
HawkIDs for students, alumni, retirees, and terminated employee populations are collected and managed programmatically. HawkIDs for current employees are currently managed differently and require manual administrator intervention as they are moved through a series of OU locations. The first component of this project is to automate and simplify the management of employee IDs in and out of the administrative unit OU. ITAdmins will no longer have to move each HawkID from ou=inbound to ou=users to ou=outbound. This model has been successfully piloted with these units: CLAS, Graduate College, and UI Healthcare. It will be phased in to all orgs, with Housing being next. The new process allows ITAdmins to continue to manage local access assignments through group memberships. Automating the HawkID administrative unit OU process and flattening the OU structure will provide the following improvements:
• Reduction in ITAdmins’ support effort in moving HawkIDs inside ~600 org- and departmental-level OUs.
• Better management of the identity lifecycle, especially de-provisioning at termination, reducing institutional risk and audit concerns.
A potential second, follow-on phase of this sub-project component would be to enhance the employee provisioning process into a central OU, similar to how students, retirees, and other managed groups are administered. Employee HawkIDs could be automatically provisioned into the employee OU, and ITAdmins would continue to manage account access through local group membership. Improvements gained in this follow-on phase include:
• Further simplifying and standardizing the HawkID provisioning process
• Eliminating the special handling required for persons with multiple appointments
• Removing fragile legacy provisioning scripts
Service ID Management
Extend the centralized account management process and tools to service IDs so that all account creation is managed through a single set of tools. Currently ITAdmins are given elevated rights to create local service IDs through the Microsoft AD administrative tools. Auditors have noted this as a risk in several audits. If both HawkIDs and service IDs are managed through the same process and underlying tool, the process can be simplified, made more secure, and enhanced to ensure that the integrity of HawkIDs is maintained.
The new account management process requires extending the existing DNA Tools to allow for ITAdmins to create service IDs.
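The Unix/AD component above rests on one observation: when each Unix administrator assigns UID and GID values independently, the same number can mean different people on different hosts, and the same person can carry different numbers, so file ownership stops being meaningful across systems. The following added example (not part of the plan or of any University of Iowa tooling) audits /etc/passwd snapshots from several hosts for exactly those two conditions and then compares each host against an authoritative uidNumber/gidNumber mapping of the kind the Iowa domain would serve once it is the source of truth. All host names, usernames and numbers are constructed, and the directory export is an assumed stand-in for an AD query.

```python
"""Audit local Unix account data against an authoritative directory.

Added example: constructed /etc/passwd snapshots from three hosts plus a
small constructed directory export standing in for AD uidNumber/gidNumber.
"""
from collections import defaultdict

# Constructed sample: passwd lines as collected from independently managed hosts.
PASSWD_SNAPSHOTS = {
    "lab-a": """root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
asmith:x:1002:1002:Al Smith:/home/asmith:/bin/bash
""",
    "lab-b": """root:x:0:0:root:/root:/bin/bash
asmith:x:1001:1001:Al Smith:/home/asmith:/bin/bash
jdoe:x:1003:1003:Jane Doe:/home/jdoe:/bin/bash
""",
    "research-1": """root:x:0:0:root:/root:/bin/bash
jdoe:x:2001:2001:Jane Doe:/home/jdoe:/bin/bash
""",
}

# Constructed stand-in for the enterprise directory: the (uidNumber, gidNumber)
# that AD would serve per HawkID once it is the authoritative source.
DIRECTORY = {
    "jdoe": (2001, 2001),
    "asmith": (2002, 2002),
}


def parse_passwd(text):
    """Return {username: (uid, gid)} from passwd-format text; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts


def find_uid_collisions(snapshots, min_uid=1000):
    """UIDs that name different users on different hosts: {uid: [users]}.

    A file owned by UID 1001 on lab-a belongs to jdoe there but to asmith on
    lab-b, so a filesystem shared between them silently grants cross access.
    System accounts below min_uid are ignored.
    """
    owners = defaultdict(set)
    for text in snapshots.values():
        for user, (uid, _gid) in parse_passwd(text).items():
            if uid >= min_uid:
                owners[uid].add(user)
    return {uid: sorted(users) for uid, users in owners.items() if len(users) > 1}


def find_uid_drift(snapshots, min_uid=1000):
    """Users whose UID differs from host to host: {user: {host: uid}}."""
    per_user = defaultdict(dict)
    for host, text in snapshots.items():
        for user, (uid, _gid) in parse_passwd(text).items():
            if uid >= min_uid:
                per_user[user][host] = uid
    return {u: h for u, h in per_user.items() if len(set(h.values())) > 1}


def hosts_out_of_sync(snapshots, directory):
    """Hosts whose local (uid, gid) disagree with the authoritative directory.

    Returns {host: {user: (local, authoritative)}}. Users absent from the
    directory (e.g. root) are not checked.
    """
    report = {}
    for host, text in snapshots.items():
        mismatches = {}
        for user, local in parse_passwd(text).items():
            expected = directory.get(user)
            if expected is not None and local != expected:
                mismatches[user] = (local, expected)
        if mismatches:
            report[host] = mismatches
    return report


if __name__ == "__main__":
    print("UID collisions:", find_uid_collisions(PASSWD_SNAPSHOTS))
    print("UID drift:", find_uid_drift(PASSWD_SNAPSHOTS))
    print("Hosts out of sync:", hosts_out_of_sync(PASSWD_SNAPSHOTS, DIRECTORY))
```

On the constructed data, UID 1001 is jdoe on lab-a and asmith on lab-b, both users carry different UIDs per host, and only research-1 already agrees with the directory. The same three checks, fed real snapshots and a real directory export, give a migration team a per-host list of accounts that must be renumbered before a host can be pointed at the domain for UID/GID.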
Project Staffing (Who will perform the work)
Unix System AD Iowa Domain Support
Team Member | Role, Skill Set | Estimated Time Commitment (hrs)
Mike Noel | Project Leader | 20
Jordan O’Konek | Project Leader, Developer | 100
Brandon Mills | Project Leader | 20
Kris Halter | Project Manager | 20
ITS-AIS-DNA (DW) | System Administrator | 80
ITS-AIS-DNA (DK) | Developer | 80
ILUG | System Administrators | 100
Total | | 420
Active Directory-Oracle Password Synchronization
Team Member | Role, Skill Set | Estimated Time Commitment (hrs)
Mike Noel | Project Leader | 20
Jordan O’Konek | Project Leader, Developer | 20
Brandon Mills | Project Leader | 20
Kris Halter | Project Manager | 20
ITS-AIS-DNA (JK) | System Administrator | 80
ITS-AIS-DNA (DK) | Developer | 120
ITS-AIS-IDDM | Database Administrator/Architect | 100
ITS-SST | System Administrator | 50
Total | | 430
Simplify and Automate HawkID and Service ID Management
Team Member | Role, Skill Set | Estimated Time Commitment (hrs)
Mike Noel | Project Leader | 20
Jordan O’Konek | Project Leader, Developer | 100
Brandon Mills | Project Leader | 20
Kris Halter | Project Manager | 20
ITS-AIS-DNA (DW) | System Administrator | 80
ITS-AIS-DNA (DK) | Developer | 80
ITAdmins | System Administrators | 1000
Total | | 1320
Project Schedule (When will the work be started/completed)
Milestone | Target | Status
Extend IAM to support UNIX systems including Active Directory, administrative tools and processes. | 10/31/2015 | WIP
Implement Active Directory-Oracle password synchronization. | 1/2017 |
Simplify and automate HawkID and Service ID management. | 1/2017 | WIP
Project Budget
The only project budget item identified at this time is the actual implementation effort: 2,170 hrs, or $141,050.
Milestone | Effort (hrs) | Cost
Extend IAM to support UNIX systems including Active Directory, administrative tools and processes. | 420 | $27,300
Implement Active Directory-Oracle password synchronization. | 430 | $27,950
Simplify and automate HawkID and Service ID management. | 1320 | $85,800
Total | 2,170 | $141,050
Projected Savings from Credential Management Efficiencies
a. Staff time: 25% FTE @ $65/hr = $33,800/yr
Change Control Plan (What is the process for managing change)
Substantial changes to project scope will be brought to the OneIT Steering Committee for evaluation and resolution.
Communications Plan (How will information be communicated)
Target Audience | Primary Contact | Communication Mechanism | Frequency | Purpose/Description of Communication | Author/Owner
OneIT Steering Committee | Program Office | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
Project Team | Kris Halter | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
OneIT Leaders | Chris Clark | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
Individual Customers | Project Manager and Leaders | Email, meeting discussion | Monthly, ad hoc as needed | Determine and validate business rules |
ITAdmins | Jessica Church | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
ILUG | JJ Urich / Hugh Brown | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
ITS-AIS-IDDM | Workgroup Leader | Email, meeting discussion | Monthly, ad hoc as needed | Updates on project, feedback |
Risk Management Plan
Risk Number | Risk Description | Likelihood (H,M,L) | Impact (H,M,L) | Mitigation Strategy
1 | Retaining existing ILUG LDAP servers | M | L | Work with ILUG leadership
2 | MIM implementation stability and PCNS implementation issues | M | M | Alternative password sync solution
3 | Adoption of employee auto-provisioning | M | M | Work with ADEAs to influence IT Admins. Involve internal auditors
4 | Adoption of Service ID management | M | M | Work with ADEAs to influence IT Admins. Involve internal auditors
Issue Tracking and Resolution Plan
Issues will be tracked, and their resolutions captured, on the IAM SharePoint site.
Metrics / Key Performance Indicators
• Number of Unix systems that are managed by AD.
• Number of Oracle accounts synchronized with AD.
• Number of employee HawkIDs that are automatically moved.
• Number of service IDs leveraging the new management process.
☐ Project Plan Approval Date MM/DD/YY