PSJA AUTOMATION WORKFLOW AND LESSONS LEARNED Management of Information Systems Information Technology
Why do we need Identity Management? Today, every change in employee status requires involvement by IT. New hires need access to be granted to the data and apps they need to do their jobs. Separations require access revocation and security changes. Job moves mean shifting status and access changes from one group to another.
Why do we need Identity Management? Identity management solutions help shift that responsibility away from IT. These solutions often place employee status changes back in the hands of those tied most closely to them — HR and sometimes even the employees themselves. Additionally, it provides tighter security and access control measures over the daily tasks of employees.
P S J A PSJA AT A GLANCE 5000 staff 43 campuses/ Support Sites 32,000 students 5000 staff 43 campuses/ Support Sites Micrsoft Active Directory/Office 365 Google
PROBLEMS AND INCONSISTENCIES PSJA CREDENTIALS INFORMAL PROCESS MULTIPLE SOURCES MULTIPLE BATCH IMPORTS LENGTHY PROCESS NOT REAL TIME (MANUAL PROCESS) INEFFICIENT USE TIME
AUTOMATION SOFTWARE CHOICES 2010 & 2012 NOVELL Microsoft Active Directory Servers 1 – DSS server (automation) 2 – ARMS server group mgmt & password 1 – Database server Microsoft Active Directory Server breakdown 1 – App server (automation) 2 – web front ends group mgmt 1 – SQL Database server Azure Active Directory Premium for self service password (staff & students) 2018
VERSION 1 & 2 OF THE MATRIX 2010 – Version 1 (NOVELL) Identity Automation software Used primarily with our Novell tree 2012 – Version 2 (AD & STUDENT EMAILS) Upgraded and improved logic with Identity Automation Created all accounts in Microsoft Active Directory tree Live@Edu fully automated for student accounts Staff accounts remained on-premise
OLD LOGIC AND NEW DEMANDS 2018 – Version 3 Philosophy and needs had changed since 2012 Outgrew old logic…no longer made sense Powershell scripts were running 40% of the process to meet our demands Migration of on-premise accounts to the cloud broke existing logic (Exchange accounts) Single sign on (SSO) to internal systems created instant demand for end users
What is Microsoft Identity Manager? Microsoft Identity Manager is a tool that… Helps you manage the users, credentials, policies, and access within your organization. Additionally, MIM 2016 adds a hybrid experience, privileged access management capabilities, and support for new platforms.
What does Microsoft Identity Manager do? Fundamentally MIM synchronizes identity data between various systems. It’s very flexible in what it can connect to (like Active Directory, other directories, HR systems, ERP systems, email systems etc.), and what objects it synchronizes (always users, often groups, and maybe roles, permissions, computers etc.). It can provision and de-provision, enable and disable, move, and generally synchronize all types of attributes – even passwords (though passwords are not handled like other attributes – being propagated in real time, while regular attributes are synchronized on a schedule).
GENERAL WORK FLOW - STAFF HR Employee hired (professionals, clerks, Name, Job code, Building, Status AD OU location Sub containers Permissions O365 Account sync (Azure AD Connect) License Activation based on group membership Global groups for email SIS Teacher info (First name, Last Name) Building
GENERAL WORK FLOW - STUDENT SIS Student enrolls Name, Grade, Building, Status AD OU location Sub containers O365 Account sync License Activation Global groups for email
CONTROL POINT IS WITH HUMAN RESOURCES EMPLOYEE HIRED NAME LOGIC JOB CODE BUILDING STATUS PASSWORD LOGIC PLACED IN ACTIVE DIRECTORY PERMISSIONS GRANTED Group Membership on AD Attributes Account is Active Single Sign On Ready
ONE USERNAME AND PASSWORD TO RULE THEM ALL PSJA CREDENTIALS TEACHER ACCESS CENTER EMPLOYEE ACCESS CENTER WEB RESOURCES STUDENT INFO SYSTEM INTRANET SHAREPOINT OFFICE 365 EMAIL And MANY MORE…
Deprovision and Account – Staff member EMPLOYEE RETIRES REMOVED FROM CAMPUS OU REMOVED FROM GROUP MEMBERSHIP ACCOUNT BECOMES DISABLED PLACED IN FINAL PAY LOCATION DELETED AFTER 180 DAYS
Deprovision Account - Student STUDENT GRADUATES REMOVED FROM CAMPUS OU REMOVED FROM GROUP MEMBERSHIP ACCOUNT BECOMES REMAINS ACTIVE FOR 2 YEARS DELETED AFTER 180 DAYS (AFTER 2 YEARS)
LESSONS LEARNED Where does your information live? eSchool (students) eFinance (staff) GIGO – Garbage In, Garbage Out Flowcharts of what you want done Complete life-cycle Understanding your organization procedures Who? What? How? Why? Working with others to facilitate the needed changes Change is hard for organizations/departments
LESSONS LEARNED…..continued Name logic was difficult to include everyone De la Garza, double last names, nick names, etc. Promotions, titles, pictures & renames – O my! Time sensitive and controlled at HR without notice Constant troubleshooting at the beginning Where did it break, what broke it Document your processes and procedures Handling all of the special exceptions Sometimes automation can’t fix everything
How much time would that take? Coordination and Communication Budget $$$ How many individuals would it take to keep up with all data input and changes in the different systems? 2? 3? Or more… What would that cost? How much time would that take? Coordination and Communication