University of Northern Colorado
Identity Lifecycle Management
CHECO, 9-22-2010
What is ILM?
- ILM is a management system that provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials.
- It can create and delete accounts in Active Directory.
- It can populate data in a number of databases.
- It can sync passwords and other information between accounts on different systems.
- It uses code (Visual Basic or C#) and a user interface to manage the flow of data between systems.
The Problem
- It takes an entire day for an account to become fully propagated to all of our systems.
- The current process has multiple points of failure.
- Name changes are manual.
- The process is hard to monitor, and issues are hard to identify.
- Complex solutions are hard to document.
How do we use it? Management of Student Email Accounts
- ILM creates student mailboxes at our hosted email solution (Live@edu) based on information pulled from AD and Banner.
- We use a Microsoft password sync utility incorporated with ILM to sync passwords from AD to Outlook Live.
Diagram (Banner, ILM, Live@edu, AD, Password Sync):
- Create the mailbox if needed and sync the password from AD.
- Read account info from both locations to ensure the data is valid.
- Use code and rules to decide if a mailbox exists.
How do we use it? Management of Faculty/Staff Phone Numbers
- ILM populates phone numbers in AD from information pulled from the employee records in Banner.
- We use code in ILM to put the phone numbers in dialable format on the IP phone systems.
Diagram (Banner, AD Phone Number, ILM, AD):
- Use code to decide what phone number to populate.
- Get the phone number in dialable format.
- Read account info from both locations.
- Populate the phone number in AD.
Roadblocks and Solutions
Roadblock               | Solution
Banner data performance | Delta table design
Formatting              | Used code
Use of the data         | Change identifiers
Scope creep             | Implement original goals and queue the requests in order of their priority
What are our ILM goals?
- To have ILM create, manage, and clean up accounts automatically from one source.
- To manage the account "Lifecycle" automatically from start to finish.
- To have one source of data that acts as the "parent" data: information can be changed there and it will propagate to all locations.
Diagram (Banner, ILM, AD): simple linear flow.
Student Account Management
- Read university student data and create AD accounts and Live@edu mailboxes automatically.
Diagram (Banner Student Data, ILM, Non-Banner Database, AD, Live@edu):
- Read student data into ILM.
- Provision accounts to both AD and Outlook Live.
- Update account information or deprovision accounts if needed.
- Password sync.
- ILM decides if it needs to create an AD account or mailbox based on the data it pulled from AD and Outlook Live.
Employee Account Management
- Read university employee data and create AD accounts and Exchange mailboxes automatically.
- Populate desired fields and manage permissions and location in AD.
Diagram (Banner Employee Data, ILM, Non-Banner Database, AD, Exchange 2010):
- Read faculty data into ILM.
- Provision accounts to both AD and Exchange.
- Update account information, move account OUs, join or remove accounts from groups, or deprovision accounts if needed.
- ILM decides if it needs to create an AD account or mailbox based on the data it pulled from AD and Exchange.
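The phone-number formatting on the Faculty/Staff slide and the provision/update/deprovision decision on the Student and Employee slides are only diagram callouts. The Python below is an added example, not code from the UNC deck or from ILM itself (whose rules extensions are written in VB or C#): it models that decision logic with Banner as the single authoritative source, so AD and the mailbox are always reconciled to Banner and a deprovisioned person is never re-created. The record layouts, the "+1" dial format and the action names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class BannerPerson:  # authoritative ("parent") Banner record, constructed layout
    banner_id: str
    first: str
    last: str
    active: bool
    phone: Optional[str] = None

@dataclass
class AdAccount:  # what AD currently holds for the same person, constructed layout
    banner_id: str
    display_name: str
    phone: str = ""
    enabled: bool = True

def dialable(raw: Optional[str]) -> str:
    """Normalise a Banner phone field to a dial string for the IP phones.
    Assumed format: +1 plus ten digits; anything else is rejected so bad data never reaches AD."""
    digits = "".join(ch for ch in (raw or "") if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return "+1" + digits if len(digits) == 10 else ""

def plan_actions(person: BannerPerson, ad: Optional[AdAccount], has_mailbox: bool) -> list:
    """Decide what ILM should do for one person; Banner alone decides, AD and mail follow."""
    actions = []
    if not person.active:
        # Leaver: disable and deprovision, and never create anything new.
        if ad is not None and ad.enabled:
            actions.append("disable_ad")
        if has_mailbox:
            actions.append("deprovision_mailbox")
        return actions
    if ad is None:
        actions.append("create_ad")
    else:
        if not ad.enabled:
            actions.append("enable_ad")      # rehire or returning student
        if ad.display_name != f"{person.first} {person.last}":
            actions.append("rename_ad")      # name changes flow automatically, no manual step
        phone = dialable(person.phone)
        if phone and ad.phone != phone:
            actions.append("update_phone")
    if not has_mailbox:
        actions.append("create_mailbox")
    return actions
```

Logging the returned action list per run gives the monitoring the "Problem" slide asks for: a sudden spike in disable or deprovision actions is the signal that a bad Banner extract is about to propagate.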
Challenges Ahead
Banner:
- Implement database triggers
- Create an email alias identifier
ILM:
- Use the full clone test environment
- Use code to manage business rules
- CRM / Luminis integration
Active Directory:
- Redesign structure to match Banner's layout
Collaboration!
How did we do it?
- We worked with Microsoft and Oxford Computer Group to get the initial setup correct.
- ILM training from SQLsoft.
- Trial and error on our test environment.
Contact Information
- CJ Mizner - cj.mizner@unco.edu
- Zachary Vorwaller - zachary.vorwaller@unco.edu
- Matt Krause - matt.krause@unco.edu
Helpful Links
- http://www.oxfordcomputergroup.com/
- http://social.technet.microsoft.com/Forums/en-US/identitylifecyclemanager/threads/
- http://technet.microsoft.com/en-us/library/cc720598(WS.10).aspx
- http://outlookliveanswers.com/