IAMUCLA The UCLA Enterprise Messaging User Group Meeting March 13, 2008.

What is IAMUCLA?
Identity & Access UCLA
- Who wants to access a resource? (Authentication)
- Does the person have permission? (Authorization)

Before IAMUCLA
Applications shown: Departmental Intranet, URSA, Class Web Sites, Discussions, Service Requests, Budgeting, Research Proposal Tracking ... and others
- User logs into each application separately using different logon IDs
- Permissions managed separately in individual applications
- Applications kept separate user identity data

Phase I: Identity and Authentication
- Campus-wide Credential: UCLA Logon
- Enterprise Directory: consolidated repository for person identity data; supports authentication and authorization decisions
- Web Single Sign-On: ISIS today; Shibboleth is the future
- Unified Directory Data: Official Address

IAMUCLA Architecture, Take One
- ISIS/Shibboleth: Web Single Sign-On; user logs in using UCLA Logon ID
- Enterprise Directory (ED) supplies user identity data to URSA, RATS, MyUCLA, Travel Express, Financial Web Reports and many other web apps
- Permissions still managed separately in individual applications

Credentialing (diagram: logon.ucla.edu; student, employee, visitors and affiliates; URSA; UID, SIS, PPS)
- ED receives initial identity data for UCLA members from the mainframe (near real time)
- Student is prompted to create a UCLA Logon during SIR
- Employee uses the self-provisioning tool to create a logon ID once she becomes an employee
- Visitor also uses the same self-provisioning tool to create a low level of assurance "guest" account
- Account creations are verified against ED identity data; created accounts are written to ED in real time

Over 200 Web Apps Use ISIS
URSA, MyUCLA, MyHousing, RATS (Animal Protocols), Effort Reporting System, OFSR, Web Merits, CBIG, DAT, BruinCard, CCLE, UCLA Jobs: PeopleAdmin, Counselor Desktop, CLICC Laptop Checkout, Construction Mgt Database, Online TSR, Gradebook, Online Journal Entry, Transfer of Funds, ATS network account provisioning, ASUCLA Computer Store Online, MyEvents, MyFAO, ISSR Data Archives Data Delivery, CTS Directory Update System, COMIT, Duplicate W2-Forms, Non-Payroll Expenditure Adjustment, Post Audit Notification (PAN), BruinPost, Emergency Notification System, BruinBuy, Web Reports, Digital Library Programs, SEAS Online, SEAS Forwarding, Wireless Network Registry, Equipment Management, UCLA Student Calendar, UCLA Grid Portal, UCLA Library Catalog, UCLA in LA, UCLA Library Public Wiki, OID TEC Transcript System, UCLA Knowledge Base, Express TFT Intranet, Gradebook, Data Warehouse Reporting (Cognos), QDB Support and Administration, APO Dossier Action Tracking, My.CLICC, CLICC Laptop Checkouts, CTS Personnel Action Request, VoIP Self-Provisioning Administration, Wireless Network Registry, CTS ProjectTrak, Confluence, JIRA, My.DMA, ESLPE, UCLA Student Calendar, Life Sciences Dossier Web Site, Undergraduate Scholarship Application, Work-Study Job Bulletin for Employers, Summer Financial Aid Portal, Music Library: Digital Audio Reserves, Instructional Media Lab, OPRS, Psychology IT & HelpDesk Portals, Registrar's Office Service Request, Student Records Web, Registrar's Office Transcript System, UCLA Restricted Network Access Administration, UCLA ResNet DMCA Admin, STC Software Download, UCLA Sakai, Social Sciences Class Scheduler, PDP Portal, Social Sciences Subversion Browser, SSC Ticket System, Student Legal Service Case Tracking, Student Health Online Services, Transportation Services, VoIP WebDialer, RNet Web Reports, AIS Password Management Tools, COR Faculty Grants Program, Bruin Walkers, WebIRB, Schoenberg Practice Room Reservation, NowPrint – Web-based Printing On Demand, ESCRO FileShare ... and many more ...

Phase II: Permission Management
- Deploy enterprise-wide, 24x7 permissions management system
- Provide cross-campus integration for all applications
- Create custom delegation tools
- Provide support for local integration

Enterprise Permission Management Benefits
- Simplifies and standardizes: roles can be consistently established and maintained across campus
- Full auditability: who has access to what, and when
- Instantaneous ability to revoke or change at-risk access across campus
- Streamlines the provisioning workflow
- Permits more granular access and revocation
- Reduces sharing of logons and passwords

IAMUCLA Architecture
- ISIS/Shibboleth: Web Single Sign-On; user logs in using UCLA Logon ID
- Enterprise Directory (ED) delivers user identity, groups, and permissions data via Shibboleth to URSA, RATS, MyUCLA, Travel Express, Financial Web Reports and many other web apps
- Permission Management Tools manage permissions once and replicate the same permissions data to non-web systems
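The slide says the ED delivers identity, group and permission data to each web application via Shibboleth, and that the application no longer keeps its own logon table. The following is an added example (not code from UCLA or the IAMUCLA project) of what the consuming side of that looks like: a web app behind a Shibboleth Service Provider reads the attributes the SP exports, treats the presence of an SP session as authentication, and makes its authorization decision from centrally released groups and entitlements. The attribute ids (eppn, affiliation, isMemberOf, entitlement, Shib-Identity-Provider) are the SP's default attribute-map names and the SP's ';'-separated, '\;'-escaped encoding of multi-valued attributes is real; every user, IdP entityID, group and entitlement value is constructed for the example, and the "Take One" versus "Phase II" authorizers are side by side to show what the architecture change removes from the application.

```python
# Added example, not code from UCLA or the IAMUCLA project: how a web app
# behind a Shibboleth Service Provider (SP) consumes the identity, group and
# permission data the Enterprise Directory releases, keeping "who is this?"
# (authentication) apart from "may they do this?" (authorization).
#
# Shibboleth SP hands attributes to the app as environment variables (or, with
# ShibUseHeaders, as request headers).  A multi-valued attribute arrives as a
# single string, values separated by ';' with any literal ';' escaped as '\;'.
# The attribute ids (eppn, affiliation, isMemberOf, entitlement) are the SP's
# default attribute-map names; every user, IdP, group and entitlement VALUE
# below is constructed for this example.
from dataclasses import dataclass


def parse_multivalued(raw: str) -> list:
    """Split an SP multi-valued attribute string on unescaped ';'."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped separator inside a value
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(raw[i])
        i += 1
    values.append("".join(current))
    return [v for v in values if v]     # drop empties from ';;' or trailing ';'


@dataclass(frozen=True)
class Identity:
    eppn: str                 # eduPersonPrincipalName, e.g. jbruin@ucla.edu
    idp: str                  # entityID of the IdP that asserted the user
    affiliations: frozenset   # eduPersonScopedAffiliation values
    groups: frozenset         # isMemberOf values released by the ED
    entitlements: frozenset   # eduPersonEntitlement values


class NotAuthenticated(Exception):
    pass


def authenticate(env: dict) -> Identity:
    """Authentication: the SP already verified the user against the campus
    IdP; the app only checks that a session with a principal exists.  It never
    sees or stores a password (contrast the per-app logons 'Before IAMUCLA')."""
    eppn = env.get("eppn", "")
    idp = env.get("Shib-Identity-Provider", "")
    if not eppn or not idp:
        raise NotAuthenticated("no Shibboleth session for this request")
    return Identity(
        eppn=eppn,
        idp=idp,
        affiliations=frozenset(parse_multivalued(env.get("affiliation", ""))),
        groups=frozenset(parse_multivalued(env.get("isMemberOf", ""))),
        entitlements=frozenset(parse_multivalued(env.get("entitlement", ""))),
    )


# "Take One": the app still keeps its own permission list keyed by logon ID.
# Adding a reviewer or revoking one means editing this table in every app.
LOCAL_PERMISSIONS = {"jbruin@ucla.edu": {"rats:protocol:read"}}  # constructed


def authorize_take_one(ident: Identity, permission: str) -> bool:
    return permission in LOCAL_PERMISSIONS.get(ident.eppn, set())


# Phase II: the app maps centrally managed groups/entitlements to its own
# actions.  Membership is changed once in the ED and takes effect everywhere
# at the next login; the app's policy never names an individual.
POLICY = {  # group and entitlement names constructed for the example
    "rats:protocol:read": {
        "groups": {"urn:mace:ucla.edu:groups:rats-reviewers"},
        "entitlements": {"urn:mace:ucla.edu:entitlement:rats-read"},
    },
}


def authorize_phase_two(ident: Identity, permission: str) -> bool:
    rule = POLICY.get(permission)
    if rule is None:                     # unknown permission: deny by default
        return False
    return bool(ident.groups & rule["groups"]) or bool(
        ident.entitlements & rule["entitlements"]
    )
```

The one thing the application must get right is that only the SP can populate these values. With environment variables that holds by construction; with ShibUseHeaders the SP strips inbound headers of the same names, but any path that reaches the application without passing through the SP (a backend port reachable directly, a misrouted virtual host) lets a client supply its own eppn and isMemberOf, so the app should refuse to run outside the SP-protected location rather than trust headers on faith.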

At a Threshold
New applications are emerging with new and large communities of users:
- CCLE: Faculty & Students
- DAT: Faculty & Staff
- IWE: Students & Parents
- GRID: Researchers at UCLA & other campuses
- Clinical Research: Physicians & Students
- Research collaboration: Faculty & Students at UCLA and other campuses
A window of opportunity for a new way to handle permissions

Project Impacts
Strategic
- Underpins collaboration, group processes, interdisciplinary research and education, inter-industry and inter-institutional interactions
- Opens, but manages, the extension of campus resources to important associate members of the university
Compliance
- Significantly improves ability to meet audit requirements
- Better reporting on access to FERPA- and SB1386-protected data
- Reduced risk of a major security/access breach
System Lifecycle Necessity
- Critical mass of current projects represents an opportunity to integrate now

Project Impacts
Customer/User Impact
- Affects all UCLA faculty, students, staff
- Also affects parents, researchers and students at other campuses, etc.
Workload Impact
- Reduced staff time handling provisioning/de-provisioning tasks
- Self-service delegation reduces access delays, improves user experience
- Central support reduces developer overhead in projects; improves help desks' ability to solve a user problem on "first call"
Financial/Fiscal Impact
- Not implementing now forces all applications to expend resources to invent their own permission management schemes separately. Retrofit will be far more costly.

Questions?

Permissions Management: Examples of what happens now...
Mainframe DACSS
- DSA departmental/financial hierarchy
- Value-based, explicit permissions
DAT
- Academic delegation hierarchy
- Access by position in workflow
Class Web Sites in Schools & College
- Download class rosters from SRDB
- Explicit permissions within the application

Before IAMUCLA
- Each application provides its own logon ID and password
- Each application maintains customized permission lists
- IDs and passwords often unencrypted, not audited
- Authentication & Authorization often not differentiated

What is Permissions Management?
“I don’t want to run around getting access to everything for my classes. I want what I need, where and when I need it.” (Student)
“I want to quickly grant my assistant access while I’m away rather than loan her my access!” (PI)
“I want to create a project group and when I invite someone to join that group, they immediately have all related access.” ... and “When I join that group, I want immediate access to all relevant resources.” (Collaborator)
“I want to automatically give all students enrolled in CS143 access to my lab, the class web sites, and software in the lab.” (Professor)
“I want to run a review process in which students, faculty, staff and administrators review and approve different components and different points in the process.” (Business manager)
“Before I terminate this person, I want to make sure all their current access is revoked throughout the campus.” (Manager)
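The Phase II slides list what an enterprise permission management system has to provide (roles established once and maintained across campus, full auditability of who has access to what and when, instant revocation, delegation tools, less password sharing), and the user stories above describe the same requirements from the other side (group membership that carries access with it, a PI delegating to an assistant instead of lending a logon, a manager revoking everything before a termination). The block below is an added example, not UCLA's Permission Management Tools, of a minimal store that meets those stories together: grants attach to groups as well as people, delegation is bounded in time and cannot be re-delegated, termination is one call, and every change is written to an audit trail. All people, groups, applications and roles in it are constructed.

```python
# Added example, not UCLA's Permission Management Tools: a small enterprise
# permission store of the kind the Phase II slides and the user stories
# describe.  Roles are granted to groups as well as to people, a PI can
# delegate a role she holds to an assistant for a bounded time instead of
# lending a password, termination revokes every grant and membership in one
# call, and every change lands in an audit trail that answers "who has access
# to what, and when".  All people, groups, apps and roles are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class Grant:
    subject: str                 # a person's logon ID or a group name
    app: str                     # application the role belongs to
    role: str
    granted_by: str
    expires: Optional[datetime]  # None = open-ended
    delegated: bool = False      # delegated grants cannot be passed on again


class PermissionStore:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        # injectable clock so expiry can be exercised deterministically
        self._now = clock or (lambda: datetime.now(timezone.utc))
        self.groups = {}   # group name -> set of member logon IDs
        self.grants = []   # list of Grant
        self.audit = []    # append-only list of dicts

    def _log(self, action: str, actor: str, **details):
        self.audit.append({"at": self._now(), "action": action,
                           "actor": actor, **details})

    # group membership: "when I join that group, I have all related access"
    def add_member(self, group: str, person: str, actor: str):
        self.groups.setdefault(group, set()).add(person)
        self._log("add_member", actor, group=group, person=person)

    def groups_of(self, person: str) -> set:
        return {g for g, members in self.groups.items() if person in members}

    def _active(self) -> list:
        now = self._now()
        return [g for g in self.grants if g.expires is None or g.expires > now]

    # grants attach to a subject that is either a person or a group
    def grant(self, subject: str, app: str, role: str, actor: str,
              ttl: Optional[timedelta] = None, delegated: bool = False):
        expires = self._now() + ttl if ttl else None
        self.grants.append(Grant(subject, app, role, actor, expires, delegated))
        self._log("grant", actor, subject=subject, app=app, role=role,
                  expires=expires, delegated=delegated)

    def delegate(self, delegator: str, assistant: str, app: str, role: str,
                 ttl: timedelta):
        """Pass on only a role you hold in your own right (not one that was
        delegated to you), for a bounded time.  The assistant gets her own
        grant, so the audit trail names her rather than a shared logon."""
        subjects = {delegator} | self.groups_of(delegator)
        if not any(g.subject in subjects and (g.app, g.role) == (app, role)
                   and not g.delegated for g in self._active()):
            raise PermissionError(f"{delegator} cannot delegate {app}:{role}")
        self.grant(assistant, app, role, actor=delegator, ttl=ttl,
                   delegated=True)

    def effective_roles(self, person: str) -> set:
        """Direct grants plus grants to any group the person is in, minus
        anything expired: 'who has access to what' for one person, now."""
        subjects = {person} | self.groups_of(person)
        return {(g.app, g.role) for g in self._active()
                if g.subject in subjects}

    def has_role(self, person: str, app: str, role: str) -> bool:
        return (app, role) in self.effective_roles(person)

    def who_has(self, app: str, role: str) -> set:
        """Reverse query for an auditor: every person holding app:role now."""
        people = set()
        for g in self._active():
            if (g.app, g.role) == (app, role):
                people |= (self.groups[g.subject] if g.subject in self.groups
                           else {g.subject})
        return people

    # "before I terminate this person, revoke all their access"
    def revoke_all(self, person: str, actor: str) -> set:
        removed = self.effective_roles(person)
        self.grants = [g for g in self.grants if g.subject != person]
        for group in self.groups_of(person):
            self.groups[group].discard(person)
        self._log("revoke_all", actor, person=person, removed=sorted(removed))
        return removed
```

Two design points carry the slides' benefits. Roles are granted to group names, so enrolling a student in a course group (the professor's CS143 story) is the only change needed for the lab, class web site and software to follow, and `who_has` still answers the auditor's question by expanding the group at query time. Delegated grants are marked so that an assistant cannot re-delegate, expire on their own, and are logged under the assistant's own identity, which is what makes delegation a replacement for lending a password rather than a nicer name for it.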