Problem Statement

It has proved challenging to identify shareable patterns in

  • How ERP-sourced data is brought into IAM infrastructures and
  • How this data figures into the formation of access policies

These challenges proved insurmountable for the TAP working groups on both Banner and PeopleSoft ERP integration.

Work Items

This task force will

  • Start by building a short list of common services for which access is controlled
  • Propose basic access policies for those services
  • Look for commonalities in how campuses express those access policies in their Grouper deployment

The Task Force may go on to uncover which ERP-sourced attribute types factor into the formulation of these access policies.

The extract and transform processing of raw ERP data is necessarily specific to each campus's IT system components, so the Task Force will have to assume that each campus will solve that problem on its own. Task Force guidance will pick up the story at that point and suggest common practices for formulating the access policy and representing it in Grouper.

Stakeholders

  • Policy determination: It's complicated
    • Custodians of ERPs (who do not always approach requests from an institutional perspective)
    • Executive-level mandates (i.e. trump card holders)
    • Data Governance Board (concern for data privacy issues focused here)
    • Service or Resource "Owners" (does seem like they should have a say)
    • Advocates of resource access for the people whose interests they proxy (to whom do they appeal?)
    • Policy statements hidden in code and in databases, often partially unknown to anyone (source of much confusion)
    • Department-level resource managers (highly decentralized)
    • If all else fails, and it often does, Central IT and the IAM team end up defining and implementing the policies by default (double-plus ungood, but quite common)
  • Policy-supporting IT Infrastructure managers/developers/staff

Deliverables

  • Task Force guidelines and recommendations applicable to both RBAC and ABAC models of access control in Grouper