You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 13 Next »

Terms

For the purposes of this topic (and the referenced documents) the following terms are defined:

Governance

This is a fairly broad area even within IT.  The focus of the term for this space is specifically on Identity and Access Management Governance, which may be a standalone set of committees and working groups in large institutions, a single committee of a larger IT Governance structure, or a subset of topics or priorities addressed by a single Governance body.

The purpose of IAM Governance is to establish or endorse policies that ...

Policy

Need Policy definition ...

Stakeholder

Need Stakeholder definition ...

Overview (problem description)

*** See Notes from ACAMP 2010 - IAM Governance Session

While Identity Management has always had an underlying need for a governance body to make decisions on policy around who should have accounts, how often to force a password change or what resources or applications can be accessed by an authenticated user, IAM Governance has become much more "critical" in the last few years as the scope of this field has expanded to include "Access Management".  Centralized authorization capability or at least the value-added feature(s) of assigning roles, groups and entitlements to subjects has pretty much required that institutions form groups of stakeholders to decide what "roles" are defined or how affiliates are classified, and subsequently what services these different populations get access to.  Even though the decision of who/what gets access is usually left up to the resource owner, the decision is more frequently being based on attributes provided by an Identity and Access Management System (IAMS).

This site will highlight how some universities have implemented IAM Governance to provide guidance and support (Policies) to the technology implementors of IAM components and systems, in an effort to provide a framework and tools (presentations, peer institution examples, etc.) to assist those institutions struggling with implementing their own IAM Governance.

Use Cases (examples)

Use cases in the context of IAM Governance is a bit different than in other topic areas.  The approach taken here is to list situations where there is a need to have some stakeholder group authorize or endorse a Policy or policy (formal or informal) or Business Practice, needed to implement some aspect of an Identity and Access Management System (IAMS).

  1. In order to assign an "affiliation value" (e.g. alumni, contractor, vendor, parent, library patron, researcher, guest, spouse, etc.) to certain populations of subjects that are not considered traditional members of the community - students, faculty and staff - a governance group of stakeholders (HR, Registrar, Audit, Safety, Legal, Library, Graduate School, Alumni Affairs, etc.) must establish a list of Affiliate values.  Subsequently, resource and application owners need to decide which affiliate groups can have access to their services and what privileges they have.  These policy decisions will then be incorporated into the IAM provisioning "rules" for populating roles, groups and entitlements related to these services.
  2. When a student leaves the university, their accounts and access to applications and services remain active until the help desk is notified they have left (e.g. withdrawn, expelled, graduated).  In order to tighten up the security of these "open" accounts the university administration has requested that student accounts be automatically disabled when they leave.  The details of what and when leaving "means" need to be defined and established as policy so that it can be technically implemented within the IAM system, and that the responsibility for this decision is owned by the Stakeholders of the Governance committee making the policy and not IT.
  3. (Similar situation to #2, but the subject is an Employee who is terminated or retires).  Again, the Governance body needs to define "when" access is disabled and for "what" services.  If the employee needs to retain access to payroll information (to obtain W2 information for tax purposes) but not have any access to Library Services, that needs to be decided upon so de-provisioning of access to the restricted services can take place according to what the policy states. 

Standards

What type of standards apply?

Case Studies and White Papers

  1.  Penn State Governance Council

Tools

  •  
  •  
  • No labels