
Background

As we begin to think about access management as a problem space, and we start to consider how we might begin to solve problems in the space, it can be easy to become overwhelmed with the magnitude of the space and the number of issues that may arise in it. Our goal during CAMP is to find ways of breaking down the problem space into somewhat more manageable parts, and to look at real-world methods for addressing those parts.

One way we may approach this breakdown is by articulating use cases, or as some would prefer to identify them, "user stories", depicting some of the common situations that call for access management solutions. By identifying use cases, we can not only start to define what the real-world needs our access management solutions need to address, but also (perhaps with a bit of work and some good luck) begin to find some of the common features of use cases in disparate areas of our organizations. It's those common features that may eventually lead us to common solutions, which can in turn chip away at the otherwise daunting monolith of access management.

To get us started thinking about the access management problem space and provide some background for discussions at CAMP, we've put together a collection of use cases or "user stories" that represent some of the most common types of access management problems many of us are confronted with. We'll go into more detail about a few of these on the first afternoon of CAMP. Many of these use cases are derived from the results of a survey on privilege management conducted in late 2008 at Duke University (with support from Internet2 and Educause); the final report of that survey's results is available online at http://www.duke.edu/~rob/PrivManSurvey/I2_PM_Survey_Final_Report.pdf. Others are representative of use cases members of the program committee have identified on their own campuses, or use cases reported by participants in the Internet2 MACE-paccman effort.

Business Operations Use Cases

Like any large organization, colleges and universities must manage employees and finances, purchase equipment and services, and maintain records for their own internal and for external (or regulatory) purposes. A host of access management use cases arise in our business units, many of which share strong similarities to equivalent use cases in the private sector, but some of which may differ as a result of qualitative differences in the way our institutions conceptualize institutional business processes. Here are some representative use cases that evolve from the business operations environment:

  1. Sarah is the new Director of Facilities Management. As the Director, she has the authority within the institutional ERP system to manage the access rights afforded to other individuals with respect to fund codes within Facilities Management. The Director wishes to have her administrative assistant process monthly budget reconciliation statements for her non-salary fund codes, but wishes to manage her salary fund codes directly. She explicitly grants her administrative assistant access to read and reconcile transactions against her non-salary fund codes in the ERP, but leaves herself as the sole individual with access to her salary fund codes.
  2. Gina, an administrative assistant in the Department of Chemistry, vacates her position in the department to take a new position in the Office of the Comptroller. Gina has been the department's payroll clerk for a number of years. The department chair chooses his executive assistant, Marcus, to take over as payroll clerk for the department. As payroll clerk, Marcus will need access to sensitive payroll information about non-exempt employees in the department, but will not need access to faculty salary information or student records. The department chair logs into an access management system and designates Marcus as the new payroll clerk for the Department of Chemistry. In so doing, he grants Marcus a collection of rights within various financial applications appropriate for a departmental payroll clerk in his department, and Gina (who is still employed by the university and still recognized by the authorization system as a user) has her payroll clerk privileges for the Chemistry department revoked.
  3. Richard is the institution's Vice President of Public Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two-week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish, during his two-week absence, allowing her to approve Clery notices in his stead. When a pair of armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richard's behalf. Upon his return from vacation, Richard revokes the delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system.
  4. A university's HR department offers a health and wellness program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the university health club as well as periodic special offers from area businesses deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the employee has access to the program's web portal and receives weekly email reminders about training opportunities and special offers.
  5. Business rules within a college require that travel reimbursements in excess of $1,500 per diem be approved by the traveler's immediate supervisor or someone in the supervisor's management chain and countersigned by an agent from the college's Accounting office. Martha, the Assistant Director of International Relations, returns from a business trip to Switzerland and files a travel reimbursement form attesting to $1,800 in expenses on the final day of the trip. The reimbursements system routes her last day's request to the Director, who approves it in the system. The system then routes the approved request to the Accounting office, where it is checked by a member of the Accounting office's travel reimbursements team. Only after the expense report is authorized by the Accounting office does the system issue a reimbursement check to Martha for the $1,800.
  6. The Housekeeping Office decides to do away with their legacy paper-based PTO tracking system and begin using an online PTO system managed by the central IT group on campus. The new system provides, among other features, a combined calendar view of staff time off, holidays, and major campus events (so that employees may make more informed decisions about vacation scheduling). The system accesses group information derived from authoritative sources in HR and Payroll to associate individuals with their departments, and grants access to department-limited views of the combined calendar to all employees in each department. When Housekeeping begins using the online system, staff in the department are automatically granted access to a Housekeeping view of the combined calendar, listing the schedules of employees in Housekeeping along with University-wide events and holidays. As new employees arrive in the department, they are automatically added to the appropriate departmental group and gain access to the departmental calendar in the PTO system.
  7. The University Compliance Office requires that all employees in specific job categories identified as having potential interaction with sensitive financial information (such as employee bank routing information or staff payroll information) complete an online training module on current procedures for securing sensitive information and attest to their agreement to follow documented University regulations. The system stores information in the institutional identity management repository indicating the date when an employee last completed the online training module, and periodically sends notices to individuals whose training is more than one year out of date and who still work in covered job categories. The training system grants access to the module automatically to employees whose IdM data indicate that they meet the criteria for completing the instructional module. Other applications that traffic in sensitive financial information include the currency of employees' training when making authorization decisions.
  8. The Trustees share access to a secure wiki site where information regarding major capital projects being undertaken by the University is housed and discussed. One member of the board notices that in an upcoming meeting there will be a discussion of possible plans to sell some University land at auction to raise funding for a new building project. As a member of the local zoning commission, the Trustee must recuse himself from the discussion. The University secretary explicitly revokes the Trustee's access to the specific portion of the wiki related to the discussion of the real estate transaction in order to avoid any appearance of conflict.
  9. A Systems Administrator in the Computer Science department is terminated abruptly for egregious violation of University harassment regulations. When the employee is terminated, University policy states that his access to core services and systems must be terminated within 48 hours, and automated processes are in place to ensure compliance with that policy by removing the employee's access to systems throughout the institution. The automatic processes are triggered as overnight batch processes in order to avoid possible service interruptions during normal business hours. The Chair of the CS department, however, has reason to believe that the terminated employee may intend to do some mischief before his access is disabled, so to protect departmental systems, he contacts the IT Security Officer and requests an exceptional authorization change. The ITSO logs into a privileging system and, using rights granted to him by his functional role as ITSO, places an administrative block on all privileges afforded to the terminated employee, and triggers an immediate update of access rules on core systems and CS Departmental systems. Three hours later, the terminated employee attempts to log into the CS department's mail server and delete his accuser's account, but is denied access due to the ITSO's manual override. Overnight, the nightly batch run removes the user's access rights in all systems, making the ITSO's manual override unnecessary. The next morning the ITSO removes his manual override from the system.
  10. A new software engineer is hired by the Administrative Computing group. His addition to the staff automatically provisions him with an electronic identity and with access to some common productivity tools, etc., shared by all staff members. On his first day at work, his manager logs into an access management interface and adds the new employee to a group constructed to identify programmers working on a new Purchasing system. This automatically provisions the new engineer with read access to the code repository for the Purchasing system, but does not automatically grant him write access to the repository. The first time the new engineer attempts to commit changes to the code repository, a workflow is triggered which notifies the project manager overseeing the coding project. The PM reviews the new engineer's credentials and his attempted change, and determines that the new engineer should be granted commit rights in the repository. Once the PM authorizes his commit rights, the new engineer is able to modify code within the Purchasing system.
  11. A University budgeting system implements a hierarchy-based policy for budgetary approvals, in which budgets for organizational subunits are submitted by their respective managers and approved by their department heads, who in turn submit their combined budgets (along with their own offices' discretionary budgets) for approval to school or divisional managers, who in turn pass their combined budgets to senior administrators and ultimately to the CFO for approval. The scope of budget approval authority granted any given manager in the system is controlled by the organizational unit the manager is charged with overseeing. The authority who must approve any given manager's budget is dictated by the organizational hierarchy, which is represented in the system with hierarchical groupings of subunits, departments, and divisions. In the event that a given approver is unavailable for any reason, any authority at a point closer to the top of the hierarchy may issue approvals in his or her stead. When the Director of Transportation is out on childcare leave during budget finalization, it falls to the Assistant VP of Auxiliaries to approve both the Director's discretionary budget and the budgets of her subordinate managers for the Parking Office, the Campus Transit Authority, and the Traffic Control Office.
  12. At that same University, the budgeting system eventually encounters a new interdisciplinary program in Genomics that comprises faculty and staff from a number of different departments spanning multiple schools and colleges. The Program Director submits a budget into the system, but since the program is not part of any officially recognized school or division, the Director's budget is routed all the way to the Provost for approval.
  13. An employee is separated from the institution due to a RIF in her department. HR rules require that she retain access to the campus HR portal and to career development resources for 90 days following her separation to facilitate her transition into a new position (whether internal or external). The campus access management system notices her separation and removes her from all active employee groups and roles, thus denying her access to most staff-accessible systems on campus. She is automatically granted specific access to the HR portal and the career center library system for 90 days. At the end of the 90-day grace period, her rights in those two systems automatically expire.
  14. An incident involving the possible misuse of a University purchasing card to acquire an item of jewelry is being investigated by Internal Audit. The investigator requests a report from the purchasing system of when and by whom the specific purchase was approved, and finds that the purchase was approved by an administrative assistant with authority to approve purchases only up to $500. The investigator then retrieves a report from the access management system of all privileges previously assigned to the administrative assistant, and finds that on the date the purchase was approved, the employee was granted approval rights up to $5,000 for a period of four hours. The investigator notes in the audit log that the assistant's manager – the Assistant Director of Finance – had granted those rights to her. After further investigation, it is determined that the Assistant Director had granted those rights to her assistant in violation of University regulations, and had then directed her to approve the purchase in an attempt to avoid its being detected by the auditors. Both the Assistant Director and her assistant undergo disciplinary action as a result of the incident.
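Use cases 3, 13 and 14 above all rest on one underlying mechanism: a privilege grant that records who issued it, when it takes effect, when it expires, and whether it was revoked early, so that both the authorization check and the later audit read from the same record. The Python model below is an added illustration for this page, not code from the CAMP materials or from any campus system; the subject names, the "approve_clery" and "approve_purchase" rights, the reference date and the $3,200 purchase amount are all constructed for the example. It replays the Clery delegation, the purchasing-card audit (which shows the temporary $5,000 grant and its grantor in the trail) and the 90-day separation grace period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    """One privilege assignment. `limit` is a monetary ceiling (None = no ceiling)."""
    subject: str
    right: str
    granted_by: str
    start: datetime
    end: Optional[datetime] = None        # None = open-ended grant
    limit: Optional[float] = None
    revoked_at: Optional[datetime] = None # set when revoked before `end`


class PrivilegeStore:
    """In-memory privilege store that keeps an audit entry for every grant and revocation."""

    def __init__(self):
        self.grants = []
        self.audit = []   # (time, action, actor, subject, right, limit, end)

    def grant(self, subject, right, granted_by, at, duration=None, limit=None):
        end = at + duration if duration else None
        g = Grant(subject, right, granted_by, at, end, limit)
        self.grants.append(g)
        self.audit.append((at, "grant", granted_by, subject, right, limit, end))
        return g

    def revoke(self, grant, by, at):
        grant.revoked_at = at
        self.audit.append((at, "revoke", by, grant.subject, grant.right, grant.limit, None))

    def in_effect(self, subject, at, right=None):
        """Grants that were live for `subject` at instant `at` (the auditor's view)."""
        return [g for g in self.grants
                if g.subject == subject
                and (right is None or g.right == right)
                and g.start <= at
                and (g.end is None or at < g.end)
                and (g.revoked_at is None or at < g.revoked_at)]

    def may(self, subject, right, at, amount=None):
        """Authorization check: any live grant whose ceiling covers `amount`."""
        return any(amount is None or g.limit is None or amount <= g.limit
                   for g in self.in_effect(subject, at, right))


T0 = datetime(2009, 6, 1)   # constructed reference date for all three scenarios


def clery_delegation():
    """Use case 3: a two-week delegation, revoked explicitly when Richard returns early."""
    store = PrivilegeStore()
    store.grant("richard", "approve_clery", "system", T0 - timedelta(days=365))
    deleg = store.grant("trish", "approve_clery", "richard", T0, duration=timedelta(days=14))
    during = store.may("trish", "approve_clery", T0 + timedelta(days=7))
    store.revoke(deleg, "richard", T0 + timedelta(days=12))
    after_revoke = store.may("trish", "approve_clery", T0 + timedelta(days=13))
    return during, after_revoke


def purchase_card_audit():
    """Use case 14: a four-hour $5,000 grant explains an approval over the $500 ceiling."""
    store = PrivilegeStore()
    store.grant("assistant", "approve_purchase", "system", T0 - timedelta(days=400), limit=500)
    store.grant("assistant", "approve_purchase", "asst_director_finance", T0,
                duration=timedelta(hours=4), limit=5000)
    purchase_time = T0 + timedelta(hours=2)
    approved = store.may("assistant", "approve_purchase", purchase_time, amount=3200)
    # The investigator asks which grants were live at approval time and who issued them.
    trail = [(g.granted_by, g.limit, g.end)
             for g in store.in_effect("assistant", purchase_time, "approve_purchase")]
    later = store.may("assistant", "approve_purchase", T0 + timedelta(hours=5), amount=3200)
    return approved, later, trail


def separate(store, subject, at):
    """Use case 13: drop every live grant, then issue the two 90-day transition grants."""
    for g in store.in_effect(subject, at):
        store.revoke(g, "idm_feed", at)
    for right in ("hr_portal", "career_library"):
        store.grant(subject, right, "idm_feed", at, duration=timedelta(days=90))


def separation_grace_period():
    store = PrivilegeStore()
    for right in ("staff_systems", "hr_portal", "career_library"):
        store.grant("employee", right, "system", T0 - timedelta(days=1000))
    separate(store, "employee", T0)
    day30 = (store.may("employee", "staff_systems", T0 + timedelta(days=30)),
             store.may("employee", "hr_portal", T0 + timedelta(days=30)))
    day91 = store.may("employee", "hr_portal", T0 + timedelta(days=91))
    return day30, day91
```

The point of keeping `in_effect` and `may` on the same records is that the auditor in use case 14 reconstructs the approval-time state from exactly the data the authorization decision used, including the grantor of the temporary ceiling; a system that only stores current rights could not answer that question.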

Academic and Research Use Cases

While many of the use cases we find within business units at our institutions may mirror similar cases in private industry, another collection of use cases is more specific to the higher education sector. The academic use cases exist only in educational contexts, but on thorough inspection, many of them may bear strong resemblance to use cases in other sectors, including the business operations cases outlined above. Here's a sampling of use cases found within research and pedagogy.

  1. Professor Smith, of the Department of Pharmacology in the Medical School, is researching the chemistry of snake venom to determine whether certain components of various snakes' venom may be useful in the management of chronic pain. Professor Jones, in the Department of Genetics, has recently completed a mapping of the genome of one particular species of cobra, and after reading an article by Professor Smith on that cobra's venom, offers to share his research results with him. Professor Jones explicitly grants access to his cobra genetics notes in the Genetics Faculty wiki to Professor Smith, who uses Professor Jones' research to further his analysis of the components of the particular cobra's venom.
  2. A faculty member in the Department of Physics arranges to have one of his better undergraduate students from the previous semester act as a lab assistant for his structural dynamics class. He adds the "lab instructor" role for Physics 108 to the student's profile in the LMS and the student automatically gains access to lab teaching materials and student lab reports for the course.