You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Background

As we begin to think about access management as a problem space, and we start to consider how we might begin to solve problems in the space, it can be easy to become overwhelmed with the magnitude of the space and the number of issues that may arise in it. Our goal during CAMP is to find ways of breaking down the problem space into somewhat more manageable parts, and to look at real-world methods for addressing those parts.

One way we may approach this breakdown is by articulating use cases, or as some would prefer to identify them, "user stories", depicting some of the common situations that call for access management solutions. By identifying use cases, we can not only start to define what the real-world needs our access management solutions need to address, but also (perhaps with a bit of work and some good luck) begin to find some of the common features of use cases in disparate areas of our organizations. It's those common features that may eventually lead us to common solutions, which can in turn chip away at the otherwise daunting monolith of access management.

To get us started thinking about the access management problem space and provide some background for discussions at CAMP, we've put together a collection of use cases or "user stories" that represent some of the most common types of access management problems many of us are confronted with. We'll go into more detail about a few of these on the first afternoon of CAMP. Many of these use cases are derived from the results of a survey conducted in late 2008 at Duke University (with support from Internet2 and Educause) privilege management – the final report of that survey's results is available online at http://www.duke.edu/~rob/PrivManSurvey/I2_PM_Survey_Final_Report.pdf. Others are representative of use cases members of the program committee have identified on their own campuses, or use cases reported by participants in the Internet2 MACE-paccman effort.

Business Operations Use Cases

Like any large organization, colleges and universities must manage employees and finances, purchase equipment and services, and maintain records for their own internal and for external (or regulatory) purposes. A host of access management use cases arise in our business units, many of which share strong similarities to equivalent use cases in the private sector, but some of which may differ as a result of qualitative differences in the way our institutions conceptualize institutional business processes. Here are some representative use cases that evolve from the business operations environment:

  1. Sarah is the new Director of Facilities Management. As the Director, she has the authority within the institutional ERP system to manage the access rights afforded to other individuals with respect to fund codes within Facilities Management. The Director wishes to have her administrative assistant process monthly budget reconciliation statements for her non-salary fund codes, but wishes to manage her salary fund codes directly. She explicitly grants her administrative assistant access to read and reconcile transactions against her non-salary fund codes in the ERP, but leaves herself as the sole individual with access to her salary fund codes.
  2. Gina, an administrative assistant in the Department of Chemistry, vacates her position in the department to take a new position in the Office of the Comptroller. Gina has been the department's payroll clerk for a number of years. The department chair chooses his executive assistant, Marcus, to take over as payroll clerk for the department. As payroll clerk, Marcus will need access to sensitive payroll information about non-exempt employees in the department, but will not need access to faculty salary information or student records. The department chair logs into an access management system and designates Marcus as the new payroll clerk for the Department of Chemistry. In so doing, he grants Marcus a collection of rights within various financial applications appropriate for a departmental payroll clerk in his department, and Gina (who is still employed by the university and still recognized by the authorization system as a user) has her payroll clerk privileges for the Chemistry department revoked.
  3. Richard is the institutions Vice President of Public Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish, during his two week absence, allowing her to approve Clery notices in his stead. When a pair or armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richard's behalf. Upon his return from vacation, Richard revokes the delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system.
  4. A university's HR department offers a health and wellnes program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the university health club as well as periodic special offers from area business deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the employee has access to the program's web portal and receives weekly email reminders about training opportunities and special offers.
  5. Business rules within a college require that travel reimbursements in excess of $1,500 per diem be approved by the traveler's immediate supervisor or someone in the supervisor's management chain and countersigned by an agent from the college's Accounting office. Martha, the Assistant Director of International Relations, returns from a business trip to Switzerland and files a travel reimbursement form attesting to $1,800 in expenses on the final day of the trip. The reimbursements system routes his last day's request to the Director, who approves it in the system. The system then routes the approved request to the Accounting office, where it is checked by a member of the Accounting office's travel reimbursements team. Only after the expense report is authorized by the Accounting office does the system issue a reimbursement check to Martha for the $1,800.
  6. The Housekeeping Office decides to do away with their legacy paper-based PTO tracking system and begin using an online PTO system managed by the central IT group on campus. The new system provides, among other features, a combined calendar view of staff time off, holidays, and major campus events (so that employees may make more informed decisions about vacation scheduling). The system accesses group information derived from authoritative sources in HR and Payroll to associate individuals with their departments, and grants access to department-limited views of the combined calendar to all employees in each department. When Housekeeping begins using the online system, staff in the department are automatically granted access to a Housekeeping view of the combined calendar, listing the schedules of employees in Housekeeping along with University-wide events and holidays. As new employees arrive in the department, they are automatically added to the appropriate departmental group and gain access to the departmental calendar in the PTO system.
  7. The University Compliance Office requires that all employees in specific job categories identified as having potential interaction with sensitive financial information (such as employee bank routing information or staff payroll information) complete an online training module on current procedures for securing sensitive information and attest to their agreement to follow documented University regulations. The system stores information in the institutional identity management repository indicating the date when an employee last completed the online training module, and periodically sends notices to individuals whose training is more than one year out of date and who still work in covered job categories. The training system grants access to the module automatically to employees whose IdM data indicate that they meet the criteria for completing the instructional module. Other applications that traffic in sensitive financial information include the currency of employee's training when making authorization decisions.
  8. The Trustees share access to a secure wiki site where information regarding major capital projects being undertaken by the University is housed and discussed. One member of the board notices that in an upcoming meeting there will be a discussion of possible plans to sell some University land at auction to raise funding for a new building project. As a member of the local zoning commission, the Trustee must recuse himself from the discussion. The University secretary explicitly revokes the Trustee's access to the specific portion of the wiki related to the discussion of the real estate transaction in order to avoid any appearance of conflict.
  9. A Systems Administrator in the Computer Science department is terminated abruptly for egregious violation of University harassment regulations. When the employee is terminated, University policy states that his access to core services and systems must be terminated within 48 hours, and automated processes are in place to ensure compliance with that policy by removing the employee's access to systems throughout the institution. The automatic processes are triggered as overnight batch processes in order to avoid possible service interruptions during normal business hours. The Chair of the CS department, however, has reason to believe that the terminated employee may intend to do some mischief before his access is disabled, so to protect departmental systems, he contacts the IT Security Officer and requests an exceptional authorization change. The ITSO logs into a privileging system and, using rights granted to him by his functional role as ITSO, places an administrative block on all privileges afforded to the terminated employee, and triggers an immediate update of access rules on core systems and CS Departmental systems. Three hours later, the terminated employee attempts to log into the CS department's mail server and delete his accuser's account, but is denied access due to the ITSO's manual override. Overnight, the nightly batch run removes the user's access rights in all systems, making the ITSO's manual override unnecessary. The next morning the ITSO removes his manual override from the system.
  10. A new software engineer is hired by the Administrative Computing group. His addition to the staff automatically provisions him with an electronic identity and with access to some common productivity tools, etc., shared by all staff members. On his first day at work, his manager logs into an access management interface and adds the new employee to a group constructed to identify programmers working on a new Purchasing system. This automatically provisions with the new engineer with read access to the code repository for the Purchasing system, but does not automatically grant him write access to the repository. The first time the new engineer attempts to commit changes to to ehcode repository, a workflow is triggered which notifies the project manager overseeing the coding project. The PM reviews the new engineer's credentials and his attempted change, and determines that the new engineer should be granted commit rights in the repository. Once the PM authorizes his commit rights, the new engineer is able to modify code within the Purchasing system.
  11. A University budgeting system implements an hierarchy-based policy for budgetary approvals, in which budgets for organizational subunits are submitted by their respective managers and approved by their department heads, who in turn submit thier combined budgets (along with their own offices' discretionary budgets) for approval to school or divisional managers, who in turn pass their combined budgets to senior administrators and ultimately to the CFO for approval. The scope of budget approval authority granted any given manager in the system is controlled by the organizational unit the manager is charged with overseeing. The authority who must approve any given manager's budget is dictated by the organizational hierarchy, which is represented in the system with hierarchical groupings of subunits, departments, and divisions. In the event that a given approver is unavailable for any reason, any authority at a point closer to the top of the hierarchy may issue approvals in his or her stead. When the Director of Transportation is out on childcare leave during budget finalization, it falls to the Assistant VP of Auxiliaries to approve both the Director's discretionary budget and the budgets of her subordinate managers for the Parking Office, the Campus Transit Authority, and the Traffic Control Office.
  12. At that same University, the budgeting system eventually encounters a new interdisciplinary program in Genomics that comprises faculty and staff from a number of different departments spanning multiple schools and colleges. The Program Director submits budget into the system, but since the program is not part of any officially recognized school or division, the Director's budget is routed all the way to the Provost for approval.
  13. An employee is separated from the institution due to a RIF in her department. HR rules require that she retain access to the campus HR portal and to career development resources for 90 days following her separation to facilitate her transition into a new position (whether internal or external). The campus access management system notices her separation and removes her from all active employee groups and roles, thus denying her access to most staff-accessible systems on campus. She is automatically granted specific access to the HR portal and the career center library system for 90 days. At the end of the 90-day grace period, her rights in those two systems automatically expire.
  14. An incident involving the possible misuse of a University purchasing card to acquire an item of jewelery is being investigated by Internal Audit. The investigator requests a report from the purchasing system of when and by whom the specific purchase was approved, and finds that the purchase was approved by an administrative assistant with authority to approve purchases only up to $500. The investigator then retrieves a report from the access management system of all privileges previously assigned to the administrative assistant, and finds that on the date the purchase was approved, the employee was granted approval rights up to $5,000 for a period of four hours. The investigator notes in the audit log that the assistant's manager – the Assistant Director of Finance – had granted those rights to her. After further investigation, it is determined that the Assistant Director had granted those rights to her assistant in violation of University regulations, and had then directed her to approve the purchase in an attempt to avoid its being detected by the auditors. Both the Assistant Director and her assistant undergo disciplinary action as a result of the incident.

Academic and Research Use Cases

While many of the use cases we find within business units at our institutions may mirror similar cases in private industry, another collection of use cases are more unique to the higher education sector. The academic use cases exist only in educational contexts, but on thorough inspection, many of them may bear strong resemblance to use cases in other sectors, including the business operations cases outlined above. Here's a sampling of use cases found within research and pedagogy.

  1. Professor Smith, of the Department of Pharmacology in the Medical School, is researching the chemistry of snake venom to determine whether certain components of various snakes' venom may be useful in the management of chronic pain. Professor Jones, in the Department of Genetics, has recently completed a mapping of the genome of one particular species of cobra, and after reading an article by Professor Smith on that cobra's venom, offers to share his research results with him. Professor Jones explicitly grants access to his cobra genetics notes in the Genetics Faculty wiki to Professor Smith, who uses Professor Jones' research to further his analysis of the components of the particular cobra's venom.
  2. A faculty member in the Department of Physics arranges to have one of his better undergraduate students from the previous semester act as a lab assistant for his structural dynamics class. He adds the "lab instructor" role for Physics 108 to the student's profile in the learning management system (LMS) and the student automatically gains access to lab teaching materials and student lab reports for the course.
  3. A university uses its LMS to handle mid-term grade reporting – faculty enter grades for assignments and mid-term quizzes and exams in the LMS, where students can review them online and track their progress until the end of the term. The LMS automatically assigns grade entry privileges to instructors (as identified by the student registration system). Professor Gamow chooses to have one of his graduate students act as TA for his EM Fields course and delegates his grade reporting privileges in the LMS to his student. The student is then able to report grades for students in the EM Fields class within the LMS. When final grades are due, Professor Gamow reports them to the Registrar based on information previously reported in the LMS.
  4. A university's central IT organization operates an authorization service used by all its colleges and schools to manage access rights within a shared faculty management application. Central IT staff find themselves spending increasing time entering role and permission changes on behalf of the schools. Central IT staff us a delegation mechanism built ino the authorization facility to grant administrative staff in each School direct acess to authorization rules for resources within their Schools, relieving them of workload and distributing decision-making authority to resource owners.
  5. Under federal regulations, certain educational records information about studnets may be categorized as "directory information" and may be disclosed by institutions without prior consent from students. Students reserve the right under FERPA, however, to have disclosure of their directory information blocked upon request. An undergraduate Engineer becomes concerned that a high-school acquaintance may be stalking her, and wishes to have her contact information (name, address, email address, telephone number) blocked from view. The university considers those data elements to be directory information under FERPA, and discloses them by default. The student visits a FERPA portal system and marks those data elements as FERPA protected information in her records. Subsequently, applications that access student educational informaiton and IdM data about students refuse to allow access to the student's contact information except when the requestor is identified as having an academic need to see the information.
  6. A BME student in her senior year signs up for Professor Jones' popular seminar on biomedical research ethics. As a BME upperclassman, the registration system allows her to sign up directly. Her roommate, a pre-med student majoring in Public Policy, attempts to sign up for the same course, but becuase of rules applied to the course in the registration system, the second student's registration for the course is suspnded, and the system sends an approval report to Professor Jones. Having spoken with the student beforehand, the professor is prepared for the request, and authorizes it in the registration system. The pre-med student is enrolled in the class.
  7. Professor Pilkey wants to grant access to a blog he maintains about his research into the effects of pollution on shallow-water marine invertebrates to students in his Wetlands Ecology course. The campus IdM system automatically places students in course-specific groups based on their enrollment in specific sections of specific courses. The blogging software supports LDAP-based groups, so Professor Pilkey grants access to his blog to the members of the "ECO 212 Students" group.
  8. Career Counselling Services arranges to have an online course in effective interviewing techniques made available to students who meet specific criteria – those who are expected to graduate within one year and who are in degree-seeking programs (part-time and inter-institutional students are excluded). The vendor providing the online course materials requires that the center make a good faith effort to limit access to those students. The center arranges to grant access to any student whose expected date of graduation is less than one year in the future and whose identity information indicates she is a full-time student.
  9. In a shared filespace, a faculty member desires to grant read access to course materials to both his students and his TAs, write-only access to a dropbox or his students, and read-only access to the dropbox for his TAs. The file server consumes group information from the identity management system to enable the faculty member to grant read to the course materials for his students, but because only the faculty member knows the identity of his TAs, he manually adds the TAs one by one to an access whitelist for the shared filespace.
  10. A faculty member in Education working for the Provost's office on a multi-year effort to enhance undergraduate instruction is researching the effectiveness of different pedagogical strategies in teh trecaching of new foreign languages to non-language majors. He develops a survey which he wants instructors teaching introductory language classes in all foreign language deparments to respond to. He grants permission to access the survey to faculty members and graduates students identified as instructors in at least one section of a 0-level foreign language course. The Registrar later grants him access to depersonalized grade information from 0-level foreign language classes to complete his research.
  11. A web-based faculty management and promotion system needs to grant access to faculty CVs and evaluations in a way that reflects the institutional academic hierarchy. Professor Jones is both an instructor in the department of Microbiology and the Chair of the department. As a department chair, Professor Jones has access both to his own CV and to the CVs and evaluations of all faculty within the department. Professor Johnson is the Dean of Basic Sciences, and teaching faculty in the Anatomy department. Because Microbiology is part of the Division of Basic Sciences, Dean Johnson has access to professor Jones' CV and evaluation reports, as well as to all the CVs and evaluations of faculty in Microbiology and other departments within the division. She has access to her own CV as a faculty member, but not to the CVs of faculty in other parts of the School of Medicine. Dean Hillard is the Dean of Medicine, and has acccess to all faculty information in the School.
  12. Professor Hausmann teaches four sections of Basic Anatomy in the Medical School, one of which is cross-listed in Comparative Biology and co-taught by Professor Biggs. In conjunction with an LMS system, the university provides shared filespace for instructors to use in their courses. By default, instructors are given one shared directory for each course they teach and one subdirectory for each section of each course. Professor Hausmann is grnated full privileges in a top-level shared directory for his Basic Anatomy course (BA4401) and in subdirectories for each of the four sections of the cours (BA4401S1 thru BA4401S4). Students in each section are given read access to the BA4401 directory and to their individual sectional subdirectories, but not to other sectional subdirectories. Professor Biggs is automatically granted full access to the BA4401S4 subdirectory, which is also referenced through a filesystem link as CBIO410S1. Students enrolled in the cross list have access to the one subdirectory and the BA4401 super-directory.
  13. A new graduate student matriculates in Biochemistry and as a result is granted card access to the Chemistry and Biology buildings and all departmental areas except a Class 2 pathogen lab in the basement of the Biology building. Access to that lab is contingent upon completion of a rigorous course in safe handling of Class 2 human pathogens and the operation of the labs safety equipment. The graduate student completes the course a week after matriculation and once the occupational health and safety office updates his IdM information to indicate that he is in compliance with the requirement, his card grants him access to the lab automatically. Six months later, his compliance comes due for renewal, and he's notified that he must complete a refresher course to continue his access to the lab. Having completed the only course involving use of the Class 2 lab he plans to take, he chooses not to renew his certification, and as it lapses, his card access to the lab is revoked.
  14. Professor Stedman's Marketing 304 course culminates in a final project which is to be submitted electronically by each student no later than 5pm on the last day of class. A student in the class fails to submit his final project on time an reports that he was denied access to the class dropbox when he attempted to submit his assignment. The instructor is suspicious and retrieves audit logs from the LMS which indicate that the student was indeed denied access to the dropbox at 4:45 on the appointed day. Enlisting the assistance of his IT support staff, Professor Stedman finds that the student was removed from the Marketing 304 Student group that morning, and reinstated in the group the following morning. Further investigation by the IT staff determines that a failure in the university registration system had caused truncation of the student list for Marketing 304 and caused the student in question to be errantly reported as not enrolled in the course for approxinately 24 hours. In light of these facts, Professor Stedman grants the student an extension and allows the student to submit his final project for full credit.

Miscellaneous Use Cases

  • No labels