IDENTITY MANAGEMENT Presentation at EuroCAMP 2009-05-17 by Roland - - PowerPoint PPT Presentation




SLIDE 1

IDENTITY MANAGEMENT

Presentation at EuroCAMP 2009-05-17 by Roland Hedberg <roland.hedberg@adm.umu.se>

Tuesday, May 19, 2009

SLIDE 2

WHAT IS IDM ?

“Identity management is the management of the identity life cycle of entities.” --- wikipedia

SLIDE 3

LIFE CYCLE

SLIDE 4

STATE DIAGRAM, SIMPLIFIED

[State diagram. Labels: HR, New employment, Not yet active, Pending, Active, End, Grace]

SLIDE 5

WHAT IS IDM ?

“Identity management is the management of the identity life cycle of entities.” --- wikipedia

Identity — the very essence of who we are and how we interact with others

SLIDE 6

WHO WE ARE

SLIDE 7

HOW WE INTERACT

SLIDE 8

WHAT IS IDM ?

“Identity management is the management of the identity life cycle of entities.” --- wikipedia

Identity — the very essence of who we are and how we interact with others

You are who I say you are / I am whatever I say I am.

SLIDE 9

VIEWS MAY DIFFER

SLIDE 10

OUR NORMAL VIEW?

SLIDE 11

SLIDE 12

FRANCIS BACON

1561-1626

knowledge of the essence of things
the way things really are

Ideals of the mind
  ideal of the tribe (human nature)
  ideal of the cave (hobby horse, prejudice)
  ideal of the market place (social interaction, language)
  ideals of the theater (learned)

SLIDE 13

WHAT IS IDM ?

“Identity management is the management of the identity life cycle of entities.” --- wikipedia

Identity — the very essence of who we are and how we interact with others

You are who I say you are / I am whatever I say I am.

SLIDE 14

THE INFORMATION

Who owns it?
  Responsibility
  Accountability
  Stability

What does it mean?
  Special / Universal
  Usage uncoupled from definition

SLIDE 15

NEXT STEP

Choose a central data representation that is rich and agile enough.

SLIDE 16

OBJECTS

PERSON
  givenName  Roland
  surName    Hedberg
  title      MSc Chemistry & Biology
             MSc Mechanical Engineering

UNIT
  name  IT-unit
  lin   7512

Telephone
  extension  6844

SLIDE 17

OBJECTS AND RELATIONS WITH METADATA

PERSON
  givenName  Roland
  surName    Hedberg
  title      MSc Chemistry & Biology
             MSc Mechanical Engineering

UNIT
  name  IT-unit
  lin   7512

Employee
  position  IT-architect
  extent    100.00
  one
  other

email

Telephone
  extension  6844

RelatedTo
  other
  one
  status  active

SLIDE 18

CONSTRUCT VIEWS

Different applications - different needs

There are so many ways of doing things that we cannot mandate one.

LDAP/AD
WS
Provisioning

Transformation between data models

SLIDE 19

LDAP VIEWS STRUCTURED RELATIONSHIPS (I)

[LDAP tree diagram. Nodes: dc=se, dc=umu, cn=person, cn=org, ou=admin, uid=rohe0002, ou=umdac]

SLIDE 20

LDAP VIEWS STRUCTURED RELATIONSHIPS (II)

[LDAP tree diagram. Nodes: dc=se, dc=umu, cn=person, cn=org, ou=admin, uid=rohe0002, ou=umdac, cn=group, ou=consult, ou=production, ou=support, cn=members]

SLIDE 21

LDAP VIEWS STRUCTURED RELATIONSHIPS (III)

[LDAP tree diagram. Nodes: dc=se, dc=liu, ou=students, ou=personell, ou=Linköpings universitet, ou=org entries, ou=system accounts, ou=system groups, ou=nilsa77d, ou=unit-123. Entry: liuPositionIdentity=nilsa77d-ida-123-1, with labels roleOccupant and LiuOrgEntry]

SLIDE 22

LDAP VIEW BY USE OF ATTRIBUTE OPTIONS

cn: Roland Hedberg
givenName: Roland
uid: rohe0002
telephoneNumber;x-emp-1: +46 90 786 68 44
telephoneNumber;x-emp-2: +46 90 786 52 14
mail;x-emp-1: roland.hedberg@adm.umu.se
mail;x-emp-2: roland.hedberg@umdac.umu.se
eduPersonPrincipalName: rohe0002@umu.se
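Added example, not part of the original presentation: one way an application-facing view could be cut from the entry on this slide, so that a consumer tied to one employment receives only the values tagged for it. The helper names parse_entry and view_for are hypothetical, and the reading that each x-emp-N option marks one employment is an assumption drawn from the slide's data; the parser handles only plain "description: value" lines, not full LDIF.

```python
from collections import defaultdict

# Entry from this slide, one attribute per line.
SLIDE_22_ENTRY = """\
cn: Roland Hedberg
givenName: Roland
uid: rohe0002
telephoneNumber;x-emp-1: +46 90 786 68 44
telephoneNumber;x-emp-2: +46 90 786 52 14
mail;x-emp-1: roland.hedberg@adm.umu.se
mail;x-emp-2: roland.hedberg@umdac.umu.se
eduPersonPrincipalName: rohe0002@umu.se
"""


def parse_entry(text):
    """Return {(attr_type, frozenset(options)): [values]} (hypothetical helper)."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, _, value = line.partition(":")
        attr_type, *options = desc.strip().split(";")
        # Attribute options are compared case-insensitively.
        key = (attr_type, frozenset(o.lower() for o in options))
        entry[key].append(value.strip())
    return dict(entry)


def view_for(entry, option, allowed=None):
    """Build the view for one employment (hypothetical helper).

    Untagged attributes are shared by every view. Tagged attributes are
    released only when they carry exactly `option`, with the tag stripped.
    `allowed` (lowercase attribute types) optionally narrows the release.
    """
    option = option.lower()
    view = defaultdict(list)
    for (attr_type, options), values in entry.items():
        if allowed is not None and attr_type.lower() not in allowed:
            continue
        if not options or options == {option}:
            view[attr_type].extend(values)
    return dict(view)


if __name__ == "__main__":
    parsed = parse_entry(SLIDE_22_ENTRY)
    print(view_for(parsed, "x-emp-1"))
    print(view_for(parsed, "x-emp-2", allowed={"uid", "mail"}))
```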

SLIDE 23

REMAINING TASKS!

Confidentiality

Ensuring that information is accessible only to those authorised to have access

Integrity

Data cannot be modified without authorisation

Availability

The information must be available when it is needed

Correctness/Coherence

SLIDE 24

YOU NEED SOMETHING THAT CAN START LOOKING LIKE THIS .....

[Diagram. Labels: System, MD, System]

SLIDE 25

.. AND END-UP LOOKING LIKE THIS, WHILE YOU STILL FEEL YOU HAVE EVERYTHING UNDER CONTROL !

SLIDE 26

HOW?

Set Strategy - A cohesive Identity Management strategy will set overall objectives and give guidance to individual projects or project phases.

1. Secure Sponsorship - Project sponsors must have a vested interest in the business objectives of the project, have spending and decision making authority, and retain a cross-functional view of the project.

2. Plan Quick Wins - By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits.

3. Select Project Leadership - Full-time, proactive project management is essential to the implementation of an identity management strategy.

4. Define Business Process - Organizations should define as many of the end-state business processes as possible prior to designing the technology solution.

5. Select Implementation Team - Identity projects should be staffed with qualified, experienced, motivated, and dedicated resources.

6. Gain Commitment from Supporting Resources - Owners and administrators of managed resources throughout the larger organization must also be committed to identity management success.

7. Provide Proper Infrastructure - Investing in the proper technical environment for an Identity Management project will ultimately pay off in reduced errors, more effective troubleshooting, and more efficient coordination of configuration components.

8. Assure Data Quality - Project managers should build time and resources into their project plans for an assessment of data quality and for remediation of any deficiencies.

9. Conduct Post Production Turnover - Following a formal process for post production turnover allows all parties to set proper expectations for ongoing support.

http://blogs.sun.com/identity/entry/ten_best_practices_for_identity