Organizations as Subjects
Elizabeth Salley, University of Michigan
University of Michigan has recently rolled out a sponsor system for managing affiliates.
Units around campus define the person who is an authority. That authority can delegeate to one or more person in their area.
A person must be a current regular U-M employee to be an administrator on the system. Must have completed the admin. access and compliance training and must attest to be a good steward of the system. The med center has their own very robust IdM system.
When the University of Michigan moved from a human home-grown system into web services, there was a need to think through requirements again.
Q: So a trust relationship had to be established with the Medical Center to do this. Did you have to build a policy infrastructure?
A: Yes, our developers of this web service originally designed a very complicated way of enforcing this trust relationship.
But a short term solution was just a signed agreement between the two organizations.
Tried to keep it simple. Will have more of these and will try to find a better way of encoding this into the system for future partnerships.
Q: So medical center is responsible for auditing changes?
A: We track the fact that the medical center made a particular change. We assume that the medical center captures more details to the level required for them.