Date: Thu, 28 Mar 2024 10:35:20 +0000 (UTC)
Subject: Exported From Confluence
Background
Business Operations Use Cases
Academic and Research Use Cases
Residential Life Use Cases
Library Use Cases
Medical Center Use Cases
Guests and Non-Traditional Affiliates Use Cases
Background
As we begin to think about access management as a problem space, and we start to consider how we might begin to solve problems in the space, it can be easy to become overwhelmed with the magnitude of the space and the number of issues that may arise in it. Our goal during CAMP is to find ways of breaking down the problem space into somewhat more manageable parts, and to look at real-world methods for addressing those parts.
One way we may approach this breakdown is by articulating use cases, or as some would prefer to identify them, "user stories", depicting some of the common situations that call for access management solutions. By identifying use cases, we can not only start to define the real-world requirements our access management solutions need to address, but also (perhaps with a bit of work and some good luck) begin to find some of the common features of use cases in disparate areas of our organizations. It's those common features that may eventually lead us to common solutions, which can in turn chip away at the otherwise daunting monolith of access management.
To get us started thinking about the access management problem space and provide some background for discussions at CAMP, we've put together a collection of use cases or "user stories" that represent some of the most common types of access management problems many of us are confronted with. We'll go into more detail about a few of these on the first afternoon of CAMP. Many of these use cases are derived from the results of a survey on privilege management conducted in late 2008 at Duke University (with support from Internet2 and Educause); the final report of that survey's results is available online at http://www.duke.edu/~rob/PrivManSurvey/I2_PM_Survey_Final_Report.pdf. Others are representative of use cases members of the program committee have identified on their own campuses, or use cases reported by participants in the Internet2 MACE-paccman effort.
Business Operations Use Cases
Like any large organization, colleges and universities must manage employees and finances, purchase equipment and services, and maintain records for their own internal purposes and for external (or regulatory) ones. A host of access management use cases arise in our business units, many of which share strong similarities to equivalent use cases in the private sector, but some of which may differ as a result of qualitative differences in the way our institutions conceptualize institutional business processes. Here are some representative use cases that arise from the business operations environment:
- Budget Access by Director and Assistant - Sarah is the new Director of Facilities Management. As the Director, she has the authority within the institutional ERP system to manage the access rights afforded to other individuals with respect to fund codes within Facilities Management. The Director wishes to have her administrative assistant process monthly budget reconciliation statements for her non-salary fund codes, but wishes to manage her salary fund codes directly. She explicitly grants her administrative assistant access to read and reconcile transactions against her non-salary fund codes in the ERP, but leaves herself as the sole individual with access to her salary fund codes. (Single authority identified by organizational hierarchy grants by fiat to single subject multiple privileges on a single target resource constrained by resource scoping)
- Old and New Payroll Clerks - Gina, an administrative assistant in the Department of Chemistry, vacates her position in the department to take a new position in the Office of the Comptroller. Gina has been the department's payroll clerk for a number of years. The department chair chooses his executive assistant, Marcus, to take over as payroll clerk for the department. As payroll clerk, Marcus will need access to sensitive payroll information about non-exempt employees in the department, but will not need access to faculty salary information or student records. The department chair logs into an access management system and designates Marcus as the new payroll clerk for the Department of Chemistry. In so doing, he grants Marcus a collection of rights within various financial applications appropriate for a departmental payroll clerk in his department, and Gina (who is still employed by the university and still recognized by the authorization system as a user) has her payroll clerk privileges for the Chemistry department revoked. (Single authority identified by organizational hierarchy grants multiple related privileges collected by role on multiple target resources to single subject and revokes multiple related privileges collected by role on multiple target resources from single subject)
- Clery Notification - Richard is the institution's Vice President of Public Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two-week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish, during his two-week absence, allowing her to approve Clery notices in his stead. When a pair of armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richard's behalf. Upon his return from vacation, Richard revokes the delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system. (Single authority identified by organizational hierarchy transfers privileges by fiat to a single subject designee on a single resource constrained by an absolute time limit)
- Wellness Program Participation - A university's HR department offers a health and wellness program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the university health club as well as periodic special offers from area businesses deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the employee has access to the program's web portal and receives weekly email reminders about training opportunities and special offers. (Multiple subjects act as authorities self-selecting to opt themselves into multiple privileges on multiple, federated target resources with affiliation and prerequisite constraints.)
- Travel Reimbursement Approvals - Business rules within a college require that travel reimbursements in excess of $1,500 per diem be approved by the traveler's immediate supervisor or someone in the supervisor's management chain and countersigned by an agent from the college's Accounting office. Martha, the Assistant Director of International Relations, returns from a business trip to Switzerland and files a travel reimbursement form attesting to $1,800 in expenses on the final day of the trip. The reimbursements system routes her last day's request to the Director, who approves it in the system. The system then routes the approved request to the Accounting office, where it is checked by a member of the Accounting office's travel reimbursements team. Only after the expense report is authorized by the Accounting office does the system issue a reimbursement check to Martha for the $1,800. (Multiple authorities identified programmatically by business roles participate in hierarchical workflow to approve single privilege on single target resource for single subject with sizing constraint)
- Housekeeping's Access to Services - The Housekeeping Office decides to do away with their legacy paper-based PTO (Paid Time Off) tracking system and begin using an online PTO system managed by the central IT group on campus. The new system provides, among other features, a combined calendar view of staff time off, holidays, and major campus events (so that employees may make more informed decisions about vacation scheduling). The system accesses group information derived from authoritative sources in HR and Payroll to associate individuals with their departments, and grants access to department-limited views of the combined calendar to all employees in each department. When Housekeeping begins using the online system, staff in the department are automatically granted access to a Housekeeping view of the combined calendar, listing the schedules of employees in Housekeeping along with University-wide events and holidays. As new employees arrive in the department, they are automatically added to the appropriate departmental group and gain access to the departmental calendar in the PTO system.
- Enforcing Compliance Training - The University Compliance Office requires that all employees in specific job categories identified as having potential interaction with sensitive financial information (such as employee bank routing information or staff payroll information) complete an online training module on current procedures for securing sensitive information and attest to their agreement to follow documented University regulations. The system stores information in the institutional identity management repository indicating the date when an employee last completed the online training module, and periodically sends notices to individuals whose training is more than one year out of date and who still work in covered job categories. The training system grants access to the module automatically to employees whose IdM data indicate that they meet the criteria for completing the instructional module. Other applications that traffic in sensitive financial information include the currency of employees' training when making authorization decisions.
- Trustee's Conflict of Interest - The Trustees share access to a secure wiki site where information regarding major capital projects being undertaken by the University is housed and discussed. One member of the board notices that in an upcoming meeting there will be a discussion of possible plans to sell some University land at auction to raise funding for a new building project. As a member of the local zoning commission, the Trustee must recuse himself from the discussion. The University secretary explicitly revokes the Trustee's access to the specific portion of the wiki related to the discussion of the real estate transaction in order to avoid any appearance of conflict.
- Terminating Access for a Disgruntled Employee - A Systems Administrator in the Computer Science department is terminated abruptly for egregious violation of University harassment regulations. When the employee is terminated, University policy states that his access to core services and systems must be terminated within 48 hours, and automated processes are in place to ensure compliance with that policy by removing the employee's access to systems throughout the institution. The automatic processes are triggered as overnight batch processes in order to avoid possible service interruptions during normal business hours. The Chair of the CS department, however, has reason to believe that the terminated employee may intend to do some mischief before his access is disabled, so to protect departmental systems, he contacts the IT Security Officer (ITSO) and requests an exceptional authorization change. The ITSO logs into a privileging system and, using rights granted to him by his functional role as ITSO, places an administrative block on all privileges afforded to the terminated employee, and triggers an immediate update of access rules on core systems and CS Departmental systems. Three hours later, the terminated employee attempts to log in to the CS department's mail server and delete his accuser's account, but is denied access due to the ITSO's manual override. Overnight, the nightly batch run removes the user's access rights in all systems, making the ITSO's manual override unnecessary. The next morning the ITSO removes his manual override from the system.
- Special Access for New Employee - A new software engineer is hired by the Administrative Computing group. His addition to the staff automatically provisions him with an electronic identity and with access to some common productivity tools, etc., shared by all staff members. On his first day at work, his manager logs into an access management interface and adds the new employee to a group constructed to identify programmers working on a new Purchasing system. This automatically provisions the new engineer with read access to the code repository for the Purchasing system, but does not automatically grant him write access to the repository. The first time the new engineer attempts to commit changes to the code repository, a workflow is triggered which notifies the project manager overseeing the coding project. The project manager reviews the new engineer's credentials and his attempted change, and determines that the new engineer should be granted commit rights in the repository. Once the project manager authorizes his commit rights, the new engineer is able to modify code within the Purchasing system.
- Budget Approval Process - A University budgeting system implements a hierarchy-based policy for budgetary approvals, in which budgets for organizational subunits are submitted by their respective managers and approved by their department heads, who in turn submit their combined budgets (along with their own offices' discretionary budgets) for approval to school or divisional managers, who in turn pass their combined budgets to senior administrators and ultimately to the CFO for approval. The scope of budget approval authority granted any given manager in the system is controlled by the organizational unit the manager is charged with overseeing. The authority who must approve any given manager's budget is dictated by the organizational hierarchy, which is represented in the system with hierarchical groupings of subunits, departments, and divisions. In the event that a given approver is unavailable for any reason, any authority at a point closer to the top of the hierarchy may issue approvals in his or her stead. When the Director of Transportation is out on childcare leave during budget finalization, it falls to the Assistant VP of Auxiliaries to approve both the Director's discretionary budget and the budgets of her subordinate managers for the Parking Office, the Campus Transit Authority, and the Traffic Control Office.
- Budget Approval for New Department - At that same University, the budgeting system eventually encounters a new interdisciplinary program in Genomics that comprises faculty and staff from a number of different departments spanning multiple schools and colleges. The Program Director submits a budget into the system, but since the program is not part of any officially recognized school or division, the Director's budget is routed all the way to the Provost for approval.
- Employee RIF - An employee is separated from the institution due to a RIF (Reduction In Force) in her department. HR rules require that she retain access to the campus HR portal and to career development resources for 90 days following her separation to facilitate her transition into a new position (whether internal or external). The campus access management system notices her separation and removes her from all active employee groups and roles, thus denying her access to most staff-accessible systems on campus. She is automatically granted specific access to the HR portal and the career center library system for 90 days. At the end of the 90-day grace period, her rights in those two systems automatically expire.
- Inappropriate Purchase with Institutional Funds - An incident involving the possible misuse of a University purchasing card to acquire an item of jewelry is being investigated by Internal Audit. The investigator requests a report from the purchasing system of when and by whom the specific purchase was approved, and finds that the purchase was approved by an administrative assistant with authority to approve purchases only up to $500. The investigator then retrieves a report from the access management system of all privileges previously assigned to the administrative assistant, and finds that on the date the purchase was approved, the employee was granted approval rights up to $5,000 for a period of four hours. The investigator notes in the audit log that the assistant's manager, the Assistant Director of Finance, had granted those rights to her. After further investigation, it is determined that the Assistant Director had granted those rights to her assistant in violation of University regulations, and had then directed her to approve the purchase in an attempt to avoid its being detected by the auditors. Both the Assistant Director and her assistant undergo disciplinary action as a result of the incident.
- Affiliation Transitioning - A staff member in the Accounting office applies for admission to the graduate program in Mathematics and is accepted. Three months into her graduate program, she decides to vacate her position in Accounting and become a full-time graduate student. When she transitions out of her Accounting position, her access rights to the university ledger and other financial accounting systems are revoked automatically, but as a continuing student, her university ID, her university electronic identity, and her common services accounts (email, scheduling, collaborative applications) remain active, as do her student services (access to the campus LMS, access to the Bursar's bill tracking system, etc.).
Academic and Research Use Cases
While many of the use cases we find within business units at our institutions may mirror similar cases in private industry, another collection of use cases is more particular to the higher education sector. The academic use cases exist only in educational contexts, but on thorough inspection, many of them may bear strong resemblance to use cases in other sectors, including the business operations cases outlined above. Here's a sampling of use cases found within research and pedagogy.
- Off-campus Colleague Access to Local Research Results - Professor Smith, of the Department of Pharmacology in the Medical School, is researching the chemistry of snake venom to determine whether certain components of various snakes' venom may be useful in the management of chronic pain. Professor Jones, in the Department of Genetics, has recently completed a mapping of the genome of one particular species of cobra, and after reading an article by Professor Smith on that cobra's venom, offers to share his research results with him. Professor Jones explicitly grants access to his cobra genetics notes in the Genetics Faculty wiki to Professor Smith, who uses Professor Jones' research to further his analysis of the components of the particular cobra's venom.
- Adding a Lab Assistant - A faculty member in the Department of Physics arranges to have one of his better undergraduate students from the previous semester act as a lab assistant for his structural dynamics class. He adds the "lab instructor" role for Physics 108 to the student's profile in the learning management system (LMS) and the student automatically gains access to lab teaching materials and student lab reports for the course.
- TA Grade Access - A university uses its LMS to handle mid-term grade reporting: faculty enter grades for assignments and mid-term quizzes and exams in the LMS, where students can review them online and track their progress until the end of the term. The LMS automatically assigns grade entry privileges to instructors (as identified by the student registration system). Professor Gamow chooses to have one of his graduate students act as TA for his EM Fields course and delegates his grade reporting privileges in the LMS to his student. The student is then able to report grades for students in the EM Fields class within the LMS. When final grades are due, Professor Gamow reports them to the Registrar based on information previously reported in the LMS.
- Resource Owners Managing Access Data - A university's central IT organization operates an authorization service used by all its colleges and schools to manage access rights within a shared faculty management application. Central IT staff find themselves spending increasing time entering role and permission changes on behalf of the schools. Central IT staff use a delegation mechanism built into the authorization facility to grant administrative staff in each School direct access to authorization rules for resources within their Schools, relieving central IT of the workload and distributing decision-making authority to resource owners.
- FERPA Information Restricted - Under federal regulations, certain educational records information about students may be categorized as "directory information" and may be disclosed by institutions without prior consent from students. Students reserve the right under FERPA, however, to have disclosure of their directory information blocked upon request. An undergraduate Engineer becomes concerned that a high-school acquaintance may be stalking her, and wishes to have her contact information (name, address, email address, telephone number) blocked from view. The university considers those data elements to be directory information under FERPA, and discloses them by default. The student visits a FERPA portal system and marks those data elements as FERPA protected information in her records. Subsequently, applications that access student educational information and IdM data about students refuse to allow access to the student's contact information except when the requester is identified as having an academic need to see the information.
- Course Registration Exceptions - A Biomedical Engineering (BME) student in her senior year signs up for Professor Jones' popular seminar on biomedical research ethics. Because she is a BME upperclassman, the registration system allows her to sign up directly. Her roommate, a pre-med student majoring in Public Policy, attempts to sign up for the same course, but because of rules applied to the course in the registration system, the second student's registration for the course is suspended, and the system sends an approval report to Professor Jones. Having spoken with the student beforehand, the professor is prepared for the request, and authorizes it in the registration system. The pre-med student is enrolled in the class.
- Restricted-Blog Access - Professor Pilkey wants to grant access to a blog he maintains about his research into the effects of pollution on shallow-water marine invertebrates to students in his Wetlands Ecology course. The campus IdM system automatically places students in course-specific groups based on their enrollment in specific sections of specific courses. The blogging software supports LDAP-based groups, so Professor Pilkey grants access to his blog to the members of the "ECO 212 Students" group.
- Course Deadline Extended - A student in Dr. Schonfeld's Ordinary Differential Equations course is unable to attend the final exam due to an authorized absence (a death in her family). Professor Schonfeld has removed access in the LMS to her class notes for the prior semester's students, since the semester is at an end, but she makes an exception for the student at the request of the Dean, and grants her access to the course space in the LMS for an additional week in order to complete studying for the make-up exam. One week later, the student's access is automatically removed by the system.
- Career Services - Career Counseling Services arranges to have an online course in effective interviewing techniques made available to students who meet specific criteria: those who are expected to graduate within one year and who are in degree-seeking programs (part-time and inter-institutional students are excluded). The vendor providing the online course materials requires that the center make a good faith effort to limit access to those students. The center arranges to grant access to any student whose expected date of graduation is less than one year in the future and whose identity information indicates she is a full-time student.
- Adding TA Access to Course Dropbox - In a shared filespace, a faculty member desires to grant read access to course materials to both his students and his TAs, write-only access to a dropbox for his students, and read-only access to the dropbox for his TAs. The file server consumes group information from the identity management system to enable the faculty member to grant read access to the course materials for his students, but because only the faculty member knows the identity of his TAs, he manually adds the TAs one by one to an access whitelist for the shared filespace.
- Faculty Survey Access - A faculty member in Education working for the Provost's office on a multi-year effort to enhance undergraduate instruction is researching the effectiveness of different pedagogical strategies in the teaching of new foreign languages to non-language majors. He develops a survey which he wants instructors teaching introductory language classes in all foreign language departments to respond to. He grants permission to access the survey to faculty members and graduate students identified as instructors in at least one section of a 0-level foreign language course. The Registrar later grants him access to depersonalized grade information from 0-level foreign language classes to complete his research.
- Approval of Faculty Promotions - A web-based faculty management and promotion system needs to grant access to faculty CVs and evaluations in a way that reflects the institutional academic hierarchy. Professor Jones is both an instructor in the department of Microbiology and the Chair of the department. As a department chair, Professor Jones has access both to his own CV and to the CVs and evaluations of all faculty within the department. Professor Johnson is the Dean of Basic Sciences, and teaching faculty in the Anatomy department. Because Microbiology is part of the Division of Basic Sciences, Dean Johnson has access to Professor Jones' CV and evaluation reports, as well as to all the CVs and evaluations of faculty in Microbiology and other departments within the division. She has access to her own CV as a faculty member, but not to the CVs of faculty in other parts of the School of Medicine. Dean Hillard is the Dean of Medicine, and has access to all faculty information in the School.
- Access to Course Resources - Professor Hausmann teaches four sections of Basic Anatomy in the Medical School, one of which is cross-listed in Comparative Biology and co-taught by Professor Biggs. In conjunction with an LMS system, the university provides shared filespace for instructors to use in their courses. By default, instructors are given one shared directory for each course they teach and one subdirectory for each section of each course. Professor Hausmann is granted full privileges in a top-level shared directory for his Basic Anatomy course (BA4401) and in subdirectories for each of the four sections of the course (BA4401S1 through BA4401S4). Students in each section are given read access to the BA4401 directory and to their individual sectional subdirectories, but not to other sectional subdirectories. Professor Biggs is automatically granted full access to the BA4401S4 subdirectory, which is also referenced through a filesystem link as CBIO410S1. Students enrolled in the cross list have access to the one subdirectory and the BA4401 super-directory.
- Requisite Training for Lab Access - A new graduate student matriculates in Biochemistry and as a result is granted card access to the Chemistry and Biology buildings and all departmental areas except a Class 2 pathogen lab in the basement of the Biology building. Access to that lab is contingent upon completion of a rigorous course in safe handling of Class 2 human pathogens and the operation of the lab's safety equipment. The graduate student completes the course a week after matriculation and once the occupational health and safety office updates his IdM information to indicate that he is in compliance with the requirement, his card grants him access to the lab automatically. Six months later, his compliance comes due for renewal, and he's notified that he must complete a refresher course to continue his access to the lab. Having completed the only course involving use of the Class 2 lab he plans to take, he chooses not to renew his certification, and as it lapses, his card access to the lab is revoked.
- Student Registration Glitch - Professor Stedman's Marketing 304 course culminates in a final project which is to be submitted electronically by each student no later than 5pm on the last day of class. A student in the class fails to submit his final project on time and reports that he was denied access to the class dropbox when he attempted to submit his assignment. The instructor is suspicious and retrieves audit logs from the LMS which indicate that the student was indeed denied access to the dropbox at 4:45 on the appointed day. Enlisting the assistance of his IT support staff, Professor Stedman finds that the student was removed from the Marketing 304 Student group that morning, and reinstated in the group the following morning. Further investigation by the IT staff determines that a failure in the university registration system had caused truncation of the student list for Marketing 304 and caused the student in question to be errantly reported as not enrolled in the course for approximately 24 hours. In light of these facts, Professor Stedman grants the student an extension and allows the student to submit his final project for full credit.
- Colleague Submitting Grades for Another - Professor Jones in the School of Engineering is planning to attend an IEEE event in Switzerland and will be unavailable for three weeks at the end of the semester. She has arranged to have final grades for all of her students completed prior to her departure, but due to restrictions set by the Registrar's grade reporting system, she can't enter the grades officially until after the semester ends. She arranges for a colleague (Professor Wilson) to enter her grades for her, and in order to enable this, transfers her rights with respect to her Signals course to her colleague, limiting the transfer to the specific range of dates during which she will be in Switzerland. When the time comes for grade reporting Professor Wilson is able to post Professor Jones' Signals grades on her behalf. Three weeks later, Professor Wilson accidentally attempts to open Professor Jones' grade report for her Signals class and is denied access by the grading system, since Professor Jones' transfer of authority has expired.
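The time-bounded delegation in the Jones/Wilson story, modelled as an added example (not code from the original page or from any real grading system): the instructor of record can lend grade-posting rights for one course and one date window, the delegate's access lapses automatically after the window, and a delegate cannot pass the right on. Names, course ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Added example (not from the original page): a small grade-reporting
# authorization model with a time-bounded delegation, following the Professor
# Jones / Professor Wilson story. Names, course ids and dates are constructed.

@dataclass(frozen=True)
class Delegation:
    grantor: str   # instructor of record lending the right
    delegate: str  # colleague receiving it
    course: str    # scope: a single course section
    start: date    # first day the delegation is valid
    end: date      # last day the delegation is valid (inclusive)

    def active_on(self, day: date) -> bool:
        return self.start <= day <= self.end

class GradeAuthz:
    def __init__(self) -> None:
        self.instructors: dict[str, set[str]] = {}  # course -> instructors of record
        self.delegations: list[Delegation] = []

    def add_instructor(self, course: str, user: str) -> None:
        self.instructors.setdefault(course, set()).add(user)

    def delegate(self, grantor: str, delegate: str, course: str,
                 start: date, end: date) -> None:
        # Only an instructor of record may delegate, and only her own course.
        # A delegate gains no instructor status, so delegation is not transitive.
        if grantor not in self.instructors.get(course, set()):
            raise PermissionError(f"{grantor} is not instructor of record for {course}")
        self.delegations.append(Delegation(grantor, delegate, course, start, end))

    def may_post_grades(self, user: str, course: str, day: date) -> bool:
        if user in self.instructors.get(course, set()):
            return True
        return any(d.delegate == user and d.course == course and d.active_on(day)
                   for d in self.delegations)

def scenario() -> dict[str, bool]:
    """Replay the use case and return each access decision."""
    authz = GradeAuthz()
    course = "EE-310 Signals"
    authz.add_instructor(course, "jones")
    # Jones is away 6-26 May (constructed dates); grades post inside that window.
    authz.delegate("jones", "wilson", course, date(2024, 5, 6), date(2024, 5, 26))
    try:  # a delegate cannot pass the right on to someone else
        authz.delegate("wilson", "smith", course, date(2024, 5, 6), date(2024, 5, 26))
        redelegation_refused = False
    except PermissionError:
        redelegation_refused = True
    return {
        "wilson_during_window": authz.may_post_grades("wilson", course, date(2024, 5, 20)),
        "wilson_before_window": authz.may_post_grades("wilson", course, date(2024, 5, 1)),
        "wilson_three_weeks_later": authz.may_post_grades("wilson", course, date(2024, 6, 16)),
        "wilson_other_course": authz.may_post_grades("wilson", "EE-320 Circuits", date(2024, 5, 20)),
        "jones_always": authz.may_post_grades("jones", course, date(2024, 9, 1)),
        "redelegation_refused": redelegation_refused,
    }
```

The expiry is evaluated at each access, so no clean-up job is needed for the delegate's rights to lapse; an audit sweep over `delegations` would still be the place to report windows that are still open.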
- Pre-hire vs. Post-Hire Affiliation - Normal HR processes ensure that new employees and faculty are automatically provisioned with electronic identities and granted appropriate access to services based on their roles within the organization on the morning of their first official day at work. Dr. Zalib Bentha is the world's foremost authority on the lasing behavior of gallium-based solid-state lasers, and has just accepted a position in the Electrical and Computer Engineering department at the University. His effective date in the position is six months hence, but because of the importance of his hiring to the School of Engineering and his interest in beginning to build collaborations before his arrival, the Dean of the School makes an urgent request to have soon-to-be Professor Bentha provisioned for access to the University e-mail system and the School's collaborative wiki system. Staff in the electronic access management group follow a pre-defined procedure to enroll Dr. Bentha in the University identity management system as a special "pre-hire affiliate". He is automatically issued an electronic ID, but is not populated in any specific user groups. His pre-hire status grants him automatic access to and provisioning for the University email system, but does not give him access to departmental resources. As part of the pre-hire workflow, the Dean's office is notified when Dr. Bentha's identity is created, and staff in the Dean's office explicitly grant him access to the Engineering wiki system. Six months later, when Professor Bentha begins his tenure at the school, the normal HR process adds him to various faculty groups and removes his pre-hire affiliate status and associated "special" privileges. The Professor arrives on his first day in the department and sees no interruption in his existing access to services.
- Delegated Directory Administration - Bill is one of three IT administrators in the Department of Chemistry within the College of Arts and Sciences. As part of his departmental duties, he manages both Windows-based desktops on faculty and graduate student desks and a cluster of Windows-based fileservers. His systems are all joined to an enterprise Active Directory domain which also incorporates user objects for all the university affiliates in the enterprise identity management system. Due to disk space exhaustion, Bill needs to relocate the home directories of roughly half of his faculty from their current fileserver to a new fileserver. He migrates the relevant data, and then needs to update attribute information in the enterprise AD regarding the path to his faculty members' home directories. His status as an IT admin in the department confers on him the ability to update the homeDirectory and homeDrive attributes for users in his departmental OU within the central AD, and he successfully updates his faculty members' information using standard Microsoft tools. Later, when Bill mistakenly attempts to update one of his faculty member's msExchHomeServerName values, he is prevented from saving the change, since his rights as an IT administrator in the department do not extend to overriding the campus IDM system's selection of an Exchange home server for his users. Still later, while Bill is vacationing in the Swiss Alps, his departmental fileserver is destroyed in a machine room mishap, and the faculty whose home directories were moved must be restored from tape to yet another server. In Bill's absence, Patrick, who works for the College's IT administration, is able to use his college-wide privileges as an IT admin to update the same homeDirectory and homeDrive attributes for Bill's faculty. When, upon his return from Switzerland, Bill takes a position as a departmental support manager in another department, his privileges regarding Chemistry faculty attributes are automatically revoked.
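The authorization pattern behind the Bill/Patrick story, as an added example that is not code from the original page: each grant names an administrator, the OU subtree it covers, and the attributes it permits, so a departmental admin can write homeDirectory and homeDrive for his own OU but not msExchHomeServerName, a college-level grant covers every department beneath it, and dropping the grant ends the access. This is a model of what an Active Directory delegation achieves, not AD code; the DNs, names and grants are constructed.

```python
from dataclasses import dataclass

# Added example (not from the original page): a model of OU-scoped,
# attribute-level write delegation in a central directory, following the
# Bill / Patrick story. It mimics the effect of an AD delegation (ACEs on an
# OU granting "Write Property" for named attributes) but is not AD code;
# DNs, names and grants are constructed for illustration.

def rdns(dn: str) -> list[str]:
    # Split a DN into normalized RDNs. Simplification: no escaped commas.
    return [part.strip().lower() for part in dn.split(",")]

def in_subtree(object_dn: str, container_dn: str) -> bool:
    """True if object_dn lies at or below container_dn (RDN suffix match)."""
    obj, cont = rdns(object_dn), rdns(container_dn)
    return len(obj) >= len(cont) and obj[-len(cont):] == cont

@dataclass(frozen=True)
class WriteGrant:
    admin: str
    container_dn: str          # OU whose subtree the grant covers
    attributes: frozenset      # attribute names the admin may write (lower-case)

class Directory:
    def __init__(self) -> None:
        self.grants: set[WriteGrant] = set()

    def grant(self, admin: str, container_dn: str, *attributes: str) -> None:
        self.grants.add(WriteGrant(admin, container_dn,
                                   frozenset(a.lower() for a in attributes)))

    def revoke_all(self, admin: str) -> None:
        # e.g. triggered when the admin's departmental role ends
        self.grants = {g for g in self.grants if g.admin != admin}

    def may_write(self, admin: str, user_dn: str, attribute: str) -> bool:
        attr = attribute.lower()
        return any(g.admin == admin and attr in g.attributes
                   and in_subtree(user_dn, g.container_dn) for g in self.grants)

def scenario() -> dict[str, bool]:
    college = "OU=Arts and Sciences,DC=univ,DC=example"
    chem = "OU=Chemistry," + college
    prof = "CN=Prof A,OU=Faculty," + chem
    d = Directory()
    d.grant("bill", chem, "homeDirectory", "homeDrive")        # departmental admin
    d.grant("patrick", college, "homeDirectory", "homeDrive")  # college-wide admin
    out = {
        "bill_homeDirectory": d.may_write("bill", prof, "homeDirectory"),
        "bill_exchange_server": d.may_write("bill", prof, "msExchHomeServerName"),
        "patrick_college_wide": d.may_write("patrick", prof, "homeDrive"),
        "bill_other_dept": d.may_write("bill", "CN=Prof B,OU=Physics," + college, "homeDrive"),
    }
    d.revoke_all("bill")  # Bill takes a post in another department
    out["bill_after_move"] = d.may_write("bill", prof, "homeDirectory")
    return out
```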
Residential Life Use Cases
Many of the challenges we encounter in both identity management and access management inside higher ed grow out of the interplay between the different (and sometimes conflicting) relationships our constituents may have with our organizations. Students can also be employees; faculty may also be tenants. One place where these kinds of issues often arise is in the Office of Residential Life. Here are some exemplary use cases:
- Special Access by Student Employees - The Undergraduate Housing office employs a small number of work-study students each semester as aides during the undergraduate housing lottery. Their job is to enter information from paper forms submitted during the lottery process by other students into the online room assignment system. Under normal circumstances, first-year students are blocked from accessing the online room assignment system until the second week of the housing lottery in order to give upperclassmen priority for housing selection. Gina is a first-year work-study student hired to work during the housing lottery in the Spring semester. A privileging system detects that while she is a first-year student, she has been designated a Housing employee for the three weeks of the lottery, and grants her early access to the room assignment application. Her supervisor takes responsibility for ensuring that she does not abuse her privileges to assign herself a room before it is appropriate for her to do so.
- Dorm Access for Residential Advisers - For reasons of safety and security, access to student housing on the main campus of the university is tightly controlled. Dormitory doors are magnetically locked and protected with ID card readers wired to the university's "UniCard" system. Between 8am and 10pm daily, all student ID cards will open all exterior dormitory doors, but between 10pm and 8am, access is restricted to those students living in each dorm. Residential Advisers (RAs) constitute a special case, in that they require 24x7 access to multiple dorms within the residential quad in which they reside. When John encounters a family crisis and decides to take a mid-semester leave of absence, Residential Life arranges to make Richard the RA for the North Campus quad. Res Life staff identify Richard as an RA in their housing system, and based on information in the housing system regarding the location of his room on campus, a privileging system grants Richard 24x7 access not only to his own dormitory but also to the five other dormitories in his quad. When the Registrar places John on leave of absence in the registration system, the privileging system recognizes that his special access is no longer valid, and revokes his RA privileges.
Library Use Cases
One of the abiding features of higher ed organizations is our dependence upon and close collaboration with librarians. Libraries introduce a number of somewhat unique use cases for access management - they, perhaps more than any other groups with whom we interact - are sensitive not only to security but also to privacy. While their details can be quite unique, some of the basic features of library use cases may be similar to those from other areas of interest. Here are some demonstrative use cases from the library environment:
- Temporary Privileges for External Patrons - Jake is an art historian living in town and working for a local art dealer, where he authenticates 18th century paintings for the dealership. The University library happens to have in its rare book holdings the most authoritative reference (written in the 1880's) on the works of an obscure Viennese artist of the mid 1750's, one of whose better-known works is being offered at auction. Jake suspects that the painting may be a forgery, but needs to verify some facts in the authoritative reference. He contacts the University library, and finds that while the library is pleased to offer on-site access to its public stacks to casual patrons, access to the library's rare book room is more constrained. Jake visits the library's reference desk and is issued a temporary patron card. The reference librarian adds the patron ID associated with the card to a rare book reader group through her desktop client. Jake uses the card to access the rare book stacks, and is able to find that in fact the painting is authentic. When he returns his temporary patron card to the reference desk later in the day, the reference librarian revokes that patron ID's rare book access privileges.
- Professional Organizations and Federations - A librarian at the college's main library agrees to proctor a survey on behalf of the American Library Association (ALA) of higher ed librarians. The survey seeks to gather information about successful and unsuccessful strategies for managing electronic periodical subscriptions. The survey is intended to target a specific audience - librarians within higher ed who are themselves members of the ALA. Membership in the ALA can only be authoritatively asserted by the ALA itself, while affiliation with colleges and universities can only be authoritatively asserted by those colleges and universities. Fortunately, the ALA is party to an identity federation in which hundreds of higher ed institutions participate. The ALA sets up a web-based survey application using federated SSO services that allows librarians working at institutions within the federation to authenticate through their "home" organizations and gain access to the web application. The web application subsequently determines whether to grant them access to the survey itself based on the status of their membership in the ALA (as determined by direct inspection of the ALA's membership roster).
- Anonymized Access to Resources - Another librarian at the same institution is establishing a new collection of electronic documents pertaining to recently declassified information about the US response to terrorism during the late 20th century. The artifacts in the collection are to be made available for online interlibrary access to faculty and graduate students at colleges in the tri-state area surrounding the university. Although the material is declassified, there is significant concern about the privacy of individuals who may wish to access it. The university participates in an identity federation that encompasses the tri-state area. The librarian arranges to have access to the new electronic collection protected by a federated identity system that allows patrons to authenticate at their "home" institutions within the federation and access materials at the university. He arranges to request only the necessary information about patrons from their home institutions - scoped affiliation information sufficient to distinguish between students and faculty at participating institutions and other individuals, but not sufficient to identify the individuals uniquely, thus protecting the anonymity of users without allowing unauthorized access to the collection.
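The minimal-release arrangement in the anonymized-collection story, as an added example that is not code from the original page or from any federation software: the home institution's release policy lets only scoped affiliation reach the collection's service provider, and the service provider decides on affiliation and scope alone, so it never holds an identifier that would name the patron. Attribute names follow the eduPerson schema; the entity ids, federation scopes and user records are constructed.

```python
# Added example (not from the original page): a model of the attribute
# release and access decision in the anonymized-collection story. The IdP
# side releases only scoped affiliation to the collection's service provider,
# and the SP admits on affiliation and scope alone. Attribute names follow
# eduPerson; the entity ids, federation scopes and user records are constructed.

# IdP policy: which attributes each relying party may receive.
RELEASE_POLICY = {
    "https://collection.univ.example/sp": {"eduPersonScopedAffiliation"},
    "https://lms.univ.example/sp": {"eduPersonPrincipalName", "mail",
                                    "eduPersonScopedAffiliation"},
}

# Home institutions in the (constructed) tri-state federation.
FEDERATION_SCOPES = {"univ.example", "college-a.example", "college-b.example"}

# Affiliations the collection admits. eduPersonAffiliation has no
# graduate/undergraduate split, so "student" stands in for graduate students.
ADMITTED = {"faculty", "student"}


def release(user: dict, sp_entity_id: str) -> dict:
    """IdP side: keep only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {k: v for k, v in user.items() if k in allowed}


def parse_scoped(value: str) -> tuple[str, str]:
    affiliation, sep, scope = value.partition("@")
    if not sep or not affiliation or not scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    return affiliation.lower(), scope.lower()


def sp_decision(attrs: dict) -> bool:
    """SP side: admit on affiliation and scope; no unique identifier is needed.
    A production SP would also check, via federation metadata, that the
    asserting IdP is authorized for the scope it asserts; omitted here."""
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, scope = parse_scoped(value)
        if affiliation in ADMITTED and scope in FEDERATION_SCOPES:
            return True
    return False


def scenario() -> dict:
    faculty = {"eduPersonPrincipalName": "jdoe@univ.example", "mail": "jdoe@univ.example",
               "eduPersonScopedAffiliation": ["faculty@univ.example", "member@univ.example"]}
    staff_elsewhere = {"eduPersonPrincipalName": "x@college-a.example",
                       "eduPersonScopedAffiliation": ["staff@college-a.example"]}
    student_outside = {"eduPersonScopedAffiliation": ["student@other.example"]}
    sp = "https://collection.univ.example/sp"
    released = release(faculty, sp)
    return {
        "released_keys": sorted(released),  # only scoped affiliation leaves the IdP
        "faculty_admitted": sp_decision(released),
        "staff_refused": not sp_decision(release(staff_elsewhere, sp)),
        "outside_scope_refused": not sp_decision(release(student_outside, sp)),
    }
```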
Medical Center Use Cases
University medical centers and hospitals bring a number of unique use cases into the picture, in part due to the constraints imposed by HIPAA, and in part due to the unique interaction between medical researchers and medical practitioners that can arise in academic medical settings. Even though the constraints may be different, many of these use cases bear striking resemblance, at their heart, to non-medical use cases outlined above. Below are a few use cases from the medical environment for comparison:
- Chart Access by Consulting Physician - Hospital rules interpret HIPAA privacy regulations to dictate that only those medical staff and faculty directly involved in the care of an individual patient should have access to view that patient's medical records during treatment. Faculty in the medical school may have access to depersonalized medical data for purposes of research and instruction, but may only view personally identifiable medical information if referred a patient by an attending physician. An attending physician in the ER is treating a patient with symptoms of West Nile viral infection, and needs a consultation from an Infectious Disease specialist in the Medical School. The attending initiates a consultation and referral process which grants the ID specialist temporary access to view the patient's medical records. Once the consultation is complete, the ID specialist's access is revoked automatically.
- Nurse Changing Departments - Patient care needs require that all nurses working in Orthopedics have access to Ortho patients' medical records. When Nurse Mills moves from the day shift in Physical Therapy to the night shift in Orthopedics, a nursing supervisor adds the "Ortho Nurse" role to her profile in the medical records system, granting her appropriate access for her new role. The shift supervisor in PT likewise removes the "PT Nurse" role from her profile, removing any rights she was granted during her time on the day shift. When Mr. M. is admitted to Orthopedics after presenting in the ER with a fractured pelvis, his admission to Orthopedics automatically grants Nurse Mills access to his medical records.
- Drug Restocking Approval - Nurse Wilson notices during a routine inventory review that the Oncology ward's drug cabinet is running low on a particular anti-emetic drug. The anti-emetic is a scheduled substance, so her request to the Pharmacy for restocking requires approval by both her supervisor and an attending physician in Oncology. The Pharmacy system detects the approval requirement and routes the request to the head Oncology nurse, then to the on-call Oncologist for approval before filling the order.
- New Nurse Access/OnBoarding - Sarah is in the process of being onboarded as a new nurse in the Emergency department when a major industrial accident is reported in the area. Since the university medical center is the main trauma center for the region, an "all hands" call is placed for emergency medical staff to handle the expected increase in patient volume. The new nurse is on-site and prepared to provide support, but the university privileging system has not yet activated her access to hospital records and pharmacy systems, pending a scheduled overnight batch process. The head nurse on duty in ER logs into the privileging system and explicitly grants temporary access to both systems to Sarah, overriding the normal system workflow. Later, when the batch process executes, additional privileges are afforded to the new nurse in keeping with her position, and the head nurse's override is removed.
Guests and other Non-Traditional Affiliates Use Cases
Some use cases may cross multiple areas of interest. One very common group of situations involves the need to grant access to some organizational resource to guest users or to non-traditional affiliates. Note the similarity to some of the "embedded" use cases in the groupings above:
- Temporary Network Access for Guests - A university offers wireless access to all its official affiliates through a web-based registration system that requires authentication against the institutional SSO system. A number of non-traditional affiliates and guests, however, need to be granted access to the wireless network during their stays on campus, but since they are not tracked by the central university identity management system, they cannot use the wireless registration mechanism. A separate application is devised that allows specific individuals within recognized "gateway" units on campus (the Library, the International House, the Faculty Club, and the Office of Residential Life) to authorize guests for special guest access to the wireless network. These individuals act as registrars for the guests they authorize, registering them in a guest access system. The web interface allows registrars to review, add and remove guests from their lists of "approved" guest network users. The guests then have access to an alternative web interface that allows them to register their wireless devices for access via the guest wireless network.
- Temporary Accreditation Committee Access - An institutional curriculum committee is convened every five years by the Provost to review the curricula of the disparate Schools and make adjustments to align curricula with changes in institutional focus and/or new pedagogical goals and strategies. The committee meets in camera twice monthly for a 12 month term each time it is convened. Only the committee's final report is made public - minutes of its sessions and communications between the committee members are made available only to members of the committee, the Provost, and the Chancellor through a secure wiki. Every ten years, an external accreditation committee visits campus to conduct a review for the university's reaccreditation, and as part of its effort requires access to the minutes of the curriculum committee's meetings. The accreditation committee comprises faculty and administrators from a number of peer institutions, none of whom are affiliated with the university in other ways. Accreditation committee members are granted "ex officio" identities which are then granted access to the curriculum committee's meeting minutes in the secure wiki. The ex officio identities are revoked once the accreditation committee's final report is delivered.