Case Study: Identity Management in Higher Education
- Location: USA
- Recognition: one of U.S. News & World Report's top public universities, globally recognized as a premier research university
- Population: 15,000+ students, local and remote faculty/staff, research partners (academic and corporate)
- Number of Users: Site license (750,000 users)
- Target Applications: dozens of target directories and applications (multiple authoritative sources) including Banner and Oracle-PeopleSoft
PRIMARY MARKET DRIVER(S)
- Improve service levels to students and departments
- This university has many IT organizations within academic, research, and administrative departments, in addition to the central IT organization. Student and staff identity information was independently maintained across these IT organizations without synchronization or orchestration between the IT departments. Specifically, there was no simple method to grant or remove access as central or departmental identity information changed, nor any method to tie each user to their accounts across IT departments and to quickly audit who could access each account. Problems included:
- high costs to manage user information
- loss of productivity due to provisioning delays
- user frustration due to inconsistent access to computing resources
The university’s project objectives were to:
- improve cost effectiveness and security using centralized identity management tools with both identity policies and service administration that can be delegated to each department
- improve user access to resources and security by ensuring that each department’s directories and applications have the most current identity information available
- allow each department to continue to have complete control over maintaining their identity data and controlling authorizations
- The central IT organization implemented Fischer Provisioning to create an enterprise directory (ED) for both central and departmental enterprise directory data. The ED was put in place to provide consistent data to departmental and central functional and identity applications. It includes a Fedora directory containing attributes for all accounts and their owners – students, employees, alumni, guests, applicants, etc. IT departments may choose to use this centralized service as their identity store to drive their own departmental account creation and modification activities.
- Specifically, events triggered by authoritative sources (e.g., Banner and PeopleSoft) and directory changes made by central or departmental applications are detected in real time by Fischer Provisioning. Fischer automates each department's provisioning policies for creating and updating departmental affiliations as well as updating the master directory, independently of where the actual accounts reside.
- Fischer Provisioning processes up to 100,000 provisioning transactions daily and manages over 1.4M objects in the ED.
- Achieved the intended business results while minimizing administrative effort and cost (workflow flexibility): for example, at the end of a term, a single workflow is triggered that revokes badge access to lab and classroom doors, yet allows students to continue to access their dorm, libraries, and other facilities for an extended period.
- Inter-departmental synergies for productivity, risk mitigation, cost reduction, increased service levels, and improved transparency, all without compromising departmental IT business processes or autonomy.
- Facilitates collaboration between research communities, and enhances the university’s learning environment by improving access to the university’s scientific and technological knowledge base
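As an added illustration (not Fischer's or the university's code), the following Python models the event-driven policy described above: the effective affiliation is resolved from several authoritative sources by precedence, and a single term-end event revokes lab and classroom door access immediately while dorm and library access survive for a grace period. The entitlement names, grace periods and source precedence are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed policy (an assumption, not the university's real rules): per affiliation,
# the entitlements granted and the grace period in days each survives a term-end event.
GRACE_DAYS = {
    "student": {"lab_door": 0, "classroom_door": 0, "dorm_door": 30, "library": 90},
    "employee": {"classroom_door": 0, "library": 365},
}
SOURCE_PRECEDENCE = ("peoplesoft", "banner")  # constructed: first listed source wins
@dataclass
class Identity:
    uid: str
    affiliations: dict                          # authoritative source -> affiliation
    access: dict = field(default_factory=dict)  # entitlement -> expiry date, None = open

def resolve_affiliation(ident):
    """Affiliation asserted by the highest-precedence source that knows this user."""
    for src in SOURCE_PRECEDENCE:
        if src in ident.affiliations:
            return ident.affiliations[src]
    return None

def grant_affiliation_access(ident):
    """Provisioning event: grant the effective affiliation's entitlements, no expiry."""
    for ent in GRACE_DAYS.get(resolve_affiliation(ident), {}):
        ident.access.setdefault(ent, None)

def term_end_workflow(ident, end):
    """Term-end event: revoke zero-grace entitlements now, stamp an expiry on the rest.
    Entitlements the policy never mentions are revoked too (least privilege)."""
    policy = GRACE_DAYS.get(resolve_affiliation(ident), {})
    revoked = set()
    for ent in list(ident.access):
        days = policy.get(ent, 0)
        if days == 0:
            del ident.access[ent]
            revoked.add(ent)
        else:
            ident.access[ent] = end + timedelta(days=days)
    return revoked

def active_access(ident, today):
    """Entitlements still valid today; anything no longer listed must be deprovisioned."""
    return {e for e, exp in ident.access.items() if exp is None or today <= exp}

def demo():
    """Constructed sample: Banner says student; the term ended on 2024-05-15."""
    s = Identity("u123", {"banner": "student"})
    grant_affiliation_access(s)
    revoked = sorted(term_end_workflow(s, date(2024, 5, 15)))
    still = {m: sorted(active_access(s, date(2024, m, 1))) for m in (6, 7, 9)}
    return revoked, still
```

In a real deployment the expiry dates would drive a scheduled deprovisioning job against each department's directory, and the revoked set would be written to an audit log so that "who could access each account" stays answerable.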
WHY FISCHER WAS SELECTED
- Evaluation period: 1.5 years
- Participants: Multiple vendors were initially evaluated. Fischer and three other vendors performed POCs.
- Determining factors that led to Fischer's selection were:
- Productivity of IAM personnel when tackling challenging problems: e.g., ability to model complex business processes without undue programming contortions.
- Controlled Roll-Out: modularity of IAM system including separation of data sources, authorizing rules, provisioning, and directory services functionality was especially important.
- Ability for a single workflow to resolve events from multiple authoritative sources and dynamically determine precedence.
- Ease and speed of propagating changes throughout the directory.
- Delegated Administration: ability to eventually put the IAM tools directly in the hands of IT departments.
- Holistic Design: all capabilities, e.g., LDAP, RDBMS, SSH, Logic, invokable throughout product, not just in select areas.
- Vendor Integrity: no-nonsense communication about product capabilities, commitment to enhance per university’s requirements.
- Pricing: straightforward pricing model.
- “Relative to other vendors, Fischer was much more ready to address the university’s needs and the resulting productivity was immeasurably higher.”
- “With Fischer, a rather complex problem can be addressed with a fairly straight-line approach.”
- “We're offering Identity Management services in a very unique, hosted way. Only Fischer could tackle our problem as we needed in its customer-usable, standard, and productized form.”