Novell® Identity Manager: It’s Not Just about Identity Management Anymore!
Steve Whicker, Manager – Security Compliance, AHIS – Central Region, St Vincent, [email protected]
Sarah Hetrick, Sr Technical Engineer, AHIS – Central Region, St Vincent, [email protected]
© Novell, Inc. All rights reserved.2
Identity Management Goals at St. Vincent Health
• Enable regulatory compliance (HIPAA) and internal controls in IS security processes
• Reduce operating costs through user account provisioning (process automation) and sharing common infrastructure components
• Decrease corporate exposure by reducing the risk of unauthorized access to data and automating enforcement of security policy
• Improve associate satisfaction by automating online HR benefits management
• Improve data integrity by decreasing duplicative identity data stores and manual data entry processes
• Improve the quality of services provided by IS
St. Vincent Health’s Identity Management Drivers
Regulatory Compliance
• HIPAA
  – Unique user identification requirements
  – Access Control Requirements
  – Auditing Requirements
  – Minimum Necessary Requirements
Security
• Enterprise Role-based Access Control (RBAC) model
• Auditing / Reporting
• Automate Manual Security Policies
• Automate Identity Management (Create, Modify, Delete)
• Automate Roles Based Access Control
• Automate Workflow Approval, Denial
Efficiency / Cost
• Reduce Manual Admin via automated account provisioning
• Manage online HR Benefits
• Set up Foundation for Expanded Services
• Improve Data Accuracy
• Leverage Current Investments
• Provide Password Reset Self Service
Where We Started (July 2005)
• Four separate networks (Indianapolis, Frankfort, Anderson, Kokomo)
• Two separate and overlapping access request processes for identity and access management (ID Request & IS Request) made it difficult to centrally manage access requests and change logs
• Identity creation and management was a manual process
• No centralized process to document request completion
• No formal validation process to verify the authenticity of requesting manager
• Multiple touch points (Network Administrator and Application support personnel) for creation of Login ID for an individual user
• De-provisioning process was not consistently followed
• No user entitlement matrix existed
Our Identity Management Roadmap
Governance, Organizational Change Management and Communication
Roadmap phases:
• Directory Infrastructure Readiness
• Enhanced Provisioning Design and Implementation
• Auditing and Reporting
• Role Based Provisioning Design and Implementation
• Business and Ongoing Support
Roadmap activities:
• Implement Universal Password
• Upgrade Existing Drivers to IdM2
• Enable Bi-Directional Creates
• Upgrade NT Domains to AD
• Consolidate File Services Trees
• Identify Audit Needs
• Design Auditing and Reporting
• Audit Logging (enable real time logging with appropriate systems)
• Implement Audit
• Document Identity Management Requirements
• Document Web based Provisioning Workflow Requirements
• Design Enhanced Identity Management
• Design Web based Provisioning Workflow
• Enhance Existing Connectors and Implement
• Implement PeopleSoft Connector
• Implement Web Based Provisioning Workflow
• Implement Password Self Service
• Role Definition and Mapping
• Document Role based provisioning requirements
• Design Role based provisioning
• Implement Role based access and provisioning
• Provision users to additional systems
• Skill Assessment
• Process Analysis and Design
• Skills Development and Training
• Ongoing Maintenance and Support
Identity and Request Management Portal
[Architecture diagram: IDV (Identity Management Portal) connected to IND1, STVLDAP, National AD / Exchange (STVNET), Vistar, STVI and the Biztalk DataWarehouse, the connected systems running on Windows hosts]
Hiring Process
Process performed for each application requested
Swim lanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory™ (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications
Start 1
1. HR/manager is notified of new hire (associate / non-associate)
2. HR/manager enters hire data into PS (associate / non-associate)
3. All required attributes are available and PeopleSoft effective date has transpired
4. Is this a new Identity?
   – No: 5b. Go to Modify Users Process Box #4
   – Yes: 5a. Identity Manager determines unique Login ID
6. Identity Manager creates and places the Identity
7. PeopleSoft is updated with Login ID & email address
8a. Identity Manager creates Identity in STVI
8b. Identity Manager creates Identity in SVHLDAP
9. Identity Manager creates Identity in IND1
10. Identity Manager creates Identity in STVNET
11. Identity Manager emails manager of new hire
12. Manager requests additional Apps via WF: Go to Modify Users Process Box #10b
13. Identity Manager generates workflow & email notification for default applications per rules
14. WF approved by approver?
   – Yes for connected system: 15a. Create new user account automatically
   – Yes for non-connected system: 15b. Application support checks queue
16. Application support determines access rights
17. Application support creates Identity and access rights
18. Application support approves WF
19. Workflow generates email notifications
20. User and Manager receive notification that application has been granted
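The automated part of this flow (steps 3 through 15) is easiest to reason about as code. The following Python model is an added example, not code from the presentation or from Novell Identity Manager: it checks that the hire record is complete and effective, decides whether an identity already exists, derives a unique login ID across every connected directory, creates the identity in each, and routes default applications either to automatic creation or to an application-support workflow queue. The directory names come from the slide; the in-memory stores, the `employee_id` match key, the "first initial + surname + number" naming rule, the `example.invalid` mail domain and the `ClinicalApp` placeholder are all assumptions made for the example.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date

# Directory names are taken from the slide; the in-memory stores are constructed for this example.
CONNECTED_SYSTEMS = ("IDV", "STVI", "SVHLDAP", "IND1", "STVNET")
REQUIRED_ATTRS = ("first_name", "last_name", "employee_id", "effective_date")


@dataclass
class Directory:
    """Tiny stand-in for one directory (eDirectory or AD): maps login ID to attributes."""
    name: str
    users: dict = field(default_factory=dict)

    def exists(self, login_id):
        return login_id in self.users

    def create(self, login_id, attrs):
        self.users[login_id] = dict(attrs)


def ready_for_provisioning(hire, today):
    """Step 3: every required attribute is present and the effective date has passed."""
    missing = [a for a in REQUIRED_ATTRS if not hire.get(a)]
    if missing:
        return False, "missing attributes: " + ", ".join(missing)
    if date.fromisoformat(hire["effective_date"]) > today:
        return False, "effective date not reached"
    return True, "ok"


def _ascii_letters(text):
    """Fold accents and drop anything that is not a-z (part of the assumed naming rule)."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower())


def find_existing(hire, directories):
    """Step 4: the identity already exists if any directory holds this employee_id (assumed match key)."""
    for d in directories.values():
        for login_id, attrs in d.users.items():
            if attrs.get("employee_id") == hire["employee_id"]:
                return login_id
    return None


def unique_login_id(hire, directories):
    """Step 5a: first initial + surname, numeric suffix until no connected directory has it.

    The naming scheme is an assumption; the slide only says a unique login ID is determined.
    """
    base = (_ascii_letters(hire["first_name"])[:1] + _ascii_letters(hire["last_name"]))[:8]
    candidate, n = base, 1
    while any(d.exists(candidate) for d in directories.values()):
        n += 1
        candidate = f"{base}{n}"
    return candidate


def provision_new_hire(hire, directories, default_apps, today_iso):
    """Steps 3-15 of the hiring flow; returns the outcome plus an audit trail of actions taken."""
    ok, reason = ready_for_provisioning(hire, date.fromisoformat(today_iso))
    if not ok:
        return {"status": "waiting", "reason": reason, "trail": []}
    existing = find_existing(hire, directories)
    if existing is not None:
        return {"status": "modify", "login_id": existing,
                "trail": ["5b: existing identity, routed to Modify Users process"]}
    login_id = unique_login_id(hire, directories)
    attrs = {k: hire[k] for k in ("first_name", "last_name", "employee_id")}
    attrs["email"] = f"{login_id}@example.invalid"  # placeholder mail domain
    trail = []
    for d in directories.values():  # steps 6, 8a, 8b, 9, 10: create in every connected directory
        d.create(login_id, attrs)
        trail.append(f"created {login_id} in {d.name}")
    trail.append("7: PeopleSoft updated with login ID and email address")
    trail.append("11: manager emailed about new hire")
    queue = []
    for app in default_apps:  # steps 13-15: default applications per rules
        if app["connected"]:
            trail.append(f"15a: account created automatically in {app['name']}")
        else:
            queue.append(app["name"])
            trail.append(f"15b: workflow task queued for {app['name']} application support")
    return {"status": "created", "login_id": login_id, "email": attrs["email"],
            "workflow_queue": queue, "trail": trail}


def demo(today_iso="2006-03-06"):
    """Constructed scenario: a 'jsmith' already exists, so the new John Smith becomes 'jsmith2'."""
    dirs = {n: Directory(n) for n in CONNECTED_SYSTEMS}
    dirs["IDV"].create("jsmith", {"first_name": "Jane", "last_name": "Smith", "employee_id": "E100"})
    hire = {"first_name": "John", "last_name": "Smith", "employee_id": "E200",
            "effective_date": "2006-03-01"}
    apps = [{"name": "GroupWise", "connected": True},
            {"name": "ClinicalApp", "connected": False}]  # ClinicalApp is a placeholder name
    return provision_new_hire(hire, dirs, apps, today_iso), dirs


if __name__ == "__main__":
    result, _ = demo()
    print(result["status"], result["login_id"])
    for line in result["trail"]:
        print(" ", line)
```

The uniqueness check deliberately consults every connected directory, not just the one the identity is being created in first, which is what prevents the same login ID from landing on two different people once the STVI, SVHLDAP, IND1 and STVNET copies are made.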
Termination Process
Swim lanes: Non-System Processes; PeopleSoft HRMS; Workflow Processes; eDirectory™ (IDV); eDirectory (STVI & SVHLDAP); Active Directory (IND1); Active Directory (STVNET); Other Applications
Start 1: 1. Manager is notified of a termination event for associate or non-associate
Start 2: 1b. HR Service Center is notified of termination event for associate or non-associate
Start 3: 1c. Termination is initiated through VISTAR feed
2. Data is entered into PeopleSoft HRMS
3. IDM updates user data in IDV, disables account & moves user to the inactive container
4a. Is this a no-show hire?
   – Yes: 5. Server team is notified by email that the user never showed up for work; research is done, and accounts may be deleted manually instead of just being disabled automatically
4b. Routes termination WF request to all app security admin(s)
6. IDM updates user data in STVI, disables account & moves user to the inactive container
7. IDM disables GroupWise user and sets visibility to none
8. IDM updates user data in IND1, disables account & moves user to the inactive container
9. IDM deletes user account in STVNET
10. IDM deletes user account in SVHLDAP
11. All application support admin(s) are notified via email of a termination workflow task to be completed after they disable or delete the account
13. Application support admins disable/delete user manually in other application(s)
13. Application Support approves WF
14. Workflow generates email notifications
15. Manager receives notification
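The de-provisioning steps above are worth pairing with a check that they actually completed, because an account that was meant to be disabled but is still enabled in one system is exactly the "de-provisioning not consistently followed" gap listed under Where We Started. The following Python model is an added example, not code from the presentation or from Novell Identity Manager: it applies the slide's per-system actions (disable and move to the inactive container for IDV, STVI and IND1; hide the GroupWise mailbox; delete in STVNET and SVHLDAP), branches on the no-show hire case, and then audits every system for leftover access. The system names come from the slide; the in-memory stores, the `ou=inactive,o=stvincent` container name, the `visibility` values and the event record layout are assumptions made for the example.

```python
INACTIVE_CONTAINER = "ou=inactive,o=stvincent"  # placeholder name for the inactive container


class Directory:
    """In-memory stand-in for one connected system (constructed for this example)."""

    def __init__(self, name, action="disable", mail_system=False):
        self.name = name
        self.action = action            # "disable" (move to inactive) or "delete", per the slide
        self.mail_system = mail_system  # GroupWise-style: also hide the user from the address book
        self.users = {}                 # login_id -> {"dn": ..., "disabled": bool, "visibility": ...}

    def add(self, login_id, dn):
        self.users[login_id] = {"dn": dn, "disabled": False, "visibility": "system"}


def _move_to_inactive(entry):
    """Keep only the leaf RDN and re-parent the object under the inactive container."""
    rdn = entry["dn"].split(",", 1)[0]
    entry["dn"] = f"{rdn},{INACTIVE_CONTAINER}"


def deprovision(login_id, directories, event):
    """Apply the termination steps to every system and return the list of actions taken.

    event = {"source": "HR" | "ServiceCenter" | "VISTAR", "no_show": bool}  (assumed layout)
    """
    actions = [f"termination event received from {event['source']}"]
    for d in directories:
        entry = d.users.get(login_id)
        if entry is None:
            actions.append(f"{d.name}: no account found")
            continue
        if d.action == "delete":            # steps 9 and 10: STVNET and SVHLDAP accounts are deleted
            del d.users[login_id]
            actions.append(f"{d.name}: deleted")
            continue
        entry["disabled"] = True            # steps 3, 6, 8: disable and move to the inactive container
        _move_to_inactive(entry)
        if d.mail_system:                   # step 7: hide the mailbox from the address book
            entry["visibility"] = "none"
        actions.append(f"{d.name}: disabled, moved to {INACTIVE_CONTAINER}")
    if event["no_show"]:                    # steps 4a/5: no-show hire is handed to the server team
        actions.append("server team notified: no-show hire, research and manual deletion")
    else:                                   # steps 4b/11: workflow to application security admins
        actions.append("termination workflow routed to application security admins")
    return actions


def leftover_access(login_id, directories):
    """Post-termination audit: any account still enabled, mis-placed, or not deleted where it should be."""
    problems = []
    for d in directories:
        entry = d.users.get(login_id)
        if entry is None:
            continue
        if d.action == "delete":
            problems.append(f"{d.name}: account should have been deleted")
        elif not entry["disabled"] or not entry["dn"].endswith(INACTIVE_CONTAINER):
            problems.append(f"{d.name}: account still active or in the wrong container")
    return problems


def build_demo_systems():
    """Constructed systems mirroring the slide's swim lanes, each holding the same user."""
    systems = [
        Directory("IDV"), Directory("STVI"), Directory("IND1"),
        Directory("GroupWise", mail_system=True),
        Directory("STVNET", action="delete"), Directory("SVHLDAP", action="delete"),
    ]
    for d in systems:
        d.add("jsmith2", "cn=jsmith2,ou=active,o=stvincent")
    return systems


if __name__ == "__main__":
    systems = build_demo_systems()
    for line in deprovision("jsmith2", systems, {"source": "HR", "no_show": False}):
        print(line)
    print("leftover access:", leftover_access("jsmith2", systems) or "none")
```

Running `leftover_access` on a schedule, independently of the driver that performed the changes, is what turns the termination flow from a one-shot action into something you can evidence for the HIPAA access-control and auditing requirements listed earlier.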
Other Processes Handled
• Renames (Name Changes)
• Business Unit Changes
• User Data Changes
Automated Escalation Process Ensures Customer Requests Are Not Lost
Start: Initiated by Manager to grant application for End User
• Application Owner (days 1–2): Approved * → Entitlement is granted (Finished); Denied → logged; Time Out → escalate
• Escalate to Owner’s Mgr (days 3–4): Approved * → Entitlement is granted (Finished); Denied → logged; Time Out → escalate
• 2nd Escalation to Owner’s Mgr (days 5–6): Approved * → Entitlement is granted (Finished); Denied → logged; Time Out
IDM logs all denied activities
Could take up to 6 days
* indicates completion of work
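The escalation ladder is a small state machine driven by the clock, and it is useful to be able to ask "where is this request right now, and when does it time out?" without reading the workflow engine. The following Python function is an added example, not code from the presentation or from Novell Identity Manager: it takes the request creation time and the approver decisions recorded so far, walks the three two-day stages from the slide, and reports the request as pending (with its time-out), granted, denied, or expired. The stage names and two-day timeouts are taken from the slide; the ISO timestamp inputs, the `expired` status after the third time-out (the slide stops at six days) and the log-line format are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Escalation ladder from the slide: each rung has two days before the request times out
# to the next one, so a request can take up to six days in total.
STAGES = ("Application Owner", "Owner's Manager", "Owner's Manager (2nd escalation)")
STAGE_TIMEOUT = timedelta(days=2)


def request_state(created_iso, decisions, now_iso):
    """State of a grant request at `now`, given approver decisions recorded so far.

    decisions is a list of (iso_timestamp, "approved" | "denied") tuples. A decision is
    attributed to whichever rung held the request when it was made, and decisions
    stamped after `now` are ignored so the function can replay history.
    """
    created = datetime.fromisoformat(created_iso)
    now = datetime.fromisoformat(now_iso)
    for index, stage in enumerate(STAGES):
        stage_start = created + index * STAGE_TIMEOUT
        stage_end = stage_start + STAGE_TIMEOUT
        for at_iso, outcome in decisions:
            at = datetime.fromisoformat(at_iso)
            if stage_start <= at < stage_end and at <= now:
                status = "granted" if outcome == "approved" else "denied"
                return {"status": status, "stage": stage, "decided_at": at.isoformat()}
        if now < stage_end:
            return {"status": "pending", "stage": stage, "times_out_at": stage_end.isoformat()}
    # Assumption: after the third time-out the request is reported as expired rather than
    # left looking as if it were still waiting on someone.
    return {"status": "expired", "stage": STAGES[-1],
            "times_out_at": (created + len(STAGES) * STAGE_TIMEOUT).isoformat()}


def denial_log_line(request_id, requester, state):
    """'Log for all denied activities': one line per denied request, None otherwise (assumed format)."""
    if state["status"] != "denied":
        return None
    return f"{state['decided_at']} DENIED request={request_id} requester={requester} by={state['stage']}"


if __name__ == "__main__":
    created = "2006-01-02T09:00"
    for now in ("2006-01-03T09:00", "2006-01-05T09:00", "2006-01-07T09:00", "2006-01-09T09:00"):
        print(now, request_state(created, [], now))
    denied = request_state(created, [("2006-01-02T15:00", "denied")], "2006-01-10T09:00")
    print(denial_log_line("REQ-0001", "manager1", denied))
```

Because the function is pure and time is an input, the same code can both drive a dashboard ("what is overdue today?") and be replayed against an audit log to show that no request silently fell off the ladder.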
Service Request Management
• Replaced existing Information Services Request (ISR) System
• Provides three different workflow processes
  – Catalog Equipment Order
  – Equipment Moves & Removals
  – Professional Services (Including Projects)
• Utilized management hierarchy to route approvals
• Ties Identity and Request Management (IDRM) to the ticketing system
  – Currently a manual connection
  – Future connection will be automated using SOAP
Professional Services Workflow
• PSP Request Initiated
• Manager Approval
• IS Tuesday / Thursday Group Reviews Request
• Project? → Start Project Workflow Process
• Requires Assessment? → Assign team for evaluation → Request discussed with Requested Approving Manager → Manager OK with Cost? → if not, Request Terminated
• E-mail to Services Desk with request information for ticket creation
• Assign to Appropriate team
• Finish: Ticket number is entered into IDRM Request and closed; E-mail to requester with status and Ticket Number
Self-Service Password Reset
• Provides users the ability to reset their own password any time, any place
– At work
– At home on portals
• Reduces Helpdesk calls
• Provides for positive validation of user identity through “Challenge and Response” Questions
• Easily integrates with current systems
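The security of a challenge-and-response reset rests on how the answers are stored and compared, since a reset path that is weaker than the password it replaces becomes the easiest way into an account. The following Python code is an added example, not code from the presentation or from Novell Identity Manager: it enrolls a user's answers as salted PBKDF2 hashes (the answers themselves are never stored), normalizes case, accents and punctuation so legitimate users are not locked out by "Main St." versus "main st", compares every answer in constant time without short-circuiting, and locks self-service after repeated failures. The iteration count, the three-attempt lockout policy and the sample questions are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

PBKDF2_ITERATIONS = 100_000   # constructed value; tune to the server's CPU budget
MAX_FAILED_ATTEMPTS = 3       # constructed policy: lock self-service after three bad rounds


def normalize_answer(answer):
    """Case-fold, strip accents, punctuation and spaces so 'Main St.' and 'main st' match."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return "".join(ch for ch in folded.casefold() if ch.isalnum())


def _hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS)


def enroll(questions_and_answers):
    """Store the question text plus a per-answer salt and hash; the answer itself is never kept."""
    profile = {"answers": [], "failed_attempts": 0, "locked": False}
    for question, answer in questions_and_answers:
        salt = os.urandom(16)
        profile["answers"].append({"question": question, "salt": salt,
                                   "hash": _hash_answer(answer, salt)})
    return profile


def verify_challenge(profile, given_answers, required=None):
    """Check one reset attempt: every stored answer (or `required` of them) must match.

    Every answer is hashed and compared in constant time with no early exit, so response
    time does not reveal which question was answered wrongly. Repeated failures lock the
    profile; unlocking is left to the help desk (an assumption of this example).
    """
    if profile["locked"]:
        return False
    required = len(profile["answers"]) if required is None else required
    matched = 0
    if len(given_answers) == len(profile["answers"]):
        for stored, given in zip(profile["answers"], given_answers):
            matched += hmac.compare_digest(_hash_answer(given, stored["salt"]), stored["hash"])
    if matched >= required:
        profile["failed_attempts"] = 0
        return True
    profile["failed_attempts"] += 1
    if profile["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
        profile["locked"] = True
    return False


def demo_profile():
    """Constructed enrollment for one user."""
    return enroll([
        ("Name of your first pet?", "Rex"),
        ("Street you grew up on?", "Main St."),
        ("City of birth?", "Indianapolis"),
    ])


if __name__ == "__main__":
    profile = demo_profile()
    print("correct answers:", verify_challenge(profile, ["rex", "main st", "INDIANAPOLIS"]))
    print("one wrong answer:", verify_challenge(profile, ["rex", "main st", "Chicago"]))
    print("failed attempts so far:", profile["failed_attempts"])
```

The `required` parameter lets a site accept, for instance, three correct answers out of four enrolled, which is a policy decision; the hashing and lockout logic stay the same either way.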
Lessons Learned
• Know and thoroughly document your environment
• Assume nothing (verify things actually work as advertised)
• Understand the organization’s business processes
  – Talk to the users and understand yours and their business processes
• Cooperation and involvement of Human Resources is vital
• Have a viable test environment
• Be prepared for problems
What’s Next?
• Install the Roles and Provisioning Module
– Upgraded version of the User Application
• Role Based Provisioning Design and Implementation
Demonstration
Questions?
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.