Identity management system
What is it?
The UMBC Identity Management System (IDMS) consists of a registry of identities from various core business systems such as HR and SIS, and others that may not be represented by these two data sources. The IDMS attempts to resolve, using certain identifying information, records that exist in these systems which may point to a single individual. From there, it is responsible for feeding other consumer systems which require the identity information for operation. Some of these systems include the Campus Card system, the account management system, Blackboard, and the physical access control system.
Structure And Interconnections
(Diagram not reproduced here; the original page links to a full-size PDF.)
Affiliations
An individual can be associated with UMBC in any number of ways. We refer to these as affiliations. The IDMS learns of an individual's potential affiliations through data elements in a core business system, or by having the affiliation asserted by personnel who are authorized to do so. Individuals with the administrative rights to assert an affiliation for an identity also have the privileges to add an entry to the IDMS, with that particular affiliation, for an individual who may not be registered yet. The presence of a particular affiliation may drive other processes, such as enabling the individual to obtain and keep MyUMBC e-mail and file storage, or to show up in the LIMS system as an authorized library patron.
Common Affiliations
For more details regarding affiliations, see here.
Student
The student affiliation is asserted on an individual when he or she is authorized by the registrar to register, or is registered, for classes in this or an upcoming semester.
Graduate Student
Similar to student, this is asserted when someone is authorized to register or is registered for graduate courses.
Faculty
This affiliation affirms that the individual is listed as a current faculty member in the UMBC Human Resources database. In addition, authorized individuals, such as the campus card office and the OIT Helpdesk, can assert the faculty affiliation, with appropriate documentation, on new-hire faculty who have not appeared in the HR database yet. Faculty also implies the affiliation employee.
Staff
Similar to faculty, this affiliation is asserted for those individuals who show up in the UMBC HR database as staff. As with faculty, the helpdesk and campus card office can assert this affiliation for new-hire staff to kick-start their card & account generation process before they show up in the HR database. Like faculty, it also implies employee.
Student Employee
This affiliation is asserted for student employees as determined by the UMBC HR database. (Note: this does NOT get asserted for _real_ staff who are also students. Someone on a Contingent contract or such is "real" staff, even if they are also a student.) This does *not* imply employee.
Instructor
This affiliation is asserted for an individual who is shown in the UMBC SIS system as being listed as an instructor during the current semester. This implies employee.
Alumni
This affiliation is asserted when the UMBC SIS system lists an individual as obtaining a degree from the university.
Visitor
Authorized individuals are allowed to assert this affiliation so that an individual may receive a UMBC Visitor ID card. This should be used for those who must obtain a UMBC Photo ID for door access or other purposes, but do not require any other UMBC services.
Account Holder
Authorized individuals are allowed to assert this affiliation so that an individual may receive MyUMBC email or file space. This is used for various purposes; typically it is used to extend account privileges on a temporary basis. (Note: one should never assert account holder on an individual who is in another affiliate group which should receive account privileges as a whole. Arrangements should be made to extend the account privileges to the affiliation.)
Other Affiliations
UMBC has many "affiliate" programs (too many to count at times) such as summer programs, non-credit training, etc. Some of these affiliates are entitled to various UMBC services, such as a Campus Card, or MyUMBC email and file storage. In an effort to bring some of the processes involved in managing these affiliates and their privileges under control, OIT has committed to tracking these various programs in the UMBC IDMS as part of the business process changes that were made as part of the Campus Card upgrade project in the Summer of 2006.
Any individual that receives a Campus Card, or a MyUMBC account, must be listed in the Identity Management system with an affiliation which is authorized to receive such services. OIT can add such affiliations to the IDMS, and delegate the assertion of these affiliations to authorized personnel upon request.
IDMS Interface
The IDMS is accessed directly via WebAdmin (https://webadmin.umbc.edu/), a web application which provides both self-service and administrative functionality.
Searching for an Identity
To see if an individual is listed in the IDMS, use the Identity Lookup function in WebAdmin. You can search the database by an individual's Primary Account Name, CampusID, SSN, or full name. Some individuals also have the privilege to search by other identifiers, such as the LIMS ID or the Magstripe ID. After entering your search term(s), a number of matches will be returned. Clicking on the _view_ link to the left of the entry, or the entry itself, will bring up a window displaying further information on the individual. The small (?) links next to each piece of information will display more information on that data element.
Affiliating an Identity
Do we know this person?
If the individual you are affiliating already has a MyUMBC account, or has been issued a UMBC CampusID, then they are already in the IDMS. If this is the case, continue on. Otherwise, skip to the section below titled "Adding an Individual".
(Re)Affiliating an Existing Individual
Editing an existing identity is done through the WebAdmin [Edit Affiliation] interface.
What happens
Affiliation changes on an individual can cause other side effects, such as the revoking of privileges that have been conferred on an individual because of their affiliation. Many of these are not immediate -- for example, the account aging process contains grace periods that must pass before an account is actually deactivated. Adding an affiliation, such as one that confers on someone the right to have an account, will cause their account to become active again, or in the case of an account that has been de-provisioned, authorize the individual to re-provision it.
Step 1: Find the Person
Search the IDMS for the individual you are looking for. This is done through the familiar search interface. Enter one of the identifiers that you know (such as the CampusID, account name, or first and last name) and click submit.
Step 2: Choose the person
Choose the person to edit by clicking on their name. If you need to further review their information, click on the (view) link to the left of their name.
Step 3: Choose an affiliation
Choose the affiliation to apply to the individual from the drop-down on the left. Your choices will look different from those displayed on the screen shot, as you will only see those affiliations you are authorized to assert.
Step 4: Choose a timeframe
Choose a timeframe for the affiliation to be valid from the drop-down on the right.
Step 5: Submit your change
Click "Submit Change" to save your change.
Variation: Revoking an affiliation
You are also authorized to remove any affiliation you can assert. To do so, follow the editing process above, but at Step 4 choose "[remove]" as the timeframe.
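The rules described above (delegated assertion, removal under the same delegation, a validity timeframe, and affiliations that imply employee) can be modelled as follows. This is an added example, not WebAdmin or IDMS code; the Registry class, the asserter names, the CampusID value and the use of an expiry date for the timeframe are all assumptions made for illustration.

```python
from datetime import date

# Implications stated on this page: faculty, staff and instructor imply
# employee; student employee does not.
IMPLIES = {a: {"employee"} for a in ("faculty", "staff", "instructor")}


class Registry:
    """Hypothetical in-memory model, not the IDMS schema."""

    def __init__(self, delegations):
        self.delegations = delegations  # asserter -> affiliations they may assert
        self.asserted = {}              # campus_id -> {affiliation: expiry date}
        self.audit = []                 # (asserter, campus_id, affiliation, outcome)

    def _authorize(self, asserter, campus_id, affiliation):
        if affiliation not in self.delegations.get(asserter, set()):
            self.audit.append((asserter, campus_id, affiliation, "denied"))
            raise PermissionError(f"{asserter} may not assert {affiliation}")

    def assert_affiliation(self, asserter, campus_id, affiliation, expires):
        self._authorize(asserter, campus_id, affiliation)
        self.asserted.setdefault(campus_id, {})[affiliation] = expires
        self.audit.append((asserter, campus_id, affiliation, "asserted"))

    def revoke(self, asserter, campus_id, affiliation):
        # Removal is governed by the same delegation as assertion.
        self._authorize(asserter, campus_id, affiliation)
        self.asserted.get(campus_id, {}).pop(affiliation, None)
        self.audit.append((asserter, campus_id, affiliation, "revoked"))

    def effective(self, campus_id, today):
        """Unexpired asserted affiliations plus the ones they imply."""
        live = {a for a, exp in self.asserted.get(campus_id, {}).items()
                if exp >= today}
        return live.union(*(IMPLIES.get(a, set()) for a in live))


def demo():
    # Constructed sample data: asserter names and the CampusID are made up.
    reg = Registry({"helpdesk": {"faculty", "staff"},
                    "program_admin": {"visitor"}})
    reg.assert_affiliation("helpdesk", "ZZ00001", "staff", date(2030, 6, 30))
    active = reg.effective("ZZ00001", date(2030, 1, 1))
    expired = reg.effective("ZZ00001", date(2030, 7, 1))
    try:
        reg.revoke("program_admin", "ZZ00001", "staff")
    except PermissionError:
        pass
    return active, expired, reg.audit[-1][3]
```

Recording denied attempts alongside successful changes gives a reviewer a trail of who tried to assert or remove an affiliation outside their delegation.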
Adding an Individual
If the individual you are interested in is not yet in the UMBC IDMS, you can use the WebAdmin Add Person interface to create their record.
Step 1: Enter a name
Enter the first and last name of the individual you wish to add.
Step 2: Check for existing matches
If the name you have entered matches entries that are currently on record, these entries will be displayed. If you need more information on an individual, click the 'view' link to the left of their name. If you do find an entry that matches the individual you were trying to add, click on their name and you'll be taken to an intermediate screen. To edit this person's existing affiliation record, click on "Edit Existing Record" and you will be taken to "Step 3" from above to add your affiliation to the existing individual. If none of these individuals on record match the one you are trying to add, click 'Continue'.
Step 3: The Social Security Number
While we have tried to remove the SSN from many of our internal processes, it still exists as one of the only data elements that can reliably match records between all three of the IDMS, SIS, and Human Resource systems. If the individual you are entering into the system is an employee or someone that is expected to have a tight relationship with the university (such as becoming an enrolled student) it is helpful to enter their Social Security Number at this time. If you have the individual's SSN, enter it and choose "Continue". Otherwise, choose "DO NOT HAVE SSN". It is not a requirement to enter an SSN into the IDMS; however, it can be helpful. Do not enter a fake SSN into the IDMS, such as those that are sometimes created for non-US applicants or students that have not been issued SSNs by the Social Security Administration.
Step 4: SSN Conflict?
If the SSN you entered (if you entered one) on the step above conflicted with one that is already on record, you'll be taken to a screen that describes options on how to continue. You can either:
- Correct the SSN if you had entered it incorrectly.
- Continue by editing the affiliation of the record that matched the SSN you entered.
- Report a potential conflict to the administrators, and continue entering this individual without an SSN.
Step 5: Choose an Affiliation
Choose an affiliation from the menu presented that you wish to assert on this new individual, and choose the timeframe you wish this affiliation to be active. When you are done, hit 'Continue'.
Step 6: Verify
Verify the information you have entered is correct. Be careful to make sure the first name is the first name, and last is the last. It's easy to make mistakes :) If you have made a mistake, click "Correct Errors" and you will be taken through the input screens again. If you are sure the information you've entered is correct, click "Continue."
Step 7: Complete
The identity has been added. Note the CampusID and temporary password that have been generated. If the individual is authorized for a MyUMBC account, the temporary password printed can be used for them to authenticate to the account creation system.
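The duplicate checks in Steps 2 through 4 can be sketched as a pre-creation gate: review name matches first, refuse an SSN the Social Security Administration could never have issued, then look for an SSN already on record. This is an added example, not the Add Person implementation; the function names, outcome strings, record layout and sample record are assumptions, and the page does not say whether WebAdmin itself performs the range check.

```python
import re


def normalize_ssn(ssn):
    """Return nine digits, or None if the SSA could never have issued it."""
    m = re.fullmatch(r"([0-9]{3})-?([0-9]{2})-?([0-9]{4})", ssn.strip())
    if not m:
        return None
    area, group, serial = m.groups()
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued,
    # so made-up placeholder numbers often fall in these ranges.
    if (area in ("000", "666") or area[0] == "9"
            or group == "00" or serial == "0000"):
        return None
    return area + group + serial


def add_person(registry, first, last, ssn=None, reviewed_matches=False):
    """Return (outcome, matching_records); outcome names are hypothetical."""
    key = (first.strip().lower(), last.strip().lower())
    same_name = [p for p in registry
                 if (p["first"].lower(), p["last"].lower()) == key]
    if same_name and not reviewed_matches:
        return "REVIEW_NAME_MATCHES", same_name        # Step 2
    if ssn is not None:                                # None = "DO NOT HAVE SSN"
        digits = normalize_ssn(ssn)
        if digits is None:
            return "REJECT_IMPLAUSIBLE_SSN", []        # Step 3
        clash = [p for p in registry if p["ssn"] == digits]
        if clash:
            return "SSN_CONFLICT", clash               # Step 4
    return "OK_TO_CREATE", []


# Constructed sample record; the CampusID format and SSN are made up.
SAMPLE = [{"campus_id": "ZZ00001", "first": "Pat", "last": "Example",
           "ssn": "123456780"}]
```

The range check only catches numbers outside the issued ranges; a made-up number inside them still passes, so the instruction not to enter fake SSNs remains the primary control.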











