Table of Contents
Overview
The UH Identity Management System (UHIMS) aggregates identity and contact information as well as roles and affiliations for each member of the UH community. The Identity Access Management (IAM) team ensures that all requests for this information are handled by processes that are documented and regularly reviewed and approved by UH’s Institutional Data Governance Program (DGP). Any changes to IAM data sharing processes are first subjected to DGP review and approval.
Data Aggregation
UHIMS collects "person" information from UH's Human Resource, Student Employment, and Student Information Systems, and from additional systems-of-record in order to compose as complete a picture as possible of each person's set of affiliations with the University.
UH Person Registry
UHIMS aggregates the "person" data it collects in the UH Person Registry. The aggregation of this information helps with the formulation of a complete picture of a person's set of roles and affiliations within UH. Additional information, including contact information and employment information suitable for application authorization processes is collected.
Data Sharing
Authorized UH application developers may request UHIMS "person" data by utilizing the IAM online forms to officially make requests.
There are a number of IAM data sharing strategies available:
During Authentication: UH Login (Shibboleth and CAS)
A individual's successful authentication to an authorized online web application may result in the sharing of the individual's data from the Person Registry. The application may use that individual's data to determine what the person is authorized to access and how best to organize the presentation of the accessible content.
For Authorization: Grouper
An authorized application may check Grouper to determine if a person is a member of a specific Group or set of Groups in order to determine what the person is authorized to access and how best to organize the presentation of the accessible content.
For Event Management: UHIMS Events
An authorized application may consume UHIMS Events as they are published to the UH Message Broker in order to detect "person" updates that need to trigger business logic. For example, a person may transition from a single faculty role to Ohana, indicating that they are no longer employed by UH. This change may indicate that the person is no longer authorized to access the application.
Attribute Release Practices
IAM publishes its "Attribute Release Practices" for the UH developer community. An accompanying IAM Data Element Dictionary is also provided so that developers fully understand the Person Registry data that is being shared.
Data Governance
UH’s Institutional Data Governance Program provides oversight for the management of Institutional Data across the UH System. IAM data sharing practices are subject to DGP oversight and the IAM team regularly reviews its processes with the DGP.
Review and Oversight
IAM regularly engages the DGP to ensure that IAM data sharing practices are compliant with UH data sharing policies. The DGP has thoroughly reviewed all IAM data sharing processes and as IAM continues to explore new data to share and new ways to make "person" data available, IAM engages the DGP early and often.
Streamlining Data Governance for Developers
The DGP generally requires that a developer manually obtain a Data Sharing Agreement for each activity and for each system-of-record involved. IAM practices mitigate the need to do this in two ways: (1) aggregation, and (2) the IAM pre-approved data sharing process. By aggregating data UHIMS provides a single resource for the access of "person" data. Because the DGP has pre-approved IAM's data sharing practices, most developers will not have to obtain any Data Sharing Agreements in many cases.
Compare these two advantages to requiring developers to have to complete a Data Sharing Requests with each system-of-record for every new project.
Auditability
Requests for IAM data sharing are currently driven by Google Forms. DGP staff have access to the underlying data that is collected as requests are submitted. IAM data sharing practices are documented and reviewed by the DGP before each set of changes.