Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

This is a draft document that may change significantly. It is to eventually be included on the IAM website.

Table of Contents

Overview

The UH Identity Management System (UHIMS) aggregates identity and contact information as well as roles and affiliations for each member of the UH community.  The Identity Access Management (IAM) team ensures that all requests for this information are handled by processes that are documented and regularly reviewed and approved by UH’s Institutional Data Governance Program (DGP).  Any changes to IAM data sharing processes are first subjected to DGP review and approval.

Data Aggregation

UHIMS collects "person" information from UH's Human Resource, Student Employment, and Student Information Systems, and from additional systems-of-record in order to compose as complete a picture as possible of each person's set of affiliations with the University.

UH Person Registry

UHIMS aggregates the "person" data it collects in the UH Person Registry.  The aggregation of this information helps with the formulation of a complete picture of a person's set of roles and affiliations within UH.  Additional information, including contact information and employment information suitable for application authorization processes is collected.

Data Sharing

Authorized UH application developers may request UHIMS "person" data by utilizing the IAM online forms to officially make requests.  

There are a number of IAM data sharing strategies available:

During Authentication: Shibboleth and CAS

A individual's successful authentication to an authorized online web application may result in the sharing of the individual's data from the Person Registry.  The application may use that individual's data to determine what the person is authorized to access and how best to organize the presentation of the accessible content.

For Authorization: Grouper

An authorized application may check Grouper to determine if a person is a member of a specific Group or set of Groups in order to determine what the person is authorized to access and how best to organize the presentation of the accessible content.

For Event Management: UHIMS Events

An authorized application may consume UHIMS Events as they are published to the UH Message Broker in order to detect "person" updates that need to trigger business logic.  For example, a person may transition from a single faculty role to Ohana, indicating that they are no longer employed by UH.  This change may indicate that the person is no longer authorized to access the application.

Attribute Release Practices

IAM publishes its "Attribute Release Practices" for the UH developer community.  An accompanying IAM Data Element Dictionary is also provided so that developers fully understand the Person Registry data that is being shared.

Data Governance

UH’s Institutional Data Governance Program provides oversight for the management of Institutional Data across the UH System.  IAM data sharing practices are subject to DGP oversight and the IAM team regularly reviews its processes with the DGP.

Review and Oversight

IAM regularly engages the DGP to ensure that IAM data sharing practices are compliant with UH data sharing policies.  The DGP has thoroughly reviewed all IAM data sharing processes and as IAM continues to explore new data to share and new ways to make "person" data available, IAM engages the DGP early and often.

Streamlining Data Governance for Developers

The DGP generally requires that a developer manually obtain at Data Sharing Agreement for each activity and for each system-of-record involved.  IAM practices mitigate the need to do this in two ways: (1) aggregation, and (2) the IAM pre-approved data sharing process.  By aggregating data UHIMS provides single resource for the access of "person" data.  Because the DGP has pre-approved IAM's data sharing practices, most developers will not have to obtain any Data Sharing Agreements in many cases.  

Compare these two advantages to requiring developers to have to complete a Data Sharing Requests with each system-of-record for every new project.

Auditability

Requests for IAM data sharing are currently driven by Google Forms.  DGP staff have access to the underlying data that is collected as requests are submitted.  IAM data sharing practices are documented and reviewed by the DGP before each set of changes.

 

  • No labels