Identity Management Is All About You

From the moment we become a member of the university community, we are assigned an Ohio State Username (lastname.#). Our identifying information gets transferred to various systems and modified as we transition from student to alumni to employee to retiree. But how does the university manage all of these transitions in information and affiliation type? How do we use a username and password to tell the difference between you and E. Gordon Gee and a newly enrolled student? Importantly, how do we ensure accuracy, security and privacy protection?

Over time, Ohio State built a complex network of business processes and technology systems to create and manage the 1 million plus identities coming through its doors. In August 2011, the Identity and Access Management (IdM) Program implements the foundation of a new IdM system that streamlines these processes. In addition, IdM establishes my.osu.edu – the university’s new site for ensuring the Ohio State community has a user-friendly and secure means of activating their account and quickly gaining access to university resources. The key changes to recognize and familiarize yourself with are:

  1. Identity Activation: A consistent, secure, self-service process for all new individuals, including student applicants, students, employees, and guests.
  2. Sponsored Guest Administration: Providing a tool and means for individuals distributed across the college and VP areas to create and manage guest accounts.
  3. No Longer Affiliated: Facilitating timely removal of access for individuals who are no longer affiliated with the university.
  4. Password Practices: Enforcing the university’s standard password practices and synchronizing password changes with connected systems and the university’s authentication methods (Shibboleth and Kerberos).

Identity Activation

Identity activation is required for all new individuals, regardless of affiliation, and includes a self-service process in which a user requests an activation code, establishes a password, answers security questions, and defines e-mail delivery. An added benefit of the new IdM system is that individuals can now receive access to university resources within minutes of their username being generated. In addition, all new faculty and staff members will automatically receive an account on the new University E-mail Service (Exchange).

A sponsored guest is an individual who requires access to university resources with an Ohio State Username (lastname.#) and who does not have a current affiliation, such as a consultant. A sponsored guest could also be an employee who left the university but has a continued need for access. My.osu.edu provides the online tool for requesting guest access and for updating the personal information of active guests. College and VP units will own the creation and management of the guests within their area. As such, a new role – Sponsored Guest Admin Authorizer – has been created to identify the individuals with the authority to name Sponsored Guest Administrators for each organizational unit. While the Sponsored Guest Administrator will be responsible for the data entry of a guest, the new authorizer role and process will help units identify and manage individuals requiring access to university systems. In addition, the IdM system enables the university to identify whether or not an individual has had a prior relationship with the university, thereby preventing the creation of duplicate identities.

No Longer Affiliated (NLA)

An active appointment status (including non-salaried) is equivalent to authorizing security access to university systems. The NLA inactivation rules address this risk by restricting access after employment termination. Recognizing the need for continued communication in certain circumstances, an employee terminated (not for cause) will have their lastname.# access inactivated on the effective date of termination, but may continue to receive e-mail forwarding to a personal e-mail address for 60 days. The improved sponsored guest process will also allow departments to identify instances where an individual needs a renewal of access. A major increase in security posture is achieved by IdM’s ability to immediately terminate access for someone who leaves the university for cause.

Password Practices

IdM has the ability to synchronize a password among the systems it is connected to and to enforce the university’s password practices. The foundational release focuses on the Ohio State Username (lastname.#) account and password, and eliminates the need for a separate logon for OSU Wireless. Once users visit my.osu.edu and reset their password, their new password will be distributed to connected systems and OSU Wireless will use their lastname.#. The improved password practices better assure the university’s security stance and better protect the online collaboration vital to the success of our research and academic missions. The timeline for migrating individuals to the new standards is explained in Your Password’s Days are Numbered.

If you would like to know more about these changes, contact Diane Owens, program director, at owens.3@osu.edu.