Identity and Access Service systems control user authentication and access to services, resources and data. Authentication is the process by which a user identifies themselves, most often through a userid and password. Access management determines which services, resources and data an authenticated user can access.
UCL’s current Identity and Access Services were developed over 15 years ago and now offer limited functionality when compared to modern alternatives. While they offer baseline functionality and are secure, they are insufficient to meet the needs of TOPS. For instance, granting access to new services, resources or data is a manual process that takes time, and the options for self-service account management are limited. Because the technology has accreted over many years, it is fragile, which makes change difficult and time consuming.
Providing modern and effective identity and access services will provide the underpinning infrastructure needed to realise the TOPS vision of more effective self-service, swifter provisioning of services and greater levels of automation.
It is useful to look at identity and access services in terms of five main building blocks:
– Identity data management: Ability to manage a person’s identity information through a ‘UCL Account’, for instance their password
– Authentication: Identification of the person seeking to access services or data, typically using a username and password.
– Authorisation: Effective control of which services and data an authenticated person has access to.
– Audit: Ability to periodically validate who has access to particular services and data
– Self-service: Ability for staff and students to manage their ‘account’ information and request access through self-service.
Currently identity data management and authentication are the most effective elements of the current technology set. Most UCL systems already use a common identifier (userid) and most use common authentication credentials (password). However, there is space for improvement including the provision of self-service account management.
This project will build on this foundation to improve other areas, in particular authorisation: assuring, discovering, applying and maintaining access rights for resource consumers and providers. In the past, this has not been an area of standardisation nor one that has taken a service-oriented approach. Consequently, each professional service area has developed a multitude of workflows ultimately concerned with processing access rights. Additionally, reporting on authorisation is time consuming and largely manual. The project will also be concerned with how access rights are reported to resource owners and individuals for the purposes of security and audit.
There is also a self-service requirement since the customer should be able to self-manage access to resources either for themselves or for resources they own.
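To make the five building blocks and the authorisation, audit and self-service requirements above concrete, here is a small added model written for this page; it is not UCL's system or any of its code, and every userid, resource name, password and work factor in it is a constructed assumption. It shows identity data held in one account store, password authentication with salted PBKDF2 hashes and constant-time comparison, owner-approved access grants driven by self-service requests, and an audit report that flags grants still held by deactivated accounts (the "leaver still has access" case a periodic review exists to catch).

```python
"""Toy identity-and-access model: identity data, authentication,
authorisation, audit and self-service in one place.
Added illustration only; all names, passwords and values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000  # assumption: illustrative PBKDF2 work factor


@dataclass
class Account:
    userid: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)   # userid -> Account
    owners: dict = field(default_factory=dict)     # resource -> owner userid
    grants: dict = field(default_factory=dict)     # resource -> set of userids
    requests: list = field(default_factory=list)   # pending (userid, resource)
    audit_log: list = field(default_factory=list)  # append-only event trail

    def _hash(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    # Identity data management: one account record per person.
    def create_account(self, userid: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[userid] = Account(userid, salt, self._hash(salt, password))
        self.audit_log.append(("create", userid))

    # Self-service: a person changes their own password after re-authenticating.
    def change_password(self, userid: str, old: str, new: str) -> bool:
        if not self.authenticate(userid, old):
            return False
        acct = self.accounts[userid]
        acct.salt = os.urandom(16)  # fresh salt on every change
        acct.pw_hash = self._hash(acct.salt, new)
        self.audit_log.append(("password_change", userid))
        return True

    # Authentication: deactivated accounts never authenticate; compare in constant time.
    def authenticate(self, userid: str, password: str) -> bool:
        acct = self.accounts.get(userid)
        if acct is None or not acct.active:
            return False
        return hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password))

    # Authorisation: a resource has one owner; access is an explicit grant.
    def register_resource(self, resource: str, owner: str) -> None:
        self.owners[resource] = owner
        self.grants.setdefault(resource, set())

    def is_authorised(self, userid: str, resource: str) -> bool:
        acct = self.accounts.get(userid)
        allowed = (acct is not None and acct.active
                   and userid in self.grants.get(resource, set()))
        self.audit_log.append(("access_check", userid, resource, allowed))
        return allowed

    # Self-service: the person requests, the resource owner approves.
    def request_access(self, userid: str, resource: str) -> None:
        self.requests.append((userid, resource))

    def approve(self, owner: str, userid: str, resource: str) -> bool:
        if self.owners.get(resource) != owner or (userid, resource) not in self.requests:
            return False
        self.requests.remove((userid, resource))
        self.grants[resource].add(userid)
        self.audit_log.append(("grant", owner, userid, resource))
        return True

    def deactivate(self, userid: str) -> None:
        self.accounts[userid].active = False
        self.audit_log.append(("deactivate", userid))

    # Audit: per-resource report for the owner, separating live grants from
    # grants still held by deactivated accounts that should be revoked.
    def access_report(self) -> dict:
        return {
            resource: {
                "owner": self.owners[resource],
                "active": sorted(u for u in users if self.accounts[u].active),
                "stale": sorted(u for u in users if not self.accounts[u].active),
            }
            for resource, users in self.grants.items()
        }


def demo() -> Directory:
    """Constructed walkthrough: request, approval, then a leaver who keeps a grant."""
    d = Directory()
    d.create_account("alice", "correct horse")
    d.create_account("bob", "battery staple")
    d.register_resource("finance-reports", owner="alice")
    d.request_access("bob", "finance-reports")
    d.approve("alice", "bob", "finance-reports")
    d.deactivate("bob")
    return d
```

Run `demo()` and inspect `access_report()`: the report lists `bob` under `stale` for `finance-reports`, which is exactly the kind of finding the periodic validation in the Audit building block is meant to surface, and `is_authorised` already refuses the deactivated account even before the grant is cleaned up.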