The Enterprise Identity and Access Management (EIAM) program began 18 months ago to improve how people obtain and use accounts to access U-M services. The program came to an official close this summer. The program’s ambitious scope included the entire U-M community—Ann Arbor, Dearborn, Flint, and Michigan Medicine. With members from Information and Technology Services (ITS) and Health Information Technology & Services (HITS) working together, the team sought to reduce pain points and to plan for improvements into the future.
The EIAM Program coordinated identity and access management efforts for all four U-M campuses to improve and simplify the technology and administrative processes that allow authorized individuals to access U-M resources. The multi-year initiative was jointly funded through June 2018 by the Office of the Provost and Michigan Medicine.
“HITS and ITS together made significant strides in strengthening identity and access management governance and processes, while also expanding our understanding of long-term needs to support the entire university community,” said Nimi Subramanian, program co-director and IS director at HITS.
Positive impact felt today
- 15,000+ students, faculty, and staff* joining U-M since October 2017 created their uniqnames using a modernized onboarding process with improved communications, fewer obstacles, and mobile-friendly web design. 23% used a smartphone or tablet to set up their account, a task which was previously recommended only for a computer.
(*More specifically, staff and faculty joining the Ann Arbor, Dearborn, and Flint academic campuses; and students joining the Ann Arbor and Flint campuses.)
- 1,600 students joining UM-Dearborn since October 2017 used a new Uniqname & Account Setup app, which gave Dearborn students the option to select their own uniqname for the first time.
- 34,000+ Michigan Medicine employees now enjoy improvements in a number of areas including simpler, automated email communications to new hires that trigger setup of their accounts and passwords, streamlined onboarding processes that cut the number of calls to both ITS and HITS Service Desks, and an enhanced group management tool to manage distribution lists and access to shared network drives.
- 4,600+ people use a social account (e.g., Facebook, Twitter, LinkedIn) each month to use resources provided by the Alumni Association or HathiTrust Digital Library. Five additional groups are interested in offering social login for a service soon.
- 22,500+ people on average who reset their UMICH (Level-1) password by contacting the ITS Service Center each year now may reset their password on their own more easily with improved screens, more convenient help links, text message password reset codes, and UMID or birthdate instead of security questions. We are on track this year to see 10,000 fewer password reset requests to the ITS Service Center.
- 1,700 people piloted a new prompt to review and update password recovery information after Weblogin—with the new feature rolling out to the entire U-M community over the coming year.
- 20,000+ people in the College of Engineering (about 20,000 students, faculty, and staff), Shared Services Center (about 60 staff), and UM-Dearborn (about 10 staff) will soon have a small portion of their access managed automatically.
Listened today to impact tomorrow
The program team conducted more than 100 interviews with interested groups across the university to better understand current challenges and opportunities for improvement. The knowledge gained from listening to the community was invaluable in setting the right direction for efforts lasting beyond the program’s end date. These efforts include:
- Recommendations to address concerns about uniqnames include creating email aliases to give people more flexibility, and making uniqnames easier to change when a life event occurs. Longer term recommendations include replacing uniqnames as the primary identifier in systems with a more flexible option.
- Growing the use of the newly-acquired Identity Governance tool to provide role-based access to all campuses, including Michigan Medicine. Use of the tool requires groups to strategically define who should receive access to what and why, and will be slowly adopted over time.
- A “bridge” between the directory systems for the academic campus and Michigan Medicine was designed to more easily share identity and group data in the future. The future technical solution will reliably and accurately pass information between the two directories.
- Michigan Medicine explored a need for consistently clear and strict controls to help secure data. After establishing a model to analyze data security and conducting a pilot, the team made recommendations to establish and maintain an application database and implement regular internal monitoring and auditing.
- Recommendations for appropriate steps to verify an individual’s identity before they access university resources based on risk associated with the access.
While the program is ending, the work to improve how people receive access to the resources they need to contribute to the university’s missions of research, education, patient care, and community engagement is not over.
“The recommendations and research resulting from the program will be useful to the Identity and Access Management teams in ITS and HITS for years to come. Our teams are looking forward to carrying forward the EIAM vision in ongoing support work and in future projects,” said DePriest Dockins, program co-director and assistant director of ITS Identity and Access Management.
The Role and Access Management Project (RAMP) will continue in ITS as the Identity Governance Early Adoption project in FY19. Identity and Access Management teams in ITS and HITS will prioritize and implement recommendations from the EIAM program over time as future projects.