Role & access management: A smarter way to grant access

10,456

That’s the number of permissions requested by the U-M community since January 2017 for just one system. In this case, the requests were to add or remove M-Pathways roles in the Financials & Physical Resources System. Countless more access requests for universitywide or unit-specific systems or resources happen daily.

Determining the correct level of access in multiple systems is an arduous task that needs to be done every time someone joins the university or takes on new responsibilities. It often requires in-depth knowledge of both the system and how the person will need to use it. Requesting access takes time, creates a great deal of administrative burden, and adds up to a staggering amount of effort spread across the entire university.

Creating a new tool to manage access

The Role and Access Management Project, part of the Enterprise Identity and Access Management (EIAM) program, selected and began to create a tool to improve how access is granted and revoked at U-M. It is designed to accelerate start-up time for new employees, improve data security, replace some manual processes, increase the ability to track and report on access, and simply make it easier for authorized individuals to access the right U-M resources when they need them.

Over the last year, the project team members from Information and Technology Services (ITS) and Health Information Technology & Services (HITS) worked with academic, clinical, and administrative partners to conduct a thorough request for proposal. In January 2018, the cross-campus team selected the Identity Governance tool to provide the new capability to all U-M campuses, including Michigan Medicine. Learn more about the team’s selection process.

About the EIAM Program
Completed in June 2018, the Enterprise Identity and Access Management (EIAM) program at U-M coordinated IAM efforts for all four U-M campuses to simplify and improve the technology and administrative processes that allow authorized individuals to access U-M resources. The multi-year initiative was jointly funded by the Office of the Provost and Michigan Medicine through the end of FY18.


Benefits of role-based access using Identity Governance

When used with a system or application, Identity Governance will help make sure individuals can access the right resources for the right reasons. Additionally, the tool is designed to answer who has access to which resources, and when and why that access was provided.

The two teams are working towards using the tool to demonstrate the following benefits:

  • Streamline access – Permissions in multiple systems and applications can be grouped together to assign to a person who needs them to perform a job function. Instead of requesting multiple system permissions, the permissions can be assigned as a group—manually or automatically.
  • Automate access – Permissions can be automatically assigned and unassigned when a person meets pre-defined criteria. The criteria are based on a person’s digital identity at the university, and may be defined using relationship to the university, department, job title, enrollment data, and/or other attributes. People with the specific identity attributes will receive the access, eliminating the need to manually manage access for each person and significantly reducing turnaround time.
  • Pre-approve access – Instead of approving individual permission requests for each person, the criteria and permissions are defined and approved in advance by business process owners, application owners, data stewards, and others responsible for managing access. Tailoring the permissions and criteria to fill specific business needs requires an in-depth knowledge of the business processes and system permissions, and will require changing practices around access approval.
  • Enhance security and compliance – The correct amount of access is easier to identify, providing an alternative to requesting too little or too much access by “modeling after” someone else. Flexible reports by user, role, group, or application are available for audits, governance, and user support. Access will automatically be updated when a person changes jobs, changes departments, or leaves the university. The tool can also be used to better meet required compliance regulations.
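
The model these benefits describe (roles that bundle permissions across systems, pre-approved criteria on identity attributes, and automatic revocation with a recorded reason) can be sketched as follows. This is an added example, not code or an API from the Identity Governance tool; the role names, attribute keys, and permission strings are constructed for illustration.

```python
# Constructed role catalogue: each role bundles permissions from several
# systems and carries criteria that owners approved in advance.
ROLES = {
    "procurement-specialist": {
        "criteria": {"relationship": "staff", "department": "Shared Services",
                     "job_title": "Procurement Specialist"},
        "permissions": {("financials", "requisition.create"),
                        ("financials", "po.view"),
                        ("reporting", "spend.read")},
    },
    "shared-services-staff": {
        "criteria": {"relationship": "staff", "department": "Shared Services"},
        "permissions": {("reporting", "spend.read"),
                        ("building-access", "office.business_hours")},
    },
}

def entitled(identity):
    """Map each permission the identity qualifies for to the roles that justify it."""
    reasons = {}
    for name, role in ROLES.items():
        # A missing attribute never equals the required value, so an
        # incomplete identity record matches no role (fails closed).
        if all(identity.get(k) == v for k, v in role["criteria"].items()):
            for perm in role["permissions"]:
                reasons.setdefault(perm, []).append(name)
    return reasons

def reconcile(identity, current):
    """Compare held permissions with entitlement; return (action, permission, reason)."""
    target = entitled(identity)
    changes = []
    for perm in sorted(set(target) - set(current)):
        why = "matches role " + ", ".join(sorted(target[perm]))
        changes.append(("grant", perm, why))
    # A permission is revoked only when no remaining role grants it, so a
    # job change inside a department keeps the access both jobs share.
    for perm in sorted(set(current) - set(target)):
        changes.append(("revoke", perm, "no role criteria matched"))
    return changes
```

Running `reconcile` again after any attribute change (new job title, new department, departure) yields exactly the grants and revocations needed, each with the reason an auditor would ask for.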

Next steps for Identity Governance

Release and expansion plans for Identity Governance will be tailored to the unique needs of the academic campuses and Michigan Medicine. ITS and HITS will continue to collaborate, but plan to approach the tool adoption in different ways.

Academic campuses

ITS and three campus partners will conduct an early adopter phase through December as the Identity Governance Early Adoption project. The College of Engineering, Shared Services Center, and UM-Dearborn will use the tool to automate access for off-hours building access, M-Pathways FIN PeopleSoft Procurement roles, and Banner access for Financial Aid Administration, respectively. The team will demonstrate the Identity Governance tool’s key features by automatically granting and revoking the right access at the right time for a targeted population of individuals in select systems.

ITS will use our findings from the early adoption project to determine plans for further expansion of Identity Governance to more units and to integrate with more systems. Future rollout and availability of the tool will be prioritized based on the amount of effort required to integrate systems and adjust business processes, addressing the most significant pain points, and improving the areas with the most manual effort required for managing access.

Subscribe to updates from the ITS Identity Governance Early Adoption project. If you have questions about the early adoption period for the academic campus, please contact the project team at

Michigan Medicine

During the Role and Access Management Project, HITS partnered with MiChart and other service providers to connect systems with Identity Governance to standardize, enhance, organize, and simplify access. In doing so, they will build a framework to test and validate the tool’s ability to streamline and automate access assignments and reduce manual effort while increasing accurate control.

Visit the Role and Access Management Project webpage to learn more about Identity Governance.