Identity Management

Definition: Account Provisioning

Account provisioning is the process of ensuring that a member of the Swarthmore community has access to the campus computing and network resources required to perform their function at or with the college. Access to certain systems and resources is based on a person's role within the college, whether that is as a student, faculty, staff member, or any combination. Additionally, Swarthmore needs to provide resources to other constituencies within, or external to, the college. Tri-college students, for example, need access to IT resources in order to participate in classwork undertaken at Swarthmore; contractors conducting business on campus, or guests of the college, often require access to network and wireless service. Each role may require different types of services and/or access permissions to systems, and a person may be a member of several roles. It can often be difficult to verify, first, that a person is actually entitled to the resources they are requesting and, second, that they are receiving all the access appropriate for their role, or roles, within the college.

Definition: Identity Management

Identity Management is the practice of defining the various roles within the college, the resources and services that are required for each role, what constitutes membership within a role, and identifying individuals and assigning them to their role or roles.

History

Much of this work was previously accomplished through a combination of manual and automated processes that varied with the constituency of the person(s) for whom the accounts were being provisioned. This often led to inconsistencies in access to resources, as the process and method for requesting accounts for students was different from that for staff, which was different from that for faculty, etc. Deprovisioning (closing and deleting accounts) was done inconsistently.

The Identity and Access Management Project

The Identity and Access Management Project at Swarthmore was undertaken to provide a way to provision accounts and services automatically. ITS has worked with HR, the Registrar's Office, the Provost's Office, and others, to identify the various roles along with their service requirements. Since membership in the most common roles can be determined from data in the College database, accounts can be created as soon as the qualifications for membership in a role exist in the database.

This means that the creation of most accounts is no longer dependent upon an action being taken by someone in ITS but rather by the normal day-to-day processing of the administrative offices of the college. A student is admitted, an employee is hired, or a tri-college student is registered in a class – those actions 'trigger' creation of the accounts. Likewise, as students graduate or employees leave the college the accounts can be de-provisioned, ensuring that those resources are available only to the rightful members of that role.

How does this affect you?

If you already have an account with Swarthmore, you shouldn't see any difference in your services. However, if you're a hiring manager, or are responsible for people requiring access to college systems, there are some important differences. The new account provisioning process is different in several significant ways. Previously, requests for IT services for new employees made their way to ITS through HR and the hiring manager, or through the Provost's office for faculty. Other requests were handled on a case-by-case basis. This is no longer required, as the process of account creation is done automatically.

  1. Accounts for students are created when the Admissions office admits a student for the new term (in the case of Swarthmore students), or when the Registrar's office records information for tri-college or visiting students.
  2. New accounts for faculty and staff are created as soon as Human Resources and/or the Provost's office are aware that a new employee will be starting at Swarthmore and enter their information into the database.
  3. In order to establish a new account, a new account holder will need to initialize their account by visiting the Swarthmore password management page, setting up their security profile, and choosing a password.

NOTE: Accounts will be created for all employees, including temporary employees.

How does this affect my new employee?

When HR completes the information that qualifies an individual as an employee, an email will be sent to you notifying you that your employee's account has been created. There will be instructions in the email on any additional steps that you might need to take, along with information that you will need to convey to your employee so that they will be able to set up their account. It is your responsibility as a hiring manager to ensure that the employee receives this information.

What are these 'additional steps' I might need to take?

Some services cannot be provisioned automatically, either because there is not yet enough information about the employee to determine what additional services are required or because some systems, such as Banner, require that a hiring manager formally notify ITS in order to request specific access to information or processes within that system. Likewise, you may need to notify ITS about special requirements for your employee, such as phone number or extension instructions that only you can provide. The idea is to give you a way to have everything ready for your employee so that when they arrive, they'll have everything that they need. ITS has developed an on-line form for you to fill out to request these additional services. For more information on this form, see the 'Additional Services for Hiring Managers' handbook.