Identity management (IDM) at the University of Twente

Identity management (IDM) is part of IT security and enables staff members, students or guest users (external parties) to access the right ICT facilities at the right time and for the right reasons.

IDM covers all of those processes and techniques involved in the management and use of electronic identity data. Electronic identity data is used for the authentication, authorization and personalization of services. The data involved (generally in the form of an ICT account) is used to establish who you are and whether you have the authorization to access a service (often an ICT facility, such as an email account, the electronic learning environment, etc.). The processes cover the entire life cycle of an electronic identity, from the time of enrolment (or appointment) to the end of the study programme (or termination of employment).

The technology involved comprises several information systems that are connected to each other. The Twente Account Provisioning (TAP) system is the system that creates, modifies or disables ICT accounts (also called 'provisioning' for short).

TAP offers the following functionality:

· Retrieves staff details from the HR information source holding staff data.
· Retrieves student details from the Osiris information source holding student data.
· Saves data for external accounts (non-staff members and non-students).
· Issues an initial password and a unique email address for new users of an ICT account.
· Defines the conditions under which a user receives an account and the length of time that account remains valid (Life Cycle Management).
· Provides personal email and account information to the various systems, including Oracle and Blackboard (Account Provisioning).
· Defines the requirements for the creation of passwords and email addresses (password & email policies).
· Ensures monitoring along the entire provisioning chain.
· Makes a self-service web application available in which all users can change their password and staff can manage their email aliases.
· Makes a web application available to administrators in which various roles are defined for changing user passwords, monitoring the status of an account (along with all of the associated account resources), or disabling and re-enabling accounts.
· Offers the possibility of entering and managing external users for applications such as Blackboard.
· Compiles files for sending to students and staff along with the welcome letter.
· Sends a notification by email to users whose account will soon expire.
· Sends a password change request by email to users whose password validity will soon expire.

The personal and contact details of staff and students in TAP are refreshed several times a day using the HR and Osiris source systems respectively. TAP processes any changes within an hour. The disabling of an account is processed immediately.

New staff and students receive a welcome letter, an email address and an account with an initial password.

The account details for new external parties and Blackboard users are sent by email to the non-UT email address that was submitted when the account was requested.

TAP synchronizes all account details with the various systems, including Blackboard, for example. TAP supplies the data required for authentication purposes to the two authentication directories, AD (primarily workplace related) and OID (primarily application authentication). During the authentication process, a check is made to see whether the account is active, whether it has been deleted or disabled, and whether the password supplied is the account's current password.

Account termination

· Accounts are disabled once they have reached their termination date.
· The termination date for an account is determined on the basis of the date on which the person's relationship with the University ends, extended by a specific transitional period.
· Individuals receive a notification of termination by email one month before the termination date. The notification states the date on which the account will be closed.
· Individuals are still able to log in and use the ICT facilities on offer during the transitional period so that, for example, they can transfer emails and files to personal drives.
· If an account is terminated, it is allocated a disabled status in TAP and access is denied. The resources (email, files) associated with the account are, however, retained.
· The account can only be deleted once the retention period for the resources has expired.
· The length of the transitional period, the retention period and the way in which an individual's relationship with the UT comes to an end differ for each target group.

Target group | When the relationship ends | Length of transitional period | Retention period (email plus home drive)
Bachelor's or master's student | Expiry date of last enrolment | 100 days | 1 year
Non-bachelor's and non-master's students | Expiry date of last enrolment | 1 month | 1 year
Administrative and support staff | Expiry date of last appointment | 1 month | 4 years
Doctoral candidates | Expiry date of appointment, or date of doctoral degree defence and ceremony if this is after the expiry date | 12 months | 4 years
Academic staff | Expiry date of last appointment | 12 months | 4 years
External parties | The expiry date can be set to a maximum of 1 year from the opening of the account (extensions are possible). If the applicant leaves his or her position, an alternative applicant must be entered. | No transitional period | No email account

Terminology | Description / explanatory notes
AD | Active Directory, from which all Microsoft services (particularly the workplace) are supplied.
External parties | Individuals who are not students or staff and temporarily need access to the UT's IT facilities, for example internet access.
Identity management functionality | Account creation, modification, termination and monitoring of account life cycles.
IDM | Identity Management or Identity and Access Management.
HR information source | The UT's staff information system.
Osiris information source | The UT's student information system.
Non-bachelor's and non-master's students | Students not enrolled at the UT who do follow a number of courses, non-funded programmes or an educational programme at the ITC.
Oracle OID | Oracle Internet Directory; account information for web applications / Oracle applications.
Provisioning | Creation and management of account life cycles.