Identity management requires:
The University of Texas Health Science Center at Houston (UTHSC-H) has
five authoritative personnel databases. Specific criteria, including
identity verification, must be met by an individual prior to him or her
being entered into one of these databases and designated as having a specific,
active affiliation with the university. These databases are the
Positive identification of all persons officially affiliated with the University.
Identity reconciliation - ensures a single individual is not identified
as multiple persons.
Assigning a perpetual, unique identifier (uuid) to each person.
Providing each person with digital credentials for authenticating his/her
Creating a single entry for each person in the university's directory service
Associating each person's directory entry with attributes describing that
person's university affiliation(s).
Inactivating a person's directory entry and digital credentials upon termination
of all university affiliations.
An individual may have multiple affiliations with the university and hence
be listed in one or more of these authoritative databases. For example,
an individual having a common name of Jane Doe may initially join the university
as a faculty member and hence be entered into the HRMS system. At a later
time, she may also become a School of Public Health student at which time
the registrar enters her into the SIS database. Jane now has two distinct
affiliations with the university; however, there is no enterprise awareness
that the "Jane Doe" entry in each of the two databases represents the same
Human Resources Management System (HRMS) - defines all current UTHSC-H
Student Information System (SIS) - defines all current students,
Graduate Medical Education Information System (GMEIS) - defines all current
Medical School residents and fellows, and
- University of Texas Physicians (UTP) Personnel System - defines all current employees of UTP
Guest Database - defines all formally recognized guests currently having
access to any UTHSC-H information system.
It is critical that these two entries for Jane Doe be recognized as
representing the same individual. Otherwise, Jane will encounter multiple
problems as she tries to pursue her roles as both faculty and student.
For example, if the process that creates e-mail addresses for individuals
at UTHSC-H views the HRMS and SIS entries as representing two different
Jane Does, then the "real" Jane Doe will be assigned two different e-mail
addresses. If Jane tries to access specific restricted resources, those
resources may view her as being two separate individuals and require her
to have to different sets of authentication credentials.
Integrated Directory Service functions, in part, to provide the university
with an awareness that any particular individual may be listed in more
than one of the primary personnel databases; and that this person has a
variety of different roles and associated attributes. In order for the
Directory Service to "know" that a specific person is listed in multiple
authoritative databases, an "identity reconciliation" process examines
all people entries in the four databases and determines if two or more
of these entries refer to the same individual. Once all database
entries for a single individual are known, a single entry for that person
is entered into the UTHSC-H Directory Service along with certain attributes
obtained for that individual from each of the personnel databases. These
attributes describe critical aspects of that person's multiple roles and
affiliations with the university. The identity reconciliation process
is provided by the Integrated Directory Identity System (InDIS).
When an individual's attributes within one of the primary databases
are changed, or if that person no longer has an "active affiliation" with
UTHSC-H as defined by that database, the attributes associated with that
person's entry within the Directory Service are altered accordingly. When
an individual no longer has any active affiliation with the university,
then that person's entry in the Directory Service is designated as being
"inactive". After 30 days of inactive status, his or her status is switched
to "decay". Subsequently, a person's entry is removed from the Directory
Service if its status has been set to "decay" for six months.
Copyright © 2003 - 2006
of Texas Health Science Center at Houston