Identity Management

Conceptual Overview

Identity management requires:
  • Positive identification of all persons officially affiliated with the University.
  • Identity reconciliation - ensures a single individual is not identified as multiple persons.
  • Assigning a perpetual, unique identifier (uuid) to each person.
  • Providing each person with digital credentials for authenticating his/her identity.
  • Creating a single entry for each person in the university's directory service.
  • Associating each person's directory entry with attributes describing that person's university affiliation(s).
  • Inactivating a person's directory entry and digital credentials upon termination of all university affiliations.
The University of Texas Health Science Center at Houston (UTHSC-H) has five authoritative personnel databases.  Specific criteria, including identity verification, must be met by an individual prior to him or her being entered into one of these databases and designated as having a specific, active affiliation with the university. These databases are the
  • Human Resources Management System (HRMS) - defines all current UTHSC-H employees,
  • Student Information System (SIS) - defines all current students,
  • Graduate Medical Education Information System (GMEIS) - defines all current Medical School residents and fellows, and
  • University of Texas Physicians (UTP) Personnel System - defines all current employees of UTP,
  • Guest Database - defines all formally recognized guests currently having access to any UTHSC-H information system.
An individual may have multiple affiliations with the university and hence be listed in one or more of these authoritative databases. For example, an individual having a common name of Jane Doe may initially join the university as a faculty member and hence be entered into the HRMS system. At a later time, she may also become a School of Public Health student at which time the registrar enters her into the SIS database. Jane now has two distinct affiliations with the university; however, there is no enterprise awareness that the "Jane Doe" entry in each of the two databases represents the same person.

It is critical that these two entries for Jane Doe be recognized as representing the same individual. Otherwise, Jane will encounter multiple problems as she tries to pursue her roles as both faculty and student. For example, if the process that creates e-mail addresses for individuals at UTHSC-H views the HRMS and SIS entries as representing two different Jane Does, then the "real" Jane Doe will be assigned two different e-mail addresses. If Jane tries to access specific restricted resources, those resources may view her as being two separate individuals and require her to have two different sets of authentication credentials.

The UTHSC-H Integrated Directory Service functions, in part, to provide the university with an awareness that any particular individual may be listed in more than one of the primary personnel databases, and that this person has a variety of different roles and associated attributes. In order for the Directory Service to "know" that a specific person is listed in multiple authoritative databases, an "identity reconciliation" process examines all people entries in the four databases and determines if two or more of these entries refer to the same individual. Once all database entries for a single individual are known, a single entry for that person is entered into the UTHSC-H Directory Service along with certain attributes obtained for that individual from each of the personnel databases. These attributes describe critical aspects of that person's multiple roles and affiliations with the university. The identity reconciliation process is provided by the Integrated Directory Identity System (InDIS).

When an individual's attributes within one of the primary databases are changed, or if that person no longer has an "active affiliation" with UTHSC-H as defined by that database, the attributes associated with that person's entry within the Directory Service are altered accordingly. When an individual no longer has any active affiliation with the university, then that person's entry in the Directory Service is designated as being "inactive". After 30 days of inactive status, his or her status is switched to "decay". Subsequently, a person's entry is removed from the Directory Service if its status has been set to "decay" for six months.
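
The lifecycle described above, as an added Python sketch that is not UTHSC-H or InDIS code: one reconciled directory entry gathers affiliations from several source databases, stays active while any affiliation remains, and then moves through "inactive" and "decay" to removal. The names Entry, update_affiliation, credentials_enabled and sweep are hypothetical, and two behaviours are assumptions because the page does not specify them: "six months" is taken as 183 days, and a new affiliation reactivates an inactive or decaying entry.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INACTIVE_TO_DECAY = timedelta(days=30)   # stated on the page
DECAY_TO_REMOVAL = timedelta(days=183)   # assumption: "six months" taken as 183 days

@dataclass
class Entry:
    uuid: str
    affiliations: dict = field(default_factory=dict)  # source database -> attributes
    status: str = "active"
    since: Optional[date] = None                      # day the current status began

def update_affiliation(entry, source, attrs, today):
    """Apply a change from one source database; attrs=None ends that affiliation."""
    if attrs is None:
        entry.affiliations.pop(source, None)
    else:
        entry.affiliations[source] = attrs
    if entry.affiliations and entry.status != "active":
        entry.status, entry.since = "active", today    # assumption: a new affiliation reactivates
    elif not entry.affiliations and entry.status == "active":
        entry.status, entry.since = "inactive", today  # last active affiliation has ended

def credentials_enabled(entry):
    """Digital credentials are valid only while some affiliation is active."""
    return entry.status == "active"

def sweep(directory, today):
    """Advance inactive -> decay -> removed; returns the uuids removed on this run."""
    removed = []
    for uuid, e in list(directory.items()):
        if e.status == "inactive" and today - e.since >= INACTIVE_TO_DECAY:
            # Backdate to the true transition day so a late sweep does not extend retention.
            e.status, e.since = "decay", e.since + INACTIVE_TO_DECAY
        if e.status == "decay" and today - e.since >= DECAY_TO_REMOVAL:
            del directory[uuid]
            removed.append(uuid)
    return removed

if __name__ == "__main__":
    # Constructed sample: one reconciled person with HRMS and SIS affiliations.
    jane = Entry("uuid-0001", {"HRMS": {"role": "faculty"}, "SIS": {"role": "student"}})
    directory = {jane.uuid: jane}
    update_affiliation(jane, "HRMS", None, date(2006, 1, 1))
    print(jane.status, credentials_enabled(jane))      # still a student
    update_affiliation(jane, "SIS", None, date(2006, 2, 1))
    print(jane.status, sweep(directory, date(2006, 3, 3)), jane.status)
```

Because the status is derived from the set of remaining affiliations and not from any single feed, losing one affiliation never disables credentials while another is still active.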

Academic Technology
Copyright © 2003 - 2006 The University of Texas Health Science Center at Houston
