2013 IT Innovation Contest

A team-based contest for creative IT solutions

Application Access Management

Proposal Status: 

Project Description:

UCSF has a significant number of enterprise web applications in use; currently, 84 are listed on the MyAccess site. For many of these applications, access administrators must manually assign access to individuals, and there is no automated way to request access to an application. The objective of this project is to create a uniform and centralized process for members of the UCSF community to request and grant access to many of the systems across the enterprise.

Deliverables:

  • Create a request web application with a matrix of applications to enable an application request function
  • Modify the MyAccess web application with a link to the request web application
  • Modify the EDS to store what applications the user has access to
  • Provide the Access Administrator or Application Security Administrator with a way to update the EDS with access changes
  • Email notification for the requester, approver, and granter
  • Create reporting from the EDS

Impact on UCSF's mission and/or community:

UCSF can move to a more uniform and centralized process to request and grant access to applications across the university. Individuals with access to the existing MyAccess web site will be able to submit a request for access to an application listed in the proposed new web application, if that application's owner has worked to have it set up. A process will be defined for the setup, approval, and provisioning of access that will result in the following benefits:

  • A single place for 28,000+ users not just to log in to web applications but also to request access.
  • A defined process that ensures simpler access provisioning, leading to faster turnaround times and more opportunities for automation.
  • Better reporting and auditing of users and access to UCSF applications.
  • A more efficient service model for groups supporting the UCSF community (i.e., Service Desk, IT field service groups, administrative offices, etc.).
  • Moderate to significant cost savings, once all the phases are implemented, derived from operational efficiencies and better security management.

Team members, roles, %:

  • Rebecca Nguyen: Project Coordinator, 10-15%
  • Kevin Dale: Systems Analyst, 10-15%
  • Freddie Tai: Developer - Application, 20-30%
  • Mukesh Yadav: Developer - EDS, 20-30%
  • Mimi Sosa: SME, UAT, 10-15%
  • Orlando Leon: SME, UAT, 10-15%

Comments

This is great. I would love to see this in action. I have a nightmare being an access administrator to manage the entire department with all financial, personnel accesses and more. Though most of the requests are online, there is no single entry. Especially as I am the only access admin for the department, it makes my job even more challenging.

Good luck.

This is a much needed application to improve ease of access across UCSF, promoting an efficient and effective setup process for all users and adding controls to the process in allowing for monitoring of user access. This will take a lot of the mystery out of “where is my request” and “who does and doesn’t” have access.

Another benefit to managers managing larger groups is to have the ability to make sure that staff access is applicable to their roles as well as provide flexibility in mirroring access for new hires based on function. This should also assist with the onboarding and offboarding of temporary employees for both granting and terminating access. This would be very helpful for all. Good luck as you move forward.

I am happy to hear about this; it’s long overdue. Consolidating system application and auditing processes under one site is a great idea and would go a long way to saving access administrator time and reducing stress. As campus systems continue to evolve and proliferate, it makes sense to adopt a single storefront where all essential transactions and reports can occur. Let’s find a way to make this happen.

Yes, I think a centralized access request system would be great.

Currently I have to go through quite a few places – Weblinks, PeopleSoft (BearBuy, RAS & Journals), ERS, PAN reviewer, Advance, PI portfolio and Data Recharge each need a separate form that requires manual information entry (name, EID, email, phone, for me and the user). If the user is able to initiate the request (and I assume the user information would be prepopulated since they click through MyAccess), it would save me a lot of time.

The only thing I want to mention is that from the list of deliverables it wasn’t clear whether Access Administrators would have the ability to view current user access. I would think some kind of a lookup tool for Access Administrators would be important.

Currently Access Administrators do not have a way to look up existing user access (except Weblinks and BearBuy). I would have to do a search in my emails or use a recent audit report (not all systems are audited) to try to guess what the user had or check with the security administrator. Sometimes the changes I am making would affect other roles (like journal approver and journal preparer are related roles; if I remove a journal approver, I would need to figure out the list of preparers that I need to move) and sometimes the DA would like me to copy access to a replacement user. Having the ability to look up existing user access would avoid confusion and save time going back and forth with the security administrator/DA.

(submitted on behalf of MQ) I think this would be great. Intuitively users go to MyAccess to find an application. It’s there where they should request access. However the system needs to be more than a “request” system. For example if someone is requesting to be an approver for BearBuy, but this request conflicts with another user’s role in the dept., then the system needs to alert the requester that action cannot be taken for the following reasons. And there needs to be easy documentation for users to be able to read to select the correct permissions. The system needs to be able to check if prerequisites are met such as training. I think it’s important the system has intelligent programming and workflow, otherwise it’s just another request system with a new location.