Identity Management
Learn how the access and use of university systems and resources are managed and why it's important.
Identity and Access Management (IAM) provides the policies, platforms and processes to protect the university’s digital assets by defining and monitoring who, what, how, when and where those assets are accessed. 185,000 students, employees, alumni and guests interact with university systems more than 6 million times each year, and users with even minimal access can pose a huge threat to the security of the university.
The IAM team provides services to mitigate threats:
- Single Sign-On (SSO)
- Active Directory (AD) Authentication/Authorization
- Business Systems Authentication/Authorization
- Duo Multifactor Authentication (Two-Step Login)
- Security Group Access Management
User Access
Based on the information in a person’s Digital Identity Record, IAM uses their current role, level and situation to determine the list of resources and access that person is eligible for. This list is re-evaluated automatically each time a change is requested for the person.
For each eligible resource, IAM determines whether the user may reach it directly or only through a Virtual Private Network (VPN), whether Two-Step Login is required, and whether membership in a special security-cleared group is needed to gain access.
Location and Time of Access
In addition to determining the types and methods of user access, IAM monitors the times and locations from which users log in to digital resources. Access to UC San Diego resources can be limited by location, for example to US Territories only. Access can also be denied when a user is logging in from geographical areas associated with known security threats.
As attackers become more skilled at manipulating users into exposing their credentials, IAM will soon rely on Machine Learning and Artificial Intelligence to build user behavior models for monitoring and alerting. These models could even cut off access automatically when a user’s action does not fit their behavior model:
Say a user always connects to resources between 9 a.m. and 5 p.m. from San Diego, California, and the system suddenly receives a connection attempt from Moscow at 3 a.m. There is a strong possibility that this login is a threat, and access should be cut off.
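The access decisions described in the User Access and Location and Time of Access sections above, as an added worked example. This is illustrative code written for this page, not UC San Diego's IAM implementation: the resource table, country codes, the role and group names, and the user "alice" with her login history are all constructed. It shows a role- and group-based eligibility list, the VPN, Two-Step Login, and location checks applied per resource, and a crude behavior baseline (usual city plus observed hour range) that flags the "Moscow at 3 a.m." pattern even when the connection passes the static policy.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed policy table (an assumption for this example, not UC San Diego's
# actual configuration). Each resource lists who is eligible, whether it must be
# reached through the VPN, whether Two-Step Login is required, and which
# security-cleared group, if any, a user must belong to.
RESOURCES = {
    "course_portal":  {"roles": {"student", "employee"}, "vpn": False, "two_step": True, "group": None},
    "hr_payroll":     {"roles": {"employee"},            "vpn": True,  "two_step": True, "group": None},
    "research_vault": {"roles": {"employee"},            "vpn": True,  "two_step": True, "group": "sec-cleared"},
}
ALLOWED_COUNTRIES = {"US"}   # "US Territories only", simplified to a country code
BLOCKED_COUNTRIES = {"ZZ"}   # placeholder code for areas excluded on threat grounds


@dataclass
class Identity:          # the subset of a Digital Identity Record this example needs
    user_id: str
    role: str
    groups: frozenset


@dataclass
class LoginAttempt:
    user_id: str
    resource: str
    country: str
    city: str
    when: datetime
    via_vpn: bool
    two_step_passed: bool


def eligible_resources(identity):
    """Resources the person is eligible for, derived from role and group membership."""
    return sorted(name for name, req in RESOURCES.items()
                  if identity.role in req["roles"]
                  and (req["group"] is None or req["group"] in identity.groups))


def build_baseline(history):
    """Crude behavior model: the most common login city plus the observed hour range."""
    cities = Counter(a.city for a in history)
    hours = [a.when.hour for a in history]
    return {"city": cities.most_common(1)[0][0], "start": min(hours), "end": max(hours) + 1}


def evaluate(identity, attempt, baseline):
    """Return (decision, reasons). Static policy violations deny outright; a
    deviation from the baseline is reported separately so it can be alerted on."""
    if attempt.resource not in eligible_resources(identity):
        return "deny", ["not eligible for resource"]
    req = RESOURCES[attempt.resource]
    reasons = []
    if attempt.country in BLOCKED_COUNTRIES or attempt.country not in ALLOWED_COUNTRIES:
        reasons.append("location not permitted")
    if req["vpn"] and not attempt.via_vpn:
        reasons.append("VPN required")
    if req["two_step"] and not attempt.two_step_passed:
        reasons.append("Two-Step Login required")
    if reasons:
        return "deny", reasons
    in_hours = baseline["start"] <= attempt.when.hour < baseline["end"]
    if not in_hours and attempt.city != baseline["city"]:
        return "deny_anomaly", ["outside usual hours from an unusual location"]
    return "allow", []


# Constructed sample data: an employee who normally logs in 9-5 from San Diego.
ALICE = Identity("alice", "employee", frozenset({"sec-cleared"}))
HISTORY = [LoginAttempt("alice", "hr_payroll", "US", "San Diego",
                        datetime(2024, 3, d, h), True, True)
           for d, h in [(4, 9), (5, 11), (6, 14), (7, 16)]]
BASELINE = build_baseline(HISTORY)

SCENARIOS = {
    "normal":   LoginAttempt("alice", "hr_payroll", "US", "San Diego", datetime(2024, 3, 8, 10), True, True),
    "moscow":   LoginAttempt("alice", "hr_payroll", "RU", "Moscow", datetime(2024, 3, 8, 3), True, True),
    "odd_hour": LoginAttempt("alice", "hr_payroll", "US", "Chicago", datetime(2024, 3, 8, 3), True, True),
    "no_vpn":   LoginAttempt("alice", "research_vault", "US", "San Diego", datetime(2024, 3, 8, 10), False, True),
}


def run_scenarios():
    """Evaluate every constructed scenario against Alice's identity and baseline."""
    return {name: evaluate(ALICE, a, BASELINE) for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_scenarios().items():
        print(f"{name:9s} -> {decision} {reasons}")
```

The "odd_hour" scenario is the interesting one for the behavior-model discussion: the connection is inside the permitted territory, on the VPN, and passed Two-Step Login, so static policy alone would allow it, and only the comparison against the learned baseline flags it. In a production system the baseline would be far richer than a city and an hour range, and an anomaly would usually trigger a step-up challenge or an alert before a hard cut-off.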
The Enterprise Identity Management (EIM) Project
The Enterprise Identity Management project was chartered to create a unique digital identity record for each individual who interacts with university systems and resources, established at that person’s first interaction with the university. This digital identity would be stored in a central location, creating a single authoritative source for each individual’s identity, maintained and managed throughout their time with the university.
University system administrators could consult Digital Identity Records to confirm that a user already has a record before assigning roles and system access. As existing users change roles or status with the university, this registry and match system reduces the chance that multiple accounts are created for a single person and helps ensure that role assignments, access changes and updates are applied to the correct person.
EIM Status
Before the launch of the completed EIM system, a failure was detected in the selected user registry and match system. After extensive testing and assessment, it was decided that the best option was to cancel the launch of EIM. Effective November 1, 2023, the project was canceled. However, work continues on supporting systems and on integration with systems outside EIM while the team and leadership investigate options for a new registry and match system that will meet the university’s needs.
Visit esr.ucsd.edu/eim for more background on the EIM project and its closure, or contact the IAM team at identitymangement@ucsd.edu.