This case study examines the enterprise Identity Management implementation undertaken at the Queensland Department of Education and Training in partnership with UNIFY Solutions. It is the second study in the series and provides an insight into the execution of the Identity Management implementation plan to achieve the Target Architecture discussed in the first case study on strategy and building the compelling business case.
To achieve great things, two things are needed: a plan and not quite enough time.
As a result of the long-term, productive partnership between UNIFY Solutions and the Department of Education and Training, teachers, students and staff now have 24 x 7 online access to the information and applications needed to support teaching and learning in the 21st Century.
The future challenge and opportunity for the Department is to evolve the IDM platform to meet the increasing demand for access to digital services anywhere, anytime, on any device. Having a trusted strategic partner providing independent advice, certified IDM specialists and trainers, ensures the Department is in a strong position to meet these challenges and opportunities now and into the future.
A critical input into the Synchronisation Matrix was the IDM implementation sequence of components and deployment schedule phased across multiple years in consultation with key business units. The introduction of effective, streamlined security and authentication processes in order to provide secure, simplified access to information and services as envisaged by the ‘Smart Classrooms’ strategy in 2005 was realised in 2009.
Each of these major initiatives created either an upstream or a downstream dependency on the identity and/or access management components of the IDM system. To document, track and de-conflict these dependencies, an eBusiness Program Office was established in the Office of the CIO to provide governance and coordinated oversight of these initiatives. Two key outputs of the eBusiness Office were a high-level roadmap and planner for schools and business units, and a detailed Synchronisation Matrix which mapped each dependency and assigned owners. The Office also held quarterly forums of Senior Responsible Owners to provide updates and mitigate impacts of schedule changes.
Each school had access to view its own data only, and the tool was refreshed overnight, which enabled schools and the data quality team to check progress. Schools were scheduled and, if needed, rescheduled depending on the quality of their user identity data. Full achievement of the Identity Target Architecture was a four-year journey for the Department, during which time a number of business critical applications were deployed, including a new centralised school administration system, major HR system upgrades, SAP Finance integration, eLearning systems, etc.
To meet this challenge and ensure the readiness of schools and business units prior to the rollout of IDM, a dedicated data quality team was established to support schools to address data errors prior to the deployment.
As a tactical response to assist schools in lifting the data quality, a web-based tool was built to provide schools with a view of all local users and key identity attributes. The tool marked and colour coded any data errors, duplicates and other identity issues, alerting the local Identity champions to correct them in the school management system.
An IDM Project Office was established in partnership with UNIFY Solutions to ensure alignment with Department and Queensland Government Enterprise Architecture (QGEA) Policies. The key roles and responsibilities of the IDM Project Office were to:
- Define and document the IDM business rules, policies, dependencies, and governance.
- Deploy a provisioning capability to support all Staff and Students within the new Managed Operating Environment (MOE) being rolled out to all 1300 schools.
- Develop an Access Management Framework to support business critical applications including a departmental intranet, enterprise email and internet access and eLearning systems which were then used as a mandatory business requirement for the subsequent tender process.
- Procure an Identity and Access Management solution in alignment with the IDM Strategy, including a deployment and support model.
- Integrate key Primary Systems including HR, and the school management system(s).
- Continue to integrate systems based on business priorities.
A significant challenge to the implementation was the lack of a single authoritative source for users and the required identity attributes. A further complication was the quality of data in multiple repositories and directories, which resulted in high numbers of duplicate identities and key attribute errors.
In order to execute the IDM implementation plan, the Department established the ICT Support Services for Schools (ISSS) Program to lead the implementation of an enterprise platform. The ISSS Program acted as a Program Delivery Office (PDO) and was responsible for the coordinated delivery of the following to every school and business unit:
- Development and deployment of a new Managed Operating Environment across the entire fleet of 200,000+ workstations, 2000+ servers, 12000+ network switches and routers
- Establishment of a central IT Service Centre
- Network bandwidth maximisation
- Identity Management
The first three initiatives were essential precursors to the IDM implementation. The PDO acted as a scheduling authority and conducted detailed forward planning to ensure sufficient lead time for readiness activities and the availability of specialist resources at the point of implementation which occurred in sequence at each of the 1300+ locations.
In response to this complex, distributed, unmanaged environment, a future state IDM system was defined as an integrated system of business processes, policies, and technologies that would enable teachers, students and staff access to departmental applications and resources — while protecting confidential personal and business information from unauthorised access.
The system would provide user registration, streamlined security and authentication processes, access rights and restrictions, account profiles, passwords, and other attributes required to support a ‘single student record’ and provide students, teachers, staff and eventually parents with secure, simplified access to information and services appropriate to their role.
UNIFY Solutions were appointed as the primary Identity Management Strategic Partner in 2006 following the release of a tender and establishment of EDPSA -132 - Identity Management Specialists.