Identity management at the Prague City Hall
Let’s take a look at how this issue was approached by the Municipality of the Capital City of Prague. Prague (hereafter referred to as MHMP), where they chose the open-source product IdM midPoint and the implementer AMI Praha a.s. as a tool for identity management.
From an IT perspective, MHMP as one of the municipalities in the Czech Republic has a total of approximately 2,500 physical users and over 70 different applications and systems. Similarly to other large institutions, it has developed its own user management and rights allocation processes during its existence in the information age. These have been relatively efficient in a number of respects, but at the same time difficult to transfer to an automated environment. At the same time, there were processes that were chargeable to a non IdM environment such as “Please assign Mr. XY the same rights as Ms. YZ”, which is very challenging in terms of ensuring currency and sustainability in such a large institution and number of applications.
Goals and expectations
Therefore, MHMP approached the new project in a rigorous manner and set the goal of creating a system that does not allow identity operations – creation, changes, termination, assignment and removal of roles – outside of the processes controlled by IdM midPoint. A necessary requirement was the reversible auditability of these operations. The goal was, among other things, to build a system that would guarantee MHMP’s compliance with the Cybersecurity Act and the applicable data protection legislation (GDPR) in their respective chapters.
The aim and de facto expectation was therefore to ensure user lifecycle management and access control to the MHMP end systems (meaning the office’s agendas), to gain control over any changes at the level of users’ organisational classification and to ensure that changes are automatically reflected in the end systems.
By implementing IdM to the required extent, the expected benefits of the project have been achieved:
- acceleration of access allocation to end systems,
- elimination of errors in assigning permissions (by removing the human factor),
- increasing security and manageability by centralising permissions management,
- supporting the enforceability of security policies in the area of password complexity,
- automating the creation of the basis for regular audits (who has access to which end systems, when and on what basis),
- managing roles with conflicting permissions (SoD),
- simplification of permissions management by creating a system of business roles (in the future, it will be possible to use the functionality of certification campaigns for regular verification of their actuality),
- automation of selected operations through rules,
- logging of all operations and support for audits.
Overall, the introduction of IdM has therefore speeded up and simplified the processes associated with the allocation of user permissions, automated the updating of permissions in end systems based on changes in the HR agenda and increased security and visibility of user access to end systems.
Analysis and design
IdM implementation projects require a comprehensive analysis of existing and required processes and functionalities, and this was no different in the case of the MHMP. The main tasks of the analytical part of the project were:
- map the existing general identity and permissions management processes,
- to identify what applications and systems MHMP actually use for identities,
- to analyse in detail the management of users, roles and, if necessary, the organisational structure in the systems and applications whose connection was required in the tender documentation.
Our team held analysis meetings with participants across the authority – representatives from internal application and infrastructure management, security, HR and, last but not least, representatives from the contractors to whom MHMP has delegated a number of IT technology management activities.
We cannot confirm the frequent statement about state and public institutions that “the left hand does not know what the right hand is doing”, we were pleasantly surprised by the regular information from parallel running projects. This has allowed us to use some of their outputs and to make our overall efforts more efficient.
For all systems, the MHMP has two types of guarantors – substantive, responsible for ensuring that the system correctly fulfills its “business” role in the institution, and technical, responsible for day-to-day operations. When analysing specific systems, we worked with information from both types of guarantors and, in the next phase, directly from the application suppliers.
Unsurprisingly, in general, all the MHMP staff we needed to speak to are very time-consuming. So the first big challenge of the analysis part was to get the right people together in the meeting room as soon as possible. And it was time to get started.
Our deliverable was a draft IdM implementation that counted on the HR system as the authoritative source of identities. There is a core set of accesses that are then automatically assigned to all new employees (Active Directory, agency systems). Managers request access to other applications for their subordinates. The advantage over the status quo is that once approved, IdM automatically establishes the access in the application via the integration interface, eliminating manual intervention by the administrator who is only notified of the access creation.
An important part of the design is the integration to the internal Service Desk, the aim of which was to maintain a single point of contact for end users. Thus, for example, if a manager wants to request access, he first goes to the Service Desk, from where he is automatically redirected to IdM at a certain step, where he selects a specific system and role. After confirmation, the approval process is started in IdM, which is fully integrated with the approval process in the Service Desk. Users find their items for approval in the same place as before, they are not forced to go to another system.
The IdM concept of the MHMP also foresees interfacing with individual municipal districts and municipal organizations, among other things, in order to manage users for the systems that the MHMP operates for some municipalities and MOs.
The easiest way to connect IdM to the end system is if the managed system uses Active Directory or a directory server available through LDAP as a user source. In other cases, it is necessary to build an integration interface using web services or a direct connection to the database.
Providing the interface on the managed systems side is the biggest risk to the project schedule. We encountered systems that had user management interfaces already in place, but also cases where the interfaces needed to be created or modified by their vendors, i.e. in the MHMP mode, to ensure the interaction of these vendors.
After the actual implementation, which was carried out by our experienced team according to the proven project methodology, the joint testing phase followed and thus again gathering busy project colleagues. Having representatives from all roles involved in the user management processes in one room proved very useful. This way we limited possible misunderstandings during remote communication.
At MHMP, manual identity management processes had been in place for a very long time and therefore change was not easy. We soon understood why our client-side partners emphasized the need for frequent visits to the right people and internal marketing in general.
Identity management cannot be imagined without clearly defined procedures. The project therefore included suggestions for changes to internal methodologies, setting up new responsible people and processes and of course the usual types of documentation, backup and disaster recovery plans and user manuals for the roles involved.
Current status and next steps
Currently, IdM at MHMP provides identity transfer from the HR system to Active Directory and user and access (role) management in several core systems, including the access card management application.
The implementation part of the project continues and in 2019 a total of approximately 20 systems will be connected to IdM. MHMP’s long-term goal is to use IdM to manage identities across all applications. However, their integration is not a prerequisite for achieving the main goal of managing the creation of all identities and assigning their rights via IdM. The system already manages all internal and external users and includes roles for applications that will not be connected online. IdM midPoint thus allows to keep track of access requests and actually assigned roles for all MHMP applications.
The Identity Management deployment project at MHMP has been and continues to be a great experience for both the customer and vendor side teams. The cooperation is now facilitated by the fact that we can see concrete and tangible results with clear added value behind the joint work.
Author: Petr Urban
This article was published in Egovernent 1/2019