Last modified on: 06/11/2010
Description
Nebraska Directory Services (NDS) is a centralized identity and access management service which enhances security and streamlines the management of employee, client, and partner access to applications, buildings, and services.
Nebraska Directory Services provides:
- Enhanced Security
- Single/reduced user ID and password to e-mail and applications
- User self-service for resetting passwords and updating personal information
- User provisioning (management: creation, modification, termination)
- Role-based access to applications
- Streamlined user administration
- Available without rebuilding existing systems
- Available without changing the way you do business
- Plug-in technology, security need not be built into each application
- Enhanced auditing opportunities
- State Employee Pictorial Directory (eGuide) and organization information
- Portal technology available, customizable for personal productivity

Business Value
Enhances security. Nebraska Directory Services provides a competent security infrastructure available to all agencies, thus removing the need for duplication of expenditure and knowledge.
Streamlines employee management. Nebraska Directory Services allows for the one-stop setup of system IDs and application accesses for new employees, including the setup of building access (if controlled by a card access system). Nebraska Directory Services can also integrate requests for telephones, workspace, PCs, etc. The system also facilitates quick, one-stop revocation of a terminated employee’s access, reducing security exposures.
Simplifies application development. With Nebraska Directory Services, applications can be developed more quickly and at reduced expense since custom security code is not required. Office of the CIO has seen an approximately 25-30% saving in development, because the security has already been built.
Offers convenience to users. Users can use a single password to access e-mail and other applications. Users can reset passwords and update personal information.
These features save staff time and user frustration.
Customer Profile
State agencies, boards, and commissions; political subdivisions (e.g., cities, counties, community colleges and school districts); and federal agencies using Web-enabled applications requiring user authentication
Major Cost Drivers/Cost-Saving Tips
- Make full use of the Nebraska Directory Services infrastructure to provision and de-provision users.
- Because some problems are self-rectifying, prior to calling the Help Desk, close all browsers. After three minutes or longer, re-open a new browser.
Service Cost
CIO Services Catalog (pdf)
Section: Computer and Network Security Services
Price
The service is included in Web-based applications.
How to Order Service (Service Procurement)
Available upon user account creation.
Responsibilities for Service Delivery
Customer Responsibilities
- To utilize new user provisioning, the agency administrator should define roles, rules, applications and resources (e.g. building card access, read access to NIS, Lotus Notes ID) which are agency specific for setting up all new hires prior to arrival (i.e. zero-day start).
- The application administrator is responsible for the administration of access control to individual applications or functions.
- Individual users are responsible for resetting passwords and updating personal information.
- Agencies are responsible for providing the ability to remove access to all applications and accounts upon termination of user.
Office of the CIO Responsibilities
- Office of the CIO is responsible for maintaining the health of the infrastructure.
- Office of the CIO will develop access controls for Web applications.
- Office of the CIO can provide centralized user administration (optional).
Service Goals
The enterprise directory will be highly available, engineered via redundancy, load balancing and failover:
- Directory Authentication to applications will be available 99.99% of the time.
- Measurements are gathered continuously and reported upon request.
Customer Prerequisites for Quality Service
Customers should provide detailed business processes for the assignment of access controls/roles/rights to individuals and/or groups. For example, the Administrator Function would have the responsibility (or role) of deleting users. This function would be assigned to certain individuals or classifications of employees.

| Sample Business Function | Sample Role | Sample Assignment |
| --- | --- | --- |
| Administrator Function | Delete User | Steve Smith, OCIO Administrators |

Support (Communications Procedure)
- Contact the Office of the CIO Help Desk by calling 471-4636 or 800 982-2468 or e-mail Helpdesk@nebraska.gov.
- Help Desk (GWI) ticket is created and priority assigned.
- Ticket is tracked/tickled until resolution which includes customer notification of resolution.
Glossary/Expanded Explanations
Single User ID and Single Password - Allows the user to sign on once to NDS and then once to a specific application(s) with a password. This initial application sign-on is the confirmation that the person signing in is the same as the person signed on to NDS. Once signed into an application, future sign-on to that application is not required.*
*Until the password expires and then only to change/update the password.
2-Factor Authentication - Logon process that requires a password or PIN plus another device such as a smartcard, biometric reader (e.g. fingerprint or retina scanner) or one-time-use numeric key fob.
Provisioning - Provisioning is where IT provides employees and external partners with user names and passwords, resets passwords when users forget them, and removes user accounts when someone leaves the company or changes jobs (roles) internally.
Zero-day start - Provision Active Directory and Domino accounts, in addition to applications, building access, RACF, etc…
Role-Based Authorization - Users are only allowed to see the information they are cleared to access. Restrictions with regard to read, write, and delete capabilities are also granted based upon their role. This greatly reduces the amount of administration while at the same time increasing the level of security.
Enhanced Security - Single access to the State network, eliminating multiple entry points to the State network.
Secure API for Development - The API is a proven, secure, standards-based LDAP authentication and authorization mechanism that can now be leveraged by any developer, regardless of their experience or skill level.
Office of the CIO has seen an approximately 25-30% saving in development, because the security has already been built.
Streamlined Administration
- Central directory – A repository for managing all users.
- Delegated / centralized administration – Administration can be carried out either centrally or it can be delegated to the agency or their designated resource.
Single User Repository - When John Smith changes his e-mail address today, he must contact each individual application and/or agency to request a change to his profile, or risk losing access to some or all functions within that application. By employing a single user repository, when John Smith’s e-mail is changed, all agencies and applications can have that change ‘pushed’ to them programmatically, instantly.
User Self-Service - Users will have the opportunity to reset their own passwords via a forgot password link. This will require the user to correctly answer 3 security questions. If successful, their old password is e-mailed to them, and they are prompted to change their password immediately.
Users will also have the opportunity to update personal information, such as pager number, cell phone, home address, etc. In the future, this data will be synchronized with other repositories (NIS, Active Directory, and Lotus Notes). See Single User Repository.