Completion Report
Project Summary:
Workpackage 1 (WP1)
eAuth currently sits on the ColdFusion 9 (CF9) platform hosted on Windows. CF9 ceases to be supported by Adobe at the end of this (calendar) year and by default requires upgrading to ColdFusion 11 (CF11) hosted on Linux (the host of preference).
It was an ideal opportunity to implement the Bamboo automated build, test and deploy coding application.
Workpackage 2 (WP2)
Leavers of the University
Workpackage 3 (WP3)
Internal University Transfers - De-Scoped
Summary for WP2 & WP3:
When staff/students/researchers etc. leave the University or change status, there is no formal process to remove their access to financial downstream systems. This could potentially result in unauthorised people gaining access to confidential information or submitting financial claims. This proposal is to review and enhance the process of de-provisioning user accounts so that access to financial systems is withdrawn in a timely manner. External Auditors raised this as a management letter concern when auditing the financial accounts last year. Architecture group have also raised this as a concern. Finance management has committed to Audit & Risk that action will be taken on this matter.
Scope:
| No | Description | Project stayed within scope? (Yes/No); Reason if not. |
|---|---|---|
| WP1-S1 | Linux ColdFusion 11 - decommissioning of eAuth CF9 | Yes |
| WP1-S2 | Bamboo automated build, test and deploy coding application | Yes |
| WP2-S1 | All leavers with access to any/all financial downstream systems. | Yes |
| WP2-S2 | eAuth: Financial downstream systems | Yes |
| WP3-S1 | All internal University transfers with access to any/all financial downstream systems. | No - De-scoped - PICCL #4 WP3 more complex than first imagined |
| WP3-S2 | eAuth: Financial downstream systems | No - De-scoped - PICCL #4 WP3 more complex than first imagined |
Objectives:
| No | Description | Objective Met? |
|---|---|---|
| WP1-O1 | Workpackage 1. Like for like working | Yes |
| WP2-O1 | Workpackage 2. De-provision unauthorised user accounts in a timely and automated fashion. | Yes |
| WP3-O1 | Workpackage 3. De-provision unauthorised user accounts in a timely and automated fashion. | No - Objective de-scoped - PICCL #4 WP3 more complex than first imagined |
Deliverables:
| No | Deliverable Description | Deliverable Met? |
|---|---|---|
| WP1-D1 | Upgrade eAuthorisation from CF9 from the Windows hosting (Compliance) onto CF11 Linux hosting (Discretionary). | Yes |
| WP1-D2 | Implement Bamboo automated deployment tool | No - It was not deployed as part of FIN115, but deployed later as part of FIN111 |
| WP2-D1 | Draft and formalise a process for the de-provisioning of unauthorised user accounts. | Yes |
| WP2-D2 | Draft a policy framework for leavers | Yes - documented on Wiki https://www.wiki.ed.ac.uk/display/Finance/eAuthorisations+Help |
| WP2-D3 | Automate the de-provisioning of manual financial downstream systems user accounts. | Yes |
| WP3-D1 | Draft and formalise a process for the de-provisioning of unauthorised user accounts. | No - de-scoped |
| WP3-D2 | Draft a policy framework for transfers | No - de-scoped |
| WP3-D3 | Automate the de-provisioning of manual financial downstream systems user accounts. | No - de-scoped |
Benefits:
| No | Description | Benefit Realised? |
|---|---|---|
| WP1-B1 | Application long-term viability (extending the lifetime of the servers/CF version), future proofing and consistent approach to Finance applications. | Yes |
| WP1-B2 | Automated deployment, removes errors associated with manual deployments | No - it ended up being manually deployed due to problems faced at the beginning of the project. |
| WP1-B3 | Linux: virtualised capacity increase capability | Yes |
| WP2-B1 | Increased security of financial systems | Yes |
| WP3-B1 | Increased security of financial systems | No - De-scoped in PICCL #4 WP3 more complex than first imagined |
Success Criteria:
| No | Description | Criteria Met? |
|---|---|---|
| WP1-SC1 | Like for like working | Yes |
| WP2-SC1 | External Auditors are satisfied that their concerns regarding leavers have been addressed and are no longer applicable | The recommendations are addressed. This can only be confirmed the next time External Auditors are on site. |
| WP2-SC2 | Architecture Group are satisfied that their concerns regarding leavers have been addressed and are no longer applicable | Yes (Dave Berry confirmed 06/06/2017) |
| WP2-SC3 | Audit & Risk are satisfied that Finance Management have delivered on their commitment regarding leavers | Yes (Confirmation received from Noel Lawlor - Chief Internal Auditor, Internal Audit - 21/07/2017) |
| WP3-SC1 | External Auditors are satisfied that their concerns regarding movers have been addressed and are no longer applicable | No - De-scoped in PICCL #4 WP3 more complex than first imagined |
| WP3-SC2 | Architecture Group are satisfied that their concerns regarding movers have been addressed and are no longer applicable | No - De-scoped in PICCL #4 WP3 more complex than first imagined |
| WP3-SC3 | Audit & Risk are satisfied that Finance Management have delivered on their commitment regarding movers | No - De-scoped in PICCL #4 WP3 more complex than first imagined |
Analysis of Resource Usage:
Staff Usage Estimate: 100 days
Staff Usage Actual: 168 days
Staff Usage Variance: 68%
Other Resource Estimate: N/A
Other Resource Actual: N/A
Other Resource Variance: N/A
Explanation for Variance:
20 days were on account of challenges that impacted Workpackage 1 (WP1) development, due to eAuth not being completely understood and existing issues with the system (specifically the export function, expenses and search function), as referenced in Change #6.
10 days were on account of requests for further development associated with JIRA FIN115 – 39 EST eAuthorisations: Deprovisioning job email & developing a sub system push script to set LIVE accounts inactive that have no IDM record, as referenced in Change #7.
32.5 days were because WP1 was a lot more complex than originally estimated. The main problems the project faced were timeouts and crashes of the finance instance. These started immediately after the move to Linux and had not previously been experienced on Windows. Thorough testing of eAuthorisations identified underlying issues, and it was not clear whether these were down to the ColdFusion upgrade or were already present in the system. As a result, the overall project experienced a number of 'bugs' during acceptance testing, and it was not certain whether these were existing bugs or ones caused directly by its development. PICCLs Change #10 and Change #11 describe the agreed budget increases, and Issue #9 describes the unexpectedly high number of bugs encountered.
The remaining variance resulted from the governance required to get all of the bugs fixed and tested and the project closed off.
Key Learning Points:
Successes:
- Teamwork - all members of the project group worked concisely and communicated well with each other
- Extremely thorough testing / time spent on this project by the Finance Team in testing
- Migrated to CF11 - extending the system life expectancy / ability to support
- An inexperienced tester on this system helped gain a pragmatic view on testing / helped achieve success
- Conduct more efficient and conducive requirement and initiation meetings. BA mapping the as is process made it far clearer to understand as there was a lack of previous system use knowledge
- It is live!
Areas for Improvement:
- Be aware of existing system bugs ahead of development / manage expectations in terms of what bugs can be fixed, or are attributed to a project - 'as is' testing!
- The ability to be able to select a system and see all existing / outstanding bugs ahead of the start of any project would be hugely beneficial
- Consistency (non-change) of key project staff - PM, Lead Developer and BA all changed during this project
- It was questioned as to why the WP1, upgrade to Linux from Windows, was not handled as an entirely separate project in the first place as it impacted not being able to deliver WP3 so adversely
Outstanding issues:
- Closure of accounts from older finance systems where the user has been set to inactive on eAuth but they could remain active in the sub systems due to legacy issues. Script to be run against each system once the users have been identified (to be completed through standard Production Support). Risk / likelihood is these considerations live with these other systems, not eAuth.
- Project Team agreed that JIRA FIN115-69- LIVE eAuthorisations: error running bulk deprovision of UUNs with active roles in eauths who are not in IDM - would remain open until the bulk job deprovisioning the inactive users had completed. This job runs nightly deprovisioning 25 active users at a time. This job is expected to complete within the next week. Once it has completed this JIRA will be updated to state that the job is complete and closed.
