Group Services CIO Council Update Jan. 9, 2017 Monday 3:10 – 3:30 p.m. Smith 561
Purpose and Intended Outcome Describe the strategy for delivering Group Services Intended Outcome: Validation of the need for a formally managed IT Service for groups Feedback on the proposed phased strategy
Why an IT Service for Groups? Because groups are an essential component of all other IT service delivery Groups Enable Everyday Business Objectives Access Control Enabling access for the right people Dissolving access when people leave Communication Emailing or texting messages to targeted audiences Collaboration Document sharing File sharing (individuals and groups) Online conferencing
4/21/2018 Define “Group” A group is a list of identities (subjects) who hold membership. Affiliation Services Employee VPN Member Student Intranet Active Access Alum Application Tenant Building
Silos to Service Group Service Current State: Every app for itself Redundant, overlapping Managed manually, static Inconsistent Not trusted Future: IT service Institutional, integrated Updated automatically Consistent Trusted
4/21/2018 CIO Feedback Meetings with 10 members of CIO council revealed agreement on several points: HUIT Group Service should: Provide an IT service including advisory services and technical integration options Create groups based on authoritative HR and student data Focus initially on reference groups and HarvardKey integration Common Concerns and Challenges: Enabling collaboration with non-Harvard, externally based users (without Harvard identity) Providing a user-friendly way to create ad hoc groups, avoiding redundant groups Making use of group services with Microsoft collaboration tools easier
Vision for Group Services Key Performance Indicators Service Vision Vision for Group Services Enable IT service providers to easily secure their services and provide a consistent user experience through ready access to accurate data Strategic Objectives Provide an IT service that enables other IT services to meet requirements for access, collaboration, and communication Support delegated administration of groups Provide standard API options, and integration with HarvardKey Guiding Principles Deliver service in phases Base solutions on Grouper from Internet2 Deliver offerings in response to prioritized use cases Ensure accuracy and performance Key Performance Indicators Number of applications and web sites that are supported through groups with HarvardKey (adoption) Number of reference groups Number ad hoc groups (adoption) Number of groups actually used (ratio to created)
IAM Future State Services and Offerings Current Service # offerings End User Computing Collaboration Services 3 offerings Email and Calendars 6 offerings Field Support Services Network Services Phone Services IT Provider Services Cloud Services HUIT Support Tools and Systems Identity and Access Services 4 offerings Server Administration Web Hosting IT Security Information Security Education and Consulting Information Security Operations and Engineering Future Service # offerings End User Computing Collaboration Services 3 offerings Field Support Services Network Services Phone Services IT Provider Services Cloud Services HUIT Support Tools and Systems Identity and Integration Services Server Administration Web Hosting IT Security Information Security Education and Consulting Information Security Operations and Engineering 13 Services Offerings 6 Services Offerings FUTURE OFFERINGS Collaboration Services Account and HarvardKey Services Email and Calendar Groups and Guests Identity and Access Integration Services Identity Data and Provisioning Identity Repositories Authorization Services
Integration Required to Benefit from Group Services Service providers and application owners will need to plan for development to integrate with Group Services Options for Integration with Group Services include: Attributes/Authorization with HarvardKey RESTful API Using Directory Services LDAP Active Directory Direct provisioning of group data
After FY17, expansion is dependent on resources and priorities. Timeline FY17 FY18 - 19 FY19 + Foundation Expansion Non-People Reference Groups HarvardKey integration Delegated group management Authorization with HarvardKey API integrations with early adopters More reference groups Expansion of delegated group management Use Cases including: iSites Group Service retirement (Open Scholar, Wiki, Blog) Courses AWS, VPN, Radius platforms Emergency communication Broadcast communication Collaboration Expansion into managing non-people identities After FY17, expansion is dependent on resources and priorities.
Next Steps HarvardKey integration with Groups available in early March – Full Production Ongoing collaboration with Academic Technology Services to enable retirement of iSites Group Service Regular meetings with Work Group to review use cases and to plan for documentation and support processes Pilot use of API with additional HUIT teams in ATS, ITS Definition of service offerings with ITSM Continue outreach to peer institutions in Internet2
Appendix
Value Proposition Service Offerings Outcomes Benefits HarvardKey integration Authorization Reference Groups Automatically updated for accuracy Aligned with affiliations and orgs Access Control Turnkey authorization options for web applications via HarvardKey Reduction in risk of unauthorized access Mailing lists Emergency management Broadcast Communication Communication Proper alignment of messages with user populations Less time spent on ad hoc lists ITCRB request for Broadcast Communication Provisioning to Directories and Applications Collaboration Eliminate need for multiple versions of the same lists across tools Simplification of administration of file sharing Better user experience
Learning From Others Who Have Gone Before Us IAM team members have reviewed our technical architecture and design ideas with Internet2 community over past couple years. Key takeaways include Deploy group services as a hub service, to be used by other services Provide a single source of groups to many tools Use Grouper platform – the defacto tool in Higher Ed, which TIER is now updating Publish groups based on system of record; auto-update the data Use built-in Grouper functions to create groups from groups via “group math” via unions, or exclusion critieria Support ad hoc groups, created manually or via automation Extend access to delegated administrators through the Grouper UI Publish the groups to LDAP and AD to support access management
Reference Groups: Foundational Groups Designed as building blocks enabling selection of a population by roletype, organization and status. Locked down: only able to be modified by the group service Based on authoritative sources (e.g., IAM, Courses via Canvas) Aligned with the organization hierarchy used in HR Helps ensures continuity of access, since legacy authorization mechanisms are aligned to this definition today Support role sub-types where applicable, for example: Differentiate faculty from staff, students from a class participant Reference groups differ from Ad Hoc Custom Groups, that are created, manually, through delegated process, by systems or collaborators.
Benefit: Ability to use same group for multiple needs Efficient, Effective for Administrator & End User Department Administrator System Administrator Email List Wiki List Web Site Access Sharepoint Creates Reusable Group Creates Reusable Group AWS Access VPN Access Benefits to the Administrator Create the list once, and then reuse it Peace of mind that when team members leave Harvard, they will be dropped from the group Benefits to the Administrator Create the list once, and then reuse it Peace of mind that when team members leave Harvard, they will be dropped from the group Automate export of group to AWS to ensure proper permissions management Audit trail Security and access aligned Project Team Group: Benefits to the team members: Equal access to the resources Ability to communicate via a mailing list Privacy for their work Ability to share files easily