When Account Management Is Not Enough Identity at RIT Matt Campbell Sr. Infrastructure Engineer

About RIT RIT is one of the nation’s top comprehensive universities and sets the national standard for career-oriented education. Located in suburban Rochester, N.Y., RIT is a private university that enrolls more than 15,500 students in its eight colleges. RIT is recognized for its programs in business, engineering, art and design, photography, science and mathematics, liberal arts, computing, and many other areas.

The Challenge Students, Faculty, and Staff university ID number was SSN No authoritative system needed since “everyone has one”. International students issued a fake number starting with 999 by the student records system.

What we had to work with: Account Management System Self-Help Clients

What We Needed AMS not standards based, proprietary protocol, limited PHP API. Interfaces with existing systems that needed University IDs (SR, HR) AMS was a real time system with no ability to have an offline update mode. Performance, adequate for interactive use, to slow for large batches that would be necessary.

Standards Based Transition

Subscription Model AMS sent all client requests to all modules. CLAWS utilizes a subscription model that sends only the XML documents that match the subscription for a module. Modules categorized into two types: –Real-time modules (blocking) –Pick-up modules (non-blocking)

Real-Time Modules Modules are subscribed only to documents that they care about. –Ex. ADDIDENTITY, MODIDENTITY Modules are delivered the document and the server waits until they respond. Good for modules that perform work the client cares about.

Pick-up Modules Modules can subscribe to updates and pick them up at their leisure. Useful for antiquated systems that can not effectively provide a web service. Modules that choose to not act in real time sacrifice the ability to return data to the original requestor. These modules require that we keep requests saved in a database until they pick them up. This has a side effect of being useful for debugging purposes.

Modular Is Handy

Duplicate Prevention Identities are “scored” based on how well they match new additions. If the score is above a certain threshold, the add is denied. There is a minimum score required to even attempt the addition. Allows the user to find identities even if they misspell part of an attribute. This method causes very few false positives, usually siblings and spouses.

Affiliation The Most Important Attribute All identities are required to have one or more affiliations. –Student, Alumni, Employee, etc. Any identity lacking an affiliation is purged from the system. Identity system security closely tied to affiliation.

Integration with Account Management Accounts previously linked to SSN or the fake SSN generated by the SR system. Now accounts are linked to the new University ID. Accounts must be linked to an identity with an affiliation that allows the account to exist. –Removal of an authorizing affiliation results in the removal of the account automatically. Using an identity’s affiliation allows for much more granular account level access restrictions.

Technical Challenges Duplicate prevention. Efficiency –Heavy user load –PSAT score file loads –Excessive amounts of data Security. Legacy mainframe application integration.

Other Issues Moving requirements target. Sample data provided during development came not even close to representing production data. Customers unable or unwilling to modify business processes that result in “bad” data. –As a result, a requirement was added for an override function to force the addition of an identity the system would reject. Data possessiveness, fix this first!

Open Source! CLAWS has been released under the GPL at claws.rit.edu Currently only available through subversion, but archives are planned. Very RIT centered at this time, but we are anxious to take patches and updates from other schools. Build environment is in it’s infancy, but is a definite start.

Questions? Get CLAWS at Matt Campbell Sr. Infrastructure Engineer