Identity Standard Proposal February 2014 Committee on Technology & Architecture Subcommittee on Identity and Access Management
Situation 2 Exchange service provides to 30,500 users across the UCSF enterprise Many separate systems have been consolidated including the Medical Center and School of Exchange currently receives for 140 distinct domains Some units adopted primary addresses when joining, but 73 domains still have new accounts provisioned with their original domain. Rules for assigning a new individual to the appropriate domain are inconsistent, and process is completely manual
Consequences of Current Situation 3 Delays the manual creation of new accounts Barrier to implementing automated processes for account provisioning Rollout of new services and integration with cloud service providers are more complicated and often delayed Movement of individuals between units results in change of address. This is increasingly problematic as cloud service adoption at UCSF grows
Target 4 A uniform address for all members of the UCSF community Continuous delivery of sent to all historical addresses in perpetuity Benefits Simpler experience for UCSF community Uniform, recognizable brand to patients, donors, colleagues, and recruits Fewer changes - move within organization does not change address Simpler account provisioning logic - faster turnaround and facilitates automation Single namespace more closely matches cloud service integration requirements
What is a Primary Address? Is the main address published within our directory service (Active Directory) Is the address that is displayed in the global address list (GAL) Is the ‘From:’ address on outgoing Is frequently used by cloud service providers as the most obvious identifier for account belonging to UCSF personnel 5
What is a Secondary Address? An alternate address published within our directory service An account can have more than one secondary address is accepted and processed normally for all secondary addresses in addition to the primary Every account that doesn’t as the primary has at least address as a secondary Over 1200 accounts have secondary addresses 6
Proposal 7 New individuals joining the UCSF community will receive a primary address –Alternate domain addresses will no longer be provisioned as a secondary for new accounts Existing UCSF individuals not as a primary: –Secondary address populated with their current address –Primary address set to format –UCSF Listserv memberships updated with new primary address –Directory systems (CLS, SIS, etc) updated –UCSF Box, and other cloud service accounts updated
User Impact 8 sent to prior address or new address will be delivered to a single mailbox – No Impact Loss of identity and ‘branding’ associated with domain suffixes on outgoing mail – Impact Variable Individuals may want to update business cards and other print collateral – Impact Low to Moderate Individuals external to UCSF may notice their address books have populated multiple entries for UCSF correspondents – Impact Low Individuals reassigned addresses like etc. as their primary address due to name collisions may be dissatisfied with the outcome – Impact Variable
User Impact 9 Custom inbox rules built manually from addresses rather than the global address list will need updating – Impact Low Users may forget that they used their previous address for registrations on external websites – Impact Variable Business processes that query Active Directory for addresses (sub- optimal choice, but may exist) will no longer work – Impact Unknown Ability to send to external Listservs that restrict input to validated addresses will be interrupted until Listserv account is updated with new address – Impact Moderate
Alternate Servers 10 There is no requirement that members of the UCSF community use the enterprise Exchange server A small number of units continue to operate independent servers Suggestion for provisioning / cloud integration for this population: –Create account as with other new hires –Existence of account will facilitate integrations that need address, even if function not utilized –Inform account owner that only address should be used for authenticating to campus-wide and integrated services
11 DomainAccounts ucsfmedicalcenter.org9381 anesthesia.ucsf.edu529 peds.ucsf.edu481 obgyn.ucsf.edu447 medsfgh.ucsf.edu416 medicine.ucsf.edu388 orthosurg.ucsf.edu282.. dentistry.ucsf.edu79.. ccrc.ucsf.edu1 chanoff.ucsf.edu1 ebinet.ucsf.edu1 clinlab.ucsfmedctr.org1 uap.ucsf.edu1 Alternate Domain Statistics
Visual Impact of Domain – Mac Mail 12 Example from Mac mail client of a message addressed to recipients in four unique domains. The domain identity of the recipients is not visible in the user interface
Visual Impact of Domain – Outlook on Windows 13 Same example using the Outlook client on a Windows computer
Visual Impact of Domain – Outlook Web Access on Windows 14 Same example with Outlook Web Access (OWA) in a Firefox browser window
Visual Impact of Domain – IOS 15 Corresponding example on an iPhone None of the clients surveyed displayed the recipient’s domain under normal operation
Recent Integration Challenges 16 UCSF Box –Box expected a single primary domain –Two UCSF staff members a month resolving complication, delaying the implementation Cisco Unified Communications (new phone solution) –Unable to build Uniform Resource Identifier (URI – analogous to internal phone number) from primary address because they require single domain –Ad hoc heuristics are in development to pick address from among multiple candidate secondary addresses
Recent Integration Challenges 17 DocuSign –Reached internal character limit processing list of UCSF domains during authentication process –Domains through ‘larc.ucsf.edu’ work, all domains after ‘legal.ucsf.edu’ fail –Issue still unresolved as of 1/31
UCSF Box Integration 18 Definition of ‘Your Company’ is almost comically complex
Approval Process 19 9/26/13 – Endorsed by CTA Identity and Access Management Subcommittee 12/12/13 – Endorsed by Committee on Technology and Architecture 12/13/13 – Endorsed by Committee on Business Technology 2/6/14 – Endorsed by IT Governance Steering Committee
Community Input to Date 20 Presented to School of Medicine Clinical Chairs distribution to School of Medicine MSO list Presented to IT-Forum Vetted with School of Nursing Leadership Vetted with School of Pharmacy Leadership -Vetting with School of Dentistry in progress -Vetting with Academic Senate in progress