Life After Implementation: On-going Directory Management and Governance (Sharing Experiences)

Life After Implementation: On-going Directory Management and Governance. Sharing Experiences. Jon Giltner, Director of IT Architecture and Security, Information Technology Services, University of Colorado at Boulder.

CAMP Directory Workshop, Feb 3-6, 2004

Agenda
- CU Directory Project Background
- Directory Governance
- Directory Management
- Open Discussion / Q & A

University of Colorado System

CU System Office:
- Four-campus PeopleSoft HR and GL system
- Four-campus Student Information System (mainframe application)
- Four-campus Data Warehouse (Oracle DB)
Each campus:
- Central IT department
- IT governance varies
- Numerous departments with autonomous IT staffing; "voluntary" coordinated governance

January 2000: Launch of Directory Services Project
Motivated by:
- Strong ties to Internet2, and specifically the I2 Middleware Initiative
- Applications needing LDAP services starting to appear on campus
- Unsatisfactory existing on-line white pages
- Data distribution from PS (PeopleSoft) and SIS getting unmanageable
- Convergent vision of senior IT managers (effective evangelism, or maybe just astrological planetary alignment)
Solidified by President Hoffman's Vision 2010, five axioms:
- A University Without Walls: enabling a multidisciplinary effort across all four CU campuses.
- A Culture of Excellence: targeting areas for national prominence on each of the four campuses.
- Increasing resources and using them wisely: building significant endowments for scholarships, chairs and professorships.
- Diversity: bolstering diversity through aggressive recruitment and retention strategies for students, faculty and staff.
- An integrated infrastructure: using technology to enhance the quality of services to CU constituents across the entire system, and to expand online degree programs.
A Boulder campus initiative with cooperation from other campuses (especially CU System).

CU Directory Services Project
Project goals:
- Trusted, authoritative source of data
- Identity, data and relationship management
- Usable by a variety of applications and services
- Authentication services (LDAP authentication via a Kerberos V pass-through module)
- Foundation for campus-wide authentication and authorization services
Project commissioning statement: Establish a framework for deploying and maintaining general purpose directory services for the University of Colorado at Boulder within the context of the University-wide environment.

Project Structure (the big "Team")
- Champion: political conduit; sustains momentum.
- Steering Team: key decision-makers; communication through monthly meetings.
- Technical Team: provides analysis, design, development, testing.
- Core Team: provides detailed project work and conducts regular meetings.
Roles shown on the structure diagram: Registrar, Manager of CU Benefits Services, Director of Housing, IT Architect, Director of HR, Assistant VP UMS, Director of ITS, Director of Enrollment Management, Dean of Libraries.

November 2001: Boulder Campus Directory Goes Live
Success factors:
1. Decision that it is not a technical project: lead with policy and process issues and establish on-going directory governance.
2. Involvement from a broad set of constituents.
3. Leverage best practices and lessons learned from others (I2 MACE-Dir, The Burton Group).
4. Small initial implementation scope / massive implication scope (see 1 and 2).
Measures of success:
1. Technical and administrative silos engaged, not threatened.
2. Representatives from all hierarchies ask to learn more.
3. Community members ask to be involved.
4. Application owners ask to use the directory.
5. Directory praises sung on the campus grapevine.
Small hammers: Directory Policy and Identity Management Policy.

Project Timeline (timeline figure; not captured in the transcript)

Basic Directory Architecture (diagram; components only): Core Team, Steering Team and campus SMEs define the business rules; SIS and HR feed the 4-campus Registry (Oracle DB); the Registry populates the campus directory (SunONE Directory).

Other Boulder Campus Directories (diagram; components only): Registry (fed by HR, SIS and Sponsored entries), MetaMerge, Campus Directory, Calendar instance, OS X instance.

(OK, A Little Reality)
- Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
- A different unique identifier in each system
- Blended together to build a cuEduPerson entry:
  - HR: faculty/staff; empID
  - SIS: student; SID
  - FIS: faculty; SSN
  - Uniquid: accounts; unix ID
  - ID card: photos; ISO number
  - Telecom: phone location, phone number
  - Sponsored affiliate; SSN?
  - cuEduPerson: uuid
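The blending step above, as an added example (this is illustrative code, not CU's registry or MetaMerge configuration): each source feed carries its own identifier, records are linked into one registry person when they share an identifier already seen, and the flattened cuEduPerson entry exports only identifiers that may be published. The feed records, the precedence order, the attribute names cuEduPersonUUID and jpegPhoto, and the rule that SSN stays inside the registry are all assumptions of this example; the slide itself only lists which source uses which identifier.

```python
"""Added example (not CU's code): joining per-source records into one registry
entry with a registry-assigned uuid. Identifiers empID, SID, SSN and ISO come
from the slide; the feed records, precedence order and attribute names are
constructed for this example."""
import uuid

# Data precedence when sources disagree on the same attribute: earlier wins.
# At CU this ordering was a steering-team decision; the order here is assumed.
PRECEDENCE = ["HR", "SIS", "FIS", "IDCARD", "TELECOM"]

# Identifiers that may be used to link a feed record to an existing entry.
LINK_ATTRS = ("empID", "SID", "SSN", "ISO")

# Identifiers that may be published to the LDAP directory. SSN is a link key
# inside the registry only and is deliberately absent (assumed policy).
PUBLISHABLE = {"empID", "SID", "ISO", "phone"}

# Constructed sample feeds (fictional people, not real data).
FEEDS = [
    {"source": "HR", "role": "staff", "ids": {"empID": "E100", "SSN": "000-00-0001"},
     "attrs": {"sn": "Doe", "givenName": "Jane", "cuEduPersonHomeDepartment": "ITS"}},
    {"source": "SIS", "role": "student", "ids": {"SID": "S2001", "empID": "E100"},
     "attrs": {"sn": "Doe", "givenName": "Janie", "cuEduPersonMajor": "CSCI"}},
    {"source": "FIS", "role": "faculty", "ids": {"SSN": "000-00-0002"},
     "attrs": {"sn": "Roe", "givenName": "Rick"}},
    {"source": "IDCARD", "role": None, "ids": {"ISO": "6000100", "empID": "E100"},
     "attrs": {"jpegPhoto": "jane.jpg"}},
    {"source": "SIS", "role": "student", "ids": {"SID": "S2002"},
     "attrs": {"sn": "Poe", "givenName": "Pat"}},
]


def build_registry(feeds, uuid_factory=uuid.uuid4):
    """Return {uuid: person}. A record joins an existing person when any of its
    LINK_ATTRS identifiers is already indexed; otherwise it starts a new person.
    A record that links two different people is refused rather than silently
    merged (that is the duplicate-uuid problem on the manager's project list)."""
    id_index = {}   # (attr, value) -> person uuid
    people = {}     # uuid -> {"ids": {}, "affiliations": set(), "by_source": {}}
    for rec in feeds:
        hits = {id_index[(a, v)] for a, v in rec["ids"].items() if (a, v) in id_index}
        if len(hits) > 1:
            raise ValueError(f"record {rec['ids']} links {len(hits)} entries; manual review needed")
        pid = hits.pop() if hits else str(uuid_factory())
        person = people.setdefault(pid, {"ids": {}, "affiliations": set(), "by_source": {}})
        for attr, value in rec["ids"].items():
            if attr in LINK_ATTRS:
                id_index[(attr, value)] = pid
            person["ids"][attr] = value
        if rec["role"]:
            person["affiliations"].add(rec["role"])
        person["by_source"][rec["source"]] = rec["attrs"]
    return people


def to_cu_edu_person(pid, person):
    """Flatten one registry person into a directory entry: the first source in
    PRECEDENCE that has an attribute wins it; only PUBLISHABLE ids are exported."""
    entry = {"cuEduPersonUUID": pid,   # attribute name assumed
             "eduPersonAffiliation": sorted(person["affiliations"])}
    for source in PRECEDENCE:
        for attr, value in person["by_source"].get(source, {}).items():
            entry.setdefault(attr, value)
    for attr, value in person["ids"].items():
        if attr in PUBLISHABLE:
            entry[attr] = value
    return entry


def directory_entries(feeds=FEEDS):
    """All directory entries for the feeds, keyed by surname (unique in the sample)."""
    registry = build_registry(feeds)
    return {e["sn"]: e for e in (to_cu_edu_person(p, r) for p, r in registry.items())}


if __name__ == "__main__":
    for sn, entry in directory_entries().items():
        print(sn, entry)
```

The student-employee case is the one to watch: the HR and SIS records for Jane share empID, so she becomes one entry with both affiliations, and HR's spelling of givenName wins by precedence while SIS still contributes the major. A feed record that bridges two existing entries is rejected for manual review rather than merged, because a silent merge would hand one person another person's entitlements.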

CU Directory Project Summary
- Boulder campus project with some 4-campus scope
- Goal from the outset was to be an authoritative source of identity data for a wide variety of applications
- Steering team established to make hard decisions relating to use and manipulation of data
- Managed to succeed without Jon

Agenda (next section): Directory Governance

Directory Governance Scope
Jon's Postulate: Directory Governance = Enterprise Identity Management (at the policy level)

Project Steering Team
Established early during implementation to address issues such as:
- Data precedence / reconciliation
- Affiliation (role)
- Visibility of data beyond FERPA
- Appropriate uses of data
- Giving the project clout (example: incremental updates from PS and SIS)
- Championing across the University
Challenge: thinking bigger than "white pages"

Steering Team Member Criteria
- Policy maker at the campus or University level, and/or
- Knowledge expert in how the University conducts business (non-technical)

Issue: Affiliation
Affiliation describes an individual's relationship with the university. Affiliation is used for two primary purposes:
- To determine whether services should be granted to the user (check performed via a directory-enabled system).
- To determine what information should be displayed and/or made public for the individual associated with the entry.
Affiliation table (columns DISPLAY/QUERY and SERVICE; the check marks did not survive extraction, so only the row labels are listed): Admitted Student; Confirmed Student; Parent?; Student; Staff; Faculty; Student Employee; Retiree; Employee Spouse; Alum; Sponsored (vendor?, contractor?, visiting faculty?); Directory-only; Conference Attendee.

More on Affiliation
The primary factor in determining access entitlements is a person's affiliations with the University. Affiliation (i.e. role) is determined from a combination of directory attributes:
- eduPersonAffiliation: multi-valued; controlled vocabulary
- eduPersonPrimaryAffiliation: single-valued; controlled vocabulary
- cuEduPersonCampus
- cuEduPersonHomeDepartment (faculty/staff)
- cuEduPersonMajor (student) (also minor and class)
- description: multi-valued; "predictable" values

Affiliation/Services Matrix (table garbled in extraction; structure recovered, cell values not reliable)
Rows (affiliate categories): ContEd noncredit; campus ministries; clubs/orgs; conference attendee; short-term service vendor/contractor; CU agency list; alumni; Foundation staff.
Columns (services): dir list, id, key lab, AD, modem, dhcp, web host acct, ememo, library, idcard, RTD, rec ctr, other, special conditions.
Special conditions legible in the cells: current enrollment, PLUS, WebCT (ContEd noncredit); special id card (campus ministries); UCSU registration if student org, expire date (clubs/orgs); WebCT, WSHC (conference attendee); services vary by vendor, expire per vendor (vendor/contractor); PLUS Foundation (alumni).
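The two uses of affiliation on the preceding slides, a service check and a display check, as an added example (illustrative code, not CU's directory-enabled application logic). The entitlement table and displayable set are assumed values standing in for the matrix whose cells did not survive; eduPersonAffiliation values follow the eduPerson controlled vocabulary, with "affiliate" standing in for CU's "sponsored" type; cuEduPersonSponsorExpiration and cuEduPersonFERPAHold are assumed attribute names for the matrix's "expire date" condition and for a FERPA non-disclosure request.

```python
"""Added example (not CU's code): deny-by-default service and white-pages
checks driven by directory affiliation. Entitlement table, displayable set and
the two cuEduPerson* attribute names are assumptions of this example."""
from datetime import date

# service -> affiliations that grant it (assumed; the real matrix is a governance decision)
ENTITLEMENTS = {
    "email":   {"student", "staff", "faculty", "affiliate"},
    "library": {"student", "staff", "faculty", "alum"},
    "idcard":  {"student", "staff", "faculty", "affiliate"},
    "dhcp":    {"student", "staff", "faculty", "affiliate"},
}
# affiliations whose entries may appear in the public white pages (assumed)
DISPLAYABLE = {"student", "staff", "faculty", "alum", "affiliate"}


def effective_affiliations(entry, today):
    """Affiliations that count today. A sponsored entry (eduPersonAffiliation
    'affiliate') must carry an unexpired cuEduPersonSponsorExpiration (assumed
    attribute, ISO date); a missing or past date drops the sponsorship."""
    affs = set(entry.get("eduPersonAffiliation", []))
    if "affiliate" in affs:
        exp = entry.get("cuEduPersonSponsorExpiration")
        if exp is None or date.fromisoformat(exp) < today:
            affs.discard("affiliate")
    return affs


def service_allowed(entry, service, today):
    """Deny by default: an unknown service or no qualifying affiliation is False."""
    return bool(effective_affiliations(entry, today) & ENTITLEMENTS.get(service, set()))


def display_allowed(entry, today):
    """White-pages visibility: a displayable affiliation and no FERPA
    non-disclosure hold (cuEduPersonFERPAHold is an assumed attribute).
    A hold hides the entry; it does not remove services."""
    if entry.get("cuEduPersonFERPAHold") == "TRUE":
        return False
    return bool(effective_affiliations(entry, today) & DISPLAYABLE)


def entitlement_report(entry, today):
    """Every decision for one entry, the shape a (de)provisioning feed needs."""
    report = {svc: service_allowed(entry, svc, today) for svc in ENTITLEMENTS}
    report["display"] = display_allowed(entry, today)
    return report


# Constructed sample entries (fictional).
TODAY = date(2004, 2, 4)
STUDENT = {"uid": "jdoe", "eduPersonAffiliation": ["student"]}
FERPA_STUDENT = {"uid": "ppoe", "eduPersonAffiliation": ["student"],
                 "cuEduPersonFERPAHold": "TRUE"}
VENDOR_OK = {"uid": "vend1", "eduPersonAffiliation": ["affiliate"],
             "cuEduPersonSponsorExpiration": "2004-06-30"}
VENDOR_EXPIRED = {"uid": "vend2", "eduPersonAffiliation": ["affiliate"],
                  "cuEduPersonSponsorExpiration": "2003-12-31"}
ADMITTED = {"uid": "new1", "eduPersonAffiliation": [], "description": ["admitted-student"]}

if __name__ == "__main__":
    for e in (STUDENT, FERPA_STUDENT, VENDOR_OK, VENDOR_EXPIRED, ADMITTED):
        print(e["uid"], entitlement_report(e, TODAY))
```

Two behaviours matter for a directory-enabled system: an expired sponsorship must fail closed without anyone editing the entry (the "expire date" and "expire per vendor" conditions on the matrix), and a FERPA hold must suppress display without revoking services, since the two uses of affiliation are separate decisions.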

Issue: Directory Policy
Establishes:
- Directory governance;
- Official data sources (the information systems from which the Directory will extract its data, create entries, and update entries, and upon which it will base its reconciliation);
- Directory inclusion (categories of people who will be included in the CU-Boulder Directory);
- Directory use (privacy requirements; who may have authenticated access to the Directory; who may pull data from the Directory and for what purposes; and who must use the Directory).

Policy: Mandatory Use
Mandatory Directory Usage: All CU-Boulder campus-specific systems implemented after the advent of the Directory must be directory-enabled if affiliation-check, authorization or enterprise data is required by the newly implemented campus system. "Directory enablement" means using the Directory for determining affiliation, authentication, authorization, or for data reference.

Steering Becomes Governance
Post-deployment issues:
- Prioritization of new development (if needed)
- Review of data use requests and requests for new data (e.g. class photo rosters)
- End-user (application) access to the Registry database
- But mostly: identity management

Identity Management Policy
Establishes:
- Trusted sources of identity data;
- The "Sponsored" affiliation type (note: different from a "sponsored" identity);
- Acceptable protocols for managing identity data;
- Triggers for removal of identity;
- Operational procedures related to identity.

Identity Management
Other identity management issues contemplated by the DGB:
- "Local" vs. "enterprise" identity data: application-specific extensions to the directory
- Groups, roles, and delegated administration
- Services for expanded sets of affiliates: e.g. applicants and retired faculty
- Non-person identities

Governance: What's Ahead
More and bigger identity management issues:
- Reversing the data flow: getting new or changed directory data back into the source system
- Large classes of potential service consumers who aren't in a source system: alumni (vanity address), former students (transcript requests), faculty/staff spouses (calendar viewing)
- Better processes for removing/changing affiliation (which can have a profound effect on access to services)
- Multi-campus identities and federated management between campuses and external to the University

What We Would Do Differently
A mistake: the DGB does not have any direct control over funding.

Governance Summary
- Early is good; it elevates important issues out of the technical realm
- Ensure authority to establish policy and generate action by including those who already have authority
- Embrace the massive scope of identity management

Agenda (next section): Directory Management

Management?
Is it a product, a project, or a mature, operational service?
- No opportunity to have controlled releases
- No finite set of objectives
- Minimal ability to create a routine "service fulfillment" process

Management vs. Operations
Operations:
- Monitoring for availability and performance
- Backups and replication
- Log file monitoring
- Dealing with exceptions generated during the various load processes (may require escalation)
- Upgrading and patching software and platform components
Management:
- Prioritization and oversight of directory-related projects
- Primary interface to the DGB
- Consulting with customers
- Policy compliance
- Data stewardship
- Communication and promotion
- Contributes to, but is not ultimately accountable for, strategic positioning and architecture
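One concrete piece of the "log file monitoring" duty on the operations list, as an added example (not CU's tooling): correlating BIND and RESULT lines in a directory server access log to find failed authentications, then separating one user mistyping a password from one client spraying a password across many accounts. The log lines are constructed in the Sun ONE / 389 Directory Server access-log style (conn and op numbers tie a BIND to its RESULT; err=49 is invalidCredentials); the addresses and DNs are fictional and the spray threshold is an assumption.

```python
"""Added example (not CU's code): failed-bind detection over a directory access
log. Lines are constructed in Sun ONE / 389 DS access-log format; hosts, DNs
and the threshold are assumptions of this example."""
import re
from collections import defaultdict

LOG = """\
[03/Feb/2004:10:15:01 -0700] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[03/Feb/2004:10:15:01 -0700] conn=12 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128 version=3
[03/Feb/2004:10:15:01 -0700] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[03/Feb/2004:10:15:02 -0700] conn=12 op=1 BIND dn="uid=rroe,ou=people,dc=example,dc=edu" method=128 version=3
[03/Feb/2004:10:15:02 -0700] conn=12 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[03/Feb/2004:10:15:03 -0700] conn=12 op=2 BIND dn="uid=ppoe,ou=people,dc=example,dc=edu" method=128 version=3
[03/Feb/2004:10:15:03 -0700] conn=12 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[03/Feb/2004:10:15:04 -0700] conn=13 fd=65 slot=65 connection from 10.0.0.7 to 10.0.0.1
[03/Feb/2004:10:15:04 -0700] conn=13 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128 version=3
[03/Feb/2004:10:15:04 -0700] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[03/Feb/2004:10:15:09 -0700] conn=13 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128 version=3
[03/Feb/2004:10:15:09 -0700] conn=13 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[03/Feb/2004:10:15:10 -0700] conn=14 fd=66 slot=66 connection from 10.0.0.9 to 10.0.0.1
[03/Feb/2004:10:15:10 -0700] conn=14 op=0 BIND dn="" method=128 version=3
[03/Feb/2004:10:15:10 -0700] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=0
""".splitlines()

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ")
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")
INVALID_CREDENTIALS = "49"   # LDAP resultCode invalidCredentials


def failed_binds(lines):
    """{client ip: [bind DN, ...]} for every BIND whose RESULT is err=49.
    BIND and RESULT are separate lines, so they are joined on (conn, op); the
    client address comes from the connection line for that conn."""
    conn_ip = {}
    pending = {}
    failures = defaultdict(list)
    for line in lines:
        if m := CONN_RE.search(line):
            conn_ip[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3)
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            if dn is not None and err == INVALID_CREDENTIALS:
                failures[conn_ip.get(conn, "unknown")].append(dn)
    return dict(failures)


def spray_suspects(lines, threshold=3):
    """Client IPs with at least `threshold` failed binds spread over at least
    `threshold` distinct DNs: one guess tried across many accounts, which a
    single user mistyping a password does not produce."""
    return sorted(ip for ip, dns in failed_binds(lines).items()
                  if len(dns) >= threshold and len(set(dns)) >= threshold)


if __name__ == "__main__":
    for ip, dns in failed_binds(LOG).items():
        print(ip, len(dns), "failed bind(s) against", len(set(dns)), "DN(s)")
    print("spray suspects:", spray_suspects(LOG))
```

Per-connection correlation is the point: a RESULT line on its own does not say which DN or client it belongs to, so a monitor that greps for err=49 can count failures but cannot tell the two patterns apart. The anonymous bind (empty DN) succeeds and is ignored here; whether anonymous binds are permitted at all is a Directory Use policy question, not an operations one.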

Directory Management Pitfalls
By nature, it becomes reactionary:
- Source systems or data are subject to change due to drivers unrelated to the directory or identity management
- New laws and regulations to comply with
- Requests for new data or new uses of data come with twists, and at a rate much faster than the DGB can properly address them
- Multiple competing business drivers make prioritization difficult

The Solution: Pass the Buck
- Use the DGB for prioritization when appropriate
- Make it the duty of the DGB to resolve even tough issues in a timely manner
- Integrate authN/authZ tools with delegated administration into directory services: e.g. commercial identity and access management software
- The Directory is too flexible a framework: build a portal, or even two

Oh Yeah, and a Competent Manager
Job requirements:
- Ability to fully grasp the complexities of the data and systems involved
- Ability to influence the DGB
- Skilled project manager
- Skilled customer manager
- Willing to carry the weight of the world
And try not to burden them with a lot of operational details.

Management: What's Ahead
Laundry list of projects from our Directory Manager:
- Faculty welcome basket: rosters, course lists, key requests, ITS account requests, etc.
- ISO number included for business school integration
- Self-update
- Birthday message
- Add physical location to the directory
- Directory-enable legacy applications: athletics ticketing, faculty information system, ASPupload, mailing services, iVote, parking services, housing, Norlin, rec center, Wardenburg, math mods, applied math
- Replace MetaMerge
- Sponsored entry: individual and batch entry
- Direct update to AD
- Directory-enable for life
- Directory-enable the account (de)provisioning process
- On-going involvement: WebCal, WebCT, cuConnect, IFS, EFL, account provisioning
- Grace periods / deprovisioning
- Multiple-uuid programming: correct duplicate entries
- Directory-enable Chinook electronic reserves
- Integrate UCD
- Integrate CS, HSC
- Employee privacy policy
- More robust directory logging and stats
- Include departmental listings in the directory
- Develop an archiving plan
- / send mail
- System registration?
- Printed directory

What We Would Do Differently
- Better separation of directory management and operations functions; clearly defining the role of the Directory Manager. (We are in the process of fixing this.)

Directory Management Summary
- Management and operations are different functions
- Understand the importance of having a good directory manager and keeping the DGB engaged
- Directory management issues are often identity management issues; address the source of the issue

Agenda (next section): Open Discussion / Q & A