Published by Summer Paullin. Modified over 10 years ago.
1
CASE STUDIES
- Indiana University
- University of California, Davis
- University of Maryland
- San Joaquin Delta College
- University of Arizona
- University of Washington
2
CASE STUDY: INDIANA UNIVERSITY
3
INDIANA UNIVERSITY
- Implemented Rice 1.0.1.1 in May 2010
- Kuali Financial System – partial implementation – May 2010
- Implementation of KIM includes a hybrid of data loading into KIM database tables and service overrides
- KIM provides the primary IdM services for many of our enterprise software applications
4
IDENTITY DATA
- Indiana University uses a tool from Microsoft called Identity Lifecycle Management (ILM)
- ILM aggregates identity data from various sources – HR, PeopleSoft, etc.
- It can then feed that data in close to real time to other systems
- At IU, Kuali Identity Management is one of those systems
- Built a web service that sits on top of KIM that implements CRUD operations for identity data
5
ILM-KIM ARCHITECTURE
6
PRINCIPAL ID AND PRINCIPAL NAME
- In KIM the Principal ID must be unique across the implementation
- At IU we are using our PeopleSoft “Employee ID” for both our principal and entity ids
- We are using the user’s “network id” for their principal name
7
HISTORICAL DATA
- IU has a large historical data set of users
- Many of these could have participated in workflow transactions as long as 7 years ago
- KIM has the “IdentityArchiveService” that can be used to retrieve historical entity data
  – A subset of the full entity data
- We pull this historical data into the designated KIM table from an external source when it is requested
8
GROUPS AND ACTIVE DIRECTORY
- IU has a large Microsoft Active Directory implementation
- Contains many, many groups that customers want to use for role assignment and routing
- We override the GroupService so that it pulls from both the KIM database and from ADS (via LDAP)
- We identify ADS groups by giving them an “ADS” namespace
- Generate group ID based on ADS group name
9
ADS – KIM GROUP REQUIREMENTS
- Should be able to use ADS groups in addition to the out-of-the-box KIM group store
- Groups must have a unique ID
- Groups are also uniquely identified by a combination of Namespace and Name
- Group membership can be nested
10
ADS GROUP INTEGRATION – IMPLEMENTATION
- ADS groups are assigned a namespace of “ADS” which allows the GroupService to determine how to load the Group
- ADS groups have an ID assigned to them consisting of “ADS” and the group name
  – i.e. ADS:MyAdsGroupName
11
ADS GROUP INTEGRATION – GROUPSERVICE
- Override the GroupService so that it loads groups from both ADS (via LDAP) and the KIM database
  – IF id starts with “ADS” or namespace equals “ADS”, query ADS
  – ELSE delegate to reference implementation
- Various operations need to be customized including operations to load GroupInfo objects as well as checking Group membership
- Also customize the Group Lookup screen so that it can search for Groups in ADS
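
The routing rule and the nested-membership requirement from the ADS slides above, as an added sketch that is not Indiana University's or Kuali Rice's code. `AdsAwareGroupService`, `GroupStore`, `Group` and all sample IDs are hypothetical; it assumes the prefix is matched with its separator ("ADS:") so a KIM group whose ID merely begins with those letters is not sent to the directory, and it tracks visited groups so circular nesting cannot loop.

```java
import java.util.*;

// Added sketch: hypothetical names, not the Kuali Rice GroupService API.
public class AdsAwareGroupService {
    record Group(Set<String> principalIds, Set<String> memberGroupIds) {}
    interface GroupStore { Group load(String groupId); }   // returns null when the group is unknown

    static final String ADS = "ADS";
    private final GroupStore ads;   // stands in for the LDAP-backed lookup
    private final GroupStore kim;   // stands in for the reference (database) implementation

    AdsAwareGroupService(GroupStore ads, GroupStore kim) { this.ads = ads; this.kim = kim; }

    // Slide rule: ID starts with "ADS" or namespace equals "ADS" -> ADS, else delegate.
    // Assumption: match "ADS:" including the separator, stricter than the slide wording.
    static boolean isAds(String groupId, String namespace) {
        return ADS.equals(namespace) || (groupId != null && groupId.startsWith(ADS + ":"));
    }

    // ID format from the slide: "ADS" plus the group name, e.g. ADS:MyAdsGroupName.
    static String adsGroupId(String groupName) { return ADS + ":" + groupName; }

    private GroupStore storeFor(String groupId) { return isAds(groupId, null) ? ads : kim; }

    // Membership check that follows nested groups across both stores.
    boolean isMemberOfGroup(String principalId, String groupId) {
        Deque<String> pending = new ArrayDeque<>(List.of(groupId));
        Set<String> visited = new HashSet<>();
        while (!pending.isEmpty()) {
            String id = pending.pop();
            if (!visited.add(id)) continue;            // already expanded: break the cycle
            Group g = storeFor(id).load(id);
            if (g == null) continue;                   // unknown group grants nothing
            if (g.principalIds().contains(principalId)) return true;
            pending.addAll(g.memberGroupIds());
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed data: KIM group 1001 nests ADS:Finance; the two ADS groups nest each other.
        Map<String, Group> adsData = Map.of(
            adsGroupId("Finance"), new Group(Set.of("0001"), Set.of(adsGroupId("Auditors"))),
            adsGroupId("Auditors"), new Group(Set.of("0002"), Set.of(adsGroupId("Finance"))));
        Map<String, Group> kimData = Map.of(
            "1001", new Group(Set.of("0003"), Set.of(adsGroupId("Finance"))));
        AdsAwareGroupService svc = new AdsAwareGroupService(adsData::get, kimData::get);
        System.out.println("0002 in 1001: " + svc.isMemberOfGroup("0002", "1001"));
        System.out.println("0009 in 1001: " + svc.isMemberOfGroup("0009", "1001"));
        System.out.println("ADSL-Team routed to ADS: " + isAds("ADSL-Team", null));
    }
}
```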
12
AUTHENTICATION
- Use a customized version of CAS
- Override the default AuthenticationService implementation
- Pulls authenticated principal name from our custom CAS filter which we use for Java applications
13
USER INTERFACES
- Person – isn’t used to maintain person data, but does permit role/group assignment
- Group – can be used to create and edit groups unless their namespace is “ADS”
  – Accomplished using permissions
- Role – using out-of-the-box implementation
14
FUTURE PLANS
- Upgrade to Rice 1.0.3 – early 2011
- Kuali Coeus 3.0 – coming July 2011
- Kuali Financial System – full implementation – Q4 2012
- Integrate Role assignment with our HR system at time of hire or position change
- Integrate KIM roles and permissions with our Decision Support and reporting environments
- Begin modeling more Roles at IU using KIM to facilitate authz and role-based routing