1. University of Michigan MCommunity Project Liz Salley (salley@umich.edu) Product Manager, Michigan Administrative Information Services Luke Tracy (ltracy@umich.edu) MCommunity Co-Technical Lead, Information Technology Central Services http://www.itcs.umich.edu/mcommunity/ 1

2. Project Overview Who’s in, who’s out. MCommunity will allow the University to know who is and is not a member of the U-M community so that central University offices, departments, schools, colleges, and campuses can grant and remove access to online resources as needed and appropriate. Managed data for managed access. It will provide identity management, roles management, data sharing and reconciliation, and directory services for U-M. It will bring together data from multiple institutional sources and will organize, present, and secure the data in a way that is particularly well suited to managing access to University resources. A collaborative effort. Planning for, and development of, MCommunity is a collaborative effort across U-M IT units and across the many units that will use the new system. 2

3. Project Overview One-stop directory shop. MCommunity will provide units and end users with a "one-stop directory shop" for provisioning of services, access control, and directory-enabled applications. Robust tools. It will provide a robust set of tools that include/enable: –Identity and life-cycle management –Real-time provisioning of central IT resources –Real-time provisioning of local IT resources –Clearly defined and documented programming interfaces –Auditing system –Integrated workflow 3

4. MCommunity Project Architecture 4

5. Live data feed from Human Resources and main campus Student System of Record. Nightly updates from remote campus Student Systems of Record. Nightly updates from Development/Alumni System of Record. New Sponsor System for creating and managing identities for sponsored affiliates, people who are affiliated with the University but who do not appear in any of the official University Systems of Record. –Sponsored affiliates include, for example, conference attendees, contractors, incoming faculty who need access to U-M resources before the hiring process is complete, and others. –Support for both strong and weak identities. All person data from above systems fed into a secure person registry. 5

6. MCommunity Project Architecture Inside the person registry. Real-time identity matching and reconciliation, institutional data precedence rules, data normalization, regulatory privacy policy, and identity lifecycle processing occurs in the person registry. Exception handling. Workflow system is utilized for exception handling. In real time. Distilled identities are populated and maintained in the directory in real-time. In the directory. Institutional Roles, User Groups, Departmental Roles, and departmental attributes exist in the directory. One stop for IT provisioning. Directory functions as the one-stop directory shop for IT provisioning. 6

7. MCommunity Project Architecture Real-time bi-directional provisioning tools facilitate central and departmental IT provisioning. Full LDAP access provided through a replica of the directory to facilitate business-rule verification prior to committal to directory. All components of MCommunity are instrumented for central auditing and logging, enabling event correlation and incident response. 7

8. MCommunity 2009 Timeline Early 2009 The new MCommunity online directory will be made available Programmatic access to the Sponsor System LDAP access to MCommunity for U-M system administrators Uniqname self-registration for sponsored affiliates Mid 2009 MCommunity departmental roles management Late 2009 ITCS will begin to use MCommunity to provision its Basic Computing Package http://www.itd.umich.edu/mcommunity/roadmap/ 8

9. MCommunity 2009 Timeline Early 2009 (con’t) The new MCommunity online directory will be made available. For most members of the U-M community, this will be the visible debut of MCommunity. There will be changes in how people look up people and group entries, how they modify their own entries, and how they create and manage groups. There will also be changes in what information is available to the general public and to members of the University community. The U-M Online Directory will remain available behind the scenes for some time so that departments can transition their systems to access MCommunity instead. 9

10. MCommunity 2009 Timeline Early 2009 (con’t) Programmatic access to the Sponsor System will allow units to begin to transition their applications that interact with uniqname now to working with MCommunity. This access will likely be provided via a consumable web service. Command-line access will also be provided. LDAP access to MCommunity will be made available to U-M system administrators. 10

11. MCommunity 2009 Timeline Early 2009 (con’t) Uniqname self-registration for sponsored affiliates will be added to the Sponsor System. This will allow sponsored individuals to select a uniqname and password themselves via a web interface. This will be similar to the uniqname self-registration process already available to new staff, new Ann Arbor students, and alumni. Minor changes to the uniqname self-registration process for staff and students may be required. 11

12. MCommunity 2009 Timeline Mid 2009 MCommunity will introduce a tool that departments can use for departmental role management in MCommunity. Late 2009 ITCS will begin to use MCommunity to provision its Basic Computing Package, as well as some other campus services. After that, MCommunity will offer a way for departments to do their own service provisioning through MCommunity. 12

13. Questions? 13