1. 1 Good morning!
My name is George Bryan and I am the (hold on - look at badge) project lead for the Active Directory Service. I am accompanied by Mike Kanofsky who is the Technology Expert for AD. The Active Directory Service at UF is affectionately known as UFAD (the Open-Systems group I am sure has other names for us. Just kidding!) and is under the auspices of the Bridges project at UF. Keep in mind, Mike is the Expert, it says so in his title, so if you have a question do not hesitate to ask HIM. Since there is no Expert in my title I have an excuse should I not be able to answer your question adequately.
We are honored to be here today and will be presenting an Account provisioning solution using MIIS 2003. We will be covering design elements that went into our use of MIIS as well as other pertinent topics which influenced our design and use of the product. It is our intention to present things we found interesting and would be of interest to those attending.
We understand there are a myriad of account provisioning solutions and I am sure all of them are well suited. We think what we have is pretty special and are pleased to present our findings today.
As you know, there are many paths to the top of Mount Rainier, but once the top is reached the view is the same. Unfortunately Mike and I are still trying to reach the top. My hat's off to those of you who have made it. If you could be so kind as to send a little help back for those of us still struggling.
2. 2 Design Elements
Architecture
Account Management
Network Managed By
Organizational Unit Structure
Auto-Groups
Password Management
There are many pertinent design elements that went into the implementation of MIIS for UF.
We list them in general here and we will explain them fully in the following slides.
Note the two fellows on the left; they bear no resemblance to Mike and me, since they appear to know exactly what they are doing.
As Mike constantly reminds me, it would be a lot better if we just knew what we were doing.
My response is always, "Where's the fun in that?"
You decide.
3. 3 46,000 undergrads
15,000 faculty / staff
4. 4 Design Elements Architecture
Account provisioning design is based on Windows 2003 Native Mode configured for Single Forest and Single Domain
User accounts and groups are provisioned using authoritative data sources (PeopleSoft, Campus Registry, and Registrar)
Schema extensions for custom attributes and permissions were added to Active Directory and the MIIS Metaverse
MS SQL 2000 provides a staging area for all data sources and a single authoritative data source for MIIS
MIIS performs the role of broker for all user accounts.
Custom .NET applications are used to maintain Auto-Groups.
When I first arrived at UF I heard the term broker, and now I know what that means.
We are very pleased with the flexibility we obtained by using SQL. The environment is very flexible.
5. 5 Design Elements Account Management
All faculty, staff and students are represented in Active Directory.
Accounts are uniquely identified by their UFID (employeeID)
All accounts are attributable to persons with the exception of authorized management and service accounts
Accounts are a single credential for web, PeopleSoft and LAN
Account objects are placed into Active Directory according to their Network Managed By attribute
Source of account management data is Campus Registry (DB2).
Types of account management transactions include create, delete, update, disable and enable
Account transactions are processed every 15 minutes
Account management is global, rights management is local
6. 6 Design Elements Network Managed By
Network Managed By attribute controls the user's Organizational Unit
Initially Network Managed By is set to the user's Home department according to the HR data in PeopleSoft
Enables a user's account to be managed by a department other than their Home department
Dual appointments (users appointed in more than one department) must be mitigated by the unit administrators of those departments. The CIO has final authority in case of discrepancy
Security Groups can be used as an alternative to Network Managed By for managing user objects
Changes to the Network Managed By attribute are limited to Directory Coordinators
Network Managed By is a misnomer. It should be User Managed By, but that's what you get when a committee starts naming stuff for you!
7. 7 Design Elements
8. 8 Design Elements Organizational Unit Structure
Based on DepartmentID from HR tree-node data from PeopleSoft
There are provisions for colleges/departments to customize the HR structure if necessary to conform to IT structure
Edits to the HR structure must be approved at college level
Types of edits are:
Custom Names: Shorter names to make OUs more identifiable.
Pruning Levels: Compress OU levels to facilitate administration.
Custom OUs: Create a placeholder OU to hold other units.
Custom Parents: Units not directly under parent unit structure.
Redirect: Redirect users into a specified OU
Story of the short names by HR.
9. 9 Design Elements
10. 10 Design Elements Auto-Groups
Unit Auto-Groups
Based on Organizational Unit membership
Student Course Auto-Groups based on student course data
Permissions assigned according to FERPA requirements
Members tab on course available to unit administrators and faculty only
Member of tab on student object available to unit administrators and faculty only
Read Group Membership security group created to secure these attributes
Administrators and Faculty held to special trust agreement
Updated once daily from Student Warehouse (MS SQL 2000)
Custom .NET applications used to create and manage Auto-Groups.
11. 11 Design Elements
12. 12 Design Elements
13. 13 Design Elements Securing Student Auto-Groups
Changes to Built-in Groups:
Remove Authenticated Users from Pre-Windows 2000 Compatible Access
For OU containing Student Auto-Groups:
Add a DENY for Domain Users for Read Member for Group objects
Add Authenticated Users Read permissions for This object and all child objects
Note: in the Advanced view these Read permissions appear as:
Grant List Contents
Grant Read All Properties
Grant Read Permissions
For each group in the Student Course Auto-Groups OU
Remove Read All Properties from Authenticated Users
Remove Read All Properties From Self
Add Read permissions for Read Group Members (users with delegated authority to read group membership)
User OU permissions
Add Read permissions for Read Group Members for This object and all child objects
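The steps above, carried out with the ActiveDirectory module and System.DirectoryServices. This is an added example, not UFAD's own code: the two OU distinguished names are assumptions, and the "Read Group Members" group is assumed to exist already. The design relies on ACE ordering: AD evaluates explicit deny, explicit allow, inherited deny, inherited allow, so the explicit allow placed on each group object beats the inherited Domain Users deny for a faculty reader who is also a Domain User. If that allow were instead inherited from the OU, the inherited deny would win.

```powershell
# Added example, not UFAD's code: the ACL steps on this slide, applied with the ActiveDirectory
# module's AD: drive and System.DirectoryServices. The OU DNs are assumptions; 'Read Group Members'
# is the delegated-reader group the slide names and is assumed to exist already.
Import-Module ActiveDirectory
$Domain        = Get-ADDomain
$CourseGroupOU = "OU=Student Course Auto-Groups,$($Domain.DistinguishedName)"   # assumed DN
$UserOU        = "OU=People,$($Domain.DistinguishedName)"                        # assumed DN
$ReaderSid     = (Get-ADGroup 'Read Group Members').SID

# Well-known SIDs and schema GUIDs; these are the same in every AD forest.
$DomainUsers = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::AccountDomainUsersSid, $Domain.DomainSID)
$AuthUsers   = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$Self        = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
$MemberAttr  = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attributeSchema: member
$GroupClass  = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # classSchema: group

function New-Ace {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'None',
        [Guid]$ObjectType = [Guid]::Empty,        # attribute the ACE is limited to (empty = all)
        [Guid]$InheritedClass = [Guid]::Empty     # object class an inherited ACE applies to
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $Rights, $Type, $ObjectType, $Inherit, $InheritedClass)
}

function Edit-AdAcl([string]$Dn, [scriptblock]$Change) {
    # Read-modify-write of one object's DACL through the AD: drive.
    $acl = Get-Acl -Path "AD:\$Dn"
    & $Change $acl
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Built-in group: Authenticated Users (foreign security principal S-1-5-11) leaves
#    Pre-Windows 2000 Compatible Access, so its blanket read rights stop applying.
Remove-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Confirm:$false `
    -Members "CN=S-1-5-11,CN=ForeignSecurityPrincipals,$($Domain.DistinguishedName)"

# 2. OU holding the course groups: inherited deny on 'member' for Domain Users, scoped to
#    group objects, plus inherited read (List Contents + Read All Properties + Read Permissions
#    = GenericRead) for Authenticated Users so the OU itself stays browsable.
Edit-AdAcl $CourseGroupOU {
    param($acl)
    $acl.AddAccessRule((New-Ace $DomainUsers ReadProperty Deny Descendents $MemberAttr $GroupClass))
    $acl.AddAccessRule((New-Ace $AuthUsers GenericRead Allow All))
}

# 3. Each course group: strip the explicit Read All Properties that the default group descriptor
#    grants Authenticated Users and Self (RemoveAccessRule takes only the ReadProperty right out
#    of matching explicit ACEs and is a no-op where none exists), then grant the delegated
#    readers an explicit read, which is evaluated before the inherited deny from step 2.
Get-ADGroup -Filter * -SearchBase $CourseGroupOU -SearchScope OneLevel | ForEach-Object {
    Edit-AdAcl $_.DistinguishedName {
        param($acl)
        foreach ($sid in @($AuthUsers, $Self)) {
            [void]$acl.RemoveAccessRule((New-Ace $sid ReadProperty Allow))
        }
        $acl.AddAccessRule((New-Ace $ReaderSid GenericRead Allow))
    }
}

# 4. User OU: the same readers may see 'Member Of' on student objects.
Edit-AdAcl $UserOU { param($acl) $acl.AddAccessRule((New-Ace $ReaderSid GenericRead Allow All)) }

function Get-MemberAce([string]$GroupDn) {
    # Every ACE that can touch 'member' on one group, listed in the order AD evaluates them:
    # explicit deny, explicit allow, inherited deny, inherited allow.
    (Get-Acl -Path "AD:\$GroupDn").Access |
        Where-Object { $_.ObjectType -in @($MemberAttr, [Guid]::Empty) } |
        Sort-Object IsInherited, @{ Expression = 'AccessControlType'; Descending = $true } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited
}
```

Verify the result from two sessions rather than by reading ACLs alone: as a plain student account, `Get-ADGroup <course group> -Properties member` should return an empty member list, while a member of Read Group Members sees the roster; `Get-MemberAce` shows why. Two practitioner caveats: step 1 can break legacy systems that depend on the Pre-Windows 2000 Compatible Access read rights, so confirm nothing in the environment relies on it before removing the entry, and the ACL changes take effect on replication, so test on one group before looping over the whole OU.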
14. 14 Design Elements Securing Student Auto-Groups
15. 15 Design Elements Securing Student Auto-Groups
16. 16 Design Elements Securing Student Auto-Groups
17. 17 Design Elements Securing Student Auto-Groups
18. 18 Design Elements Securing Student Auto-Groups
19. 19 Design Elements Password management policy
Password management policy includes five security roles and is enforced within a single domain
Schema extension (GLPwdExpired) for password management
Password Expiration notification script
Passwords are managed by UF Bridges according to the UF password policy
Password changes are accomplished using LDAPS from middleware maintained currently by Academic Technologies. This system will be replaced in Q4 of this year with a web-services component we will maintain
20. 20 MIIS Components MIIS is a State-Based system.
State-based systems do not expect to be specifically notified when their source data changes. Instead, they rely on knowledge of the state of the data before and after the change in order to infer that a change has taken place.
21. 21 MIIS Components MIIS makes use of Holograms.
MIIS achieves its knowledge of data changes by storing a hologram, which represents the current view of the data stored in the Connected Directory (CD).
During a subsequent check of the data in the connected directory, the data in the CD is read and compared with the hologram. If any differences are detected between the two (for example, the values for the Job Title attribute do not match), a change is inferred, and the change is passed to the MIIS 2003 Sync Engine to be propagated into the Metaverse and to other connected directories.
22. 22 MIIS Components State-Based Versus Transaction-Based Systems
State-based systems expend more resources reading data from the CD than event-based systems do, but benefit from not having to manage change messages.
In addition, they simply require the ability to read from (and perhaps write to) the connected systems; no agents are required at the CD systems to send and receive change messages.
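The hologram comparison of slides 20-22, written out as code and mapped onto the account transactions slide 5 lists (create, update, disable, enable, delete). This is an added example, not MIIS code: both tables are constructed sample data keyed by UFID (employeeID), the attribute names are assumptions, and the delete cap is a safeguard added here rather than something the page describes.

```powershell
# Added example, not MIIS code: state-based change detection as slides 20-22 describe it,
# producing the transaction types of slide 5. Sample tables are constructed; in MIIS the
# hologram lives in the connector space and is refreshed on every import.

function Get-StateDeltas {
    param(
        [hashtable]$Hologram,      # state recorded after the last run: UFID -> @{ attribute = value }
        [hashtable]$Current,       # state just read from the connected directory (CD)
        [string[]]$Attributes,     # attributes the management agent flows; others are ignored
        [int]$MaxDeletes = 100     # safeguard against an empty or truncated source feed
    )
    $deltas = New-Object System.Collections.Generic.List[object]
    foreach ($id in $Current.Keys) {
        if (-not $Hologram.ContainsKey($id)) {
            $deltas.Add([pscustomobject]@{ UFID = $id; Op = 'create'; Changes = $Current[$id] })
            continue
        }
        $changed = @{}
        foreach ($a in $Attributes) {
            if ($Hologram[$id][$a] -ne $Current[$id][$a]) { $changed[$a] = $Current[$id][$a] }
        }
        if ($changed.Count -eq 0) { continue }   # identical to the hologram: no change inferred
        # A flip of the registry status is the enable/disable transaction; anything else is an update.
        $op = 'update'
        if ($changed.ContainsKey('status')) {
            $op = if ($changed['status'] -eq 'active') { 'enable' } else { 'disable' }
        }
        $deltas.Add([pscustomobject]@{ UFID = $id; Op = $op; Changes = $changed })
    }
    foreach ($id in $Hologram.Keys) {
        if (-not $Current.ContainsKey($id)) {
            $deltas.Add([pscustomobject]@{ UFID = $id; Op = 'delete'; Changes = @{} })
        }
    }
    # A state-based engine cannot tell "everyone left" from "the feed came back empty";
    # refuse to propagate a mass delete and let a human look first.
    $deleteCount = @($deltas | Where-Object Op -eq 'delete').Count
    if ($deleteCount -gt $MaxDeletes) {
        throw "Refusing to propagate $deleteCount deletes (limit $MaxDeletes); check the source feed"
    }
    return $deltas
}

# Constructed sample: the hologram stored after the previous delta import ...
$hologram = @{
    '10000001' = @{ givenName = 'Ann'; sn = 'Lee'; title = 'Analyst';   status = 'active'; dept = 'CNS' }
    '10000002' = @{ givenName = 'Bob'; sn = 'Ray'; title = 'Professor'; status = 'active'; dept = 'CLAS' }
    '10000003' = @{ givenName = 'Cy';  sn = 'Ng';  title = 'Student';   status = 'active'; dept = 'ENG' }
}
# ... and the Campus Registry as read fifteen minutes later: Ann promoted, Bob separated,
# Cy gone from the source, Dee newly hired. 'dept' is not a flowed attribute, so Ann's
# department change is not reported as a change by this agent.
$current = @{
    '10000001' = @{ givenName = 'Ann'; sn = 'Lee'; title = 'Manager';   status = 'active';   dept = 'ICT' }
    '10000002' = @{ givenName = 'Bob'; sn = 'Ray'; title = 'Professor'; status = 'inactive'; dept = 'CLAS' }
    '10000004' = @{ givenName = 'Dee'; sn = 'Ho';  title = 'Lecturer';  status = 'active';   dept = 'CLAS' }
}
$flowed = 'givenName', 'sn', 'title', 'status'

$deltas = Get-StateDeltas -Hologram $hologram -Current $current -Attributes $flowed
$deltas | Sort-Object UFID |
    ForEach-Object { '{0} {1,-7} {2}' -f $_.UFID, $_.Op, ($_.Changes.Keys -join ',') }

# Only after the deltas have been exported successfully does the current read become the
# new hologram. If the export fails, the old hologram stays and the same change is inferred
# again on the next run, which is the property that makes the approach robust without change messages.
$hologram = $current
```

The cost the slide mentions is visible here: every run reads and compares the whole table, whereas an event-based feed would hand over only the four changed rows. The benefit is that a missed run, a crashed export, or a restore of the CD from backup needs no replay of queued messages; the next comparison simply finds the difference again.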
23. 23 MIIS Components Metaverse
The metaverse (MV) is a set of tables within MIIS 2003 that contain the integrated (joined) identity information from multiple connected sources. All identity information about a specific person or object that is stored in multiple connected sources is synthesized into a single entry in the metaverse.
Connector Space
The connector space is a storage area, or staging area, that is used by management agents to move data into and out of a connected data source. Each connected data source has its own logical area in the connector space, which is managed by its corresponding management agent. The connector space is essentially a mirror of the related connected data source, with each object in the connected data source having a corresponding entry in the connector space. The connector space does not contain the connected directory object itself, but a subset of the object's attributes, as defined by the management agent.
Connected Data Sources
A connected data source is a directory, database, or other data repository that contains identity data to be integrated with the Metadirectory. Connected data sources can be enterprise directories, HR databases, or data in flat files such as LDIF, XML or delimited text.
Management Agents
A management agent links a specific connected data source to the metadirectory. The management agent is responsible for moving data between the connected data source and the metadirectory. When data in the Metadirectory is modified (including object additions and deletions), the management agent can also export the changes out to the connected data source to keep the connected data source synchronized with the Metadirectory. Generally, there is at least one management agent for each connected directory.
24. 24 Data Flow
25. 25 SQL DTS packages (Data Transformation Services)
Fetch
Backups
Clean MIIS Logs
Auto-Groups
Student Groups
26. 26
27. 27
28. 28 MIIS Components MIIS Event Schedule
Deltas for user and group updates occur every 15 minutes.
Full Import and Synchronization performed each evening as basic maintenance before backups.
29. 29 Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0
A set of command-line and UI-based tools for remote administration and configuration of a server running Microsoft Identity Integration Server 2003. Requires the .NET 1.1 Framework. Some of the tools we find most useful:
AttributeFlowViewer
All Metaverse attribute information exported to an HTML file for ease of viewing.
MASequencer
Used to automate the order in which management agents are run. It can also perform stop, resume, or pause operations interactively on the management agents. MASequencer uses input from an XML file, which contains information about the management agents to be sequenced.
MASequenceConfiguration
Generates an XML file used as an input for MASequencer. You can also use MASequenceConfiguration to start the sequence of management agent run profiles instead of masequencer.
MIIS Service Monitor
Polls an MIIS 2003 server at regular intervals and returns system statistics
Complete description in Online Help or through the URL listed here: http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
Other Tools:
Clearmiisrunhist.vbs
A VBS script we created that clears MIIS run history through WMI and keeps X number of days before current date.
MIIS Document Generator
Documenter takes the output XML files created by MIIS 2003 and produces a Word report which documents your system. It achieves this by producing a text file which is imported into a MIIS report template by a Microsoft Word macro and converted into the report.
The final report can be customized using a control file and further enhanced using additional Microsoft Word documents, specifically you can:
Insert other Microsoft Word documents into the report
Insert the contents of text files into the report
Insert comments from the control file to explain the use of management agents, attributes and flow rules.
About $300.
Talk about importance of clearing MIIS activity log.
30. 30 MIIS Advantages / Disadvantages
Advantages:
Built-in reporting.
Tight Integration with Visual Studio for debugging and troubleshooting.
Expands easily to accommodate new Connected Directories.
Management Agents that port to a wide spectrum of platforms, plus provisions for writing your own custom MAs.
Out-of-the-box connectivity to most network operating systems (NOS), e-mail, database, directory, application, and even flat-file access.
Saves a lot of tedious code writing.
WMI integration allows MIIS 2003 to be interfaced to management consoles like Microsoft Operations Manager (MOM), HP OpenView, Tivoli, and other third-party consoles.
Can also provide password management across multiple platforms.
Disadvantages:
Cost about $8,000 per processor
Requires Enterprise SQL. This can be offset by purchasing per CAL for SQL.
Requires provisioning code. More advanced features require more code.
Multi-valued Fields in SQL 2000 not supported currently. Can be overcome by custom code.
31. 31 Microsoft Identity Integration Server 2003
Resources:
Whitepapers:
http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
NETPRO Directory Experts Conference:
http://www.netpro.com/events/dec2005/agenda.cfm
Microsoft Identity Integration Server Users Group:
MSUG@yahoogroups.com
MMSUG-subscribe@yahoogroups.com
MIIS 2003, Enterprise Edition Training
http://www.sqlsoft.com/Public/Promos/MIIS2003/?Ref=MIIS
MIIS Alliance
http://www.miis-alliance.com/news/050314.html
NetPro's - Mission Control for managing MIIS
http://www.miis-alliance.com/resources/NetPro_MissionControl_for_MIIS_datasheet.pdf
Future Projects:
GAL SYNCH with Shands Teaching Hospital
Campus Wide LDAP with ADAM
32. 32 Additional Info
See the UFAD web site at www.ad.ufl.edu
Contact George Bryan (grbryan@ufl.edu) or Mike Kanofsky (mikekano@ufl.edu)
33. 33
34. 34 Multiple Password Policies
User Security Roles implemented in PeopleSoft
Enforced in UFAD
Schema extension GLPwdExpired
GLPwdExpired comes from Portal when password is set.
Backend process on SQL server resets user passwords to random value if they have not reset their password by the expiration time
Eliminates need for multiple domains
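The backend sweep described on this slide, as an added example written for the ActiveDirectory module rather than UF Bridges' own code. GLPwdExpired is the schema extension the slide names; that it holds a Generalized-Time deadline set by the Portal is an assumption, as is the attribute syntax the LDAP filter relies on. The generator enforces the three-of-four character-class rule from the GatorLink policy; the dictionary-word check is not implemented here.

```powershell
# Added example, not UF Bridges' code: the scheduled backend sweep slide 34 describes.
# Assumptions: GLPwdExpired is a Generalized-Time deadline written by the Portal, and the
# job runs as an account that holds only the "Reset Password" right on the user OUs.
Import-Module ActiveDirectory

function Test-PasswordClasses([string]$Password) {
    # Number of the four GatorLink classes (upper, lower, digit, punctuation) present.
    $classes = '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]'
    return @($classes | Where-Object { $Password -cmatch $_ }).Count
}

function New-RandomPassword([int]$Length = 24) {
    # Cryptographic RNG with rejection sampling, so no character is favoured by modulo bias.
    # Ambiguous glyphs (0/O, 1/l/I) are left out; nobody is meant to read this value anyway.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] ($Length * 2)
        $rng.GetBytes($bytes)
        $chars = $bytes | Where-Object { $_ -lt $limit } | Select-Object -First $Length |
                 ForEach-Object { $alphabet[$_ % $alphabet.Length] }
        $pw = -join $chars
    } until ($pw.Length -eq $Length -and (Test-PasswordClasses $pw) -ge 3)
    return $pw
}

function Reset-ExpiredGatorLinkPasswords {
    [CmdletBinding(SupportsShouldProcess)]
    param([datetime]$Now = (Get-Date))
    # Enabled accounts whose deadline has passed. The matching rule 1.2.840.113556.1.4.803
    # (bitwise AND) on userAccountControl bit 2 skips accounts that are already disabled.
    $deadline = $Now.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $filter   = "(&(GLPwdExpired<=$deadline)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $users    = @(Get-ADUser -LDAPFilter $filter -Properties GLPwdExpired)
    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "reset password expired $($u.GLPwdExpired)")) {
            # The random value is used once and never logged or shown; the user re-establishes
            # a password through the Portal, which then writes a fresh GLPwdExpired.
            $secret = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            Set-ADAccountPassword -Identity $u -Reset -NewPassword $secret
        }
    }
    return $users.Count    # accounts that met the criteria, whether or not a reset was performed
}

Reset-ExpiredGatorLinkPasswords -WhatIf    # dry run: lists who would be reset, changes nothing
```

Run it with -WhatIf from the scheduler first and compare the count against the notification script's mailing list from slide 36; a mismatch usually means the Portal and the sweep disagree on time zone. Note that Set-ADAccountPassword talks to the domain controller through Active Directory Web Services, not the LDAPS path slide 19 describes for the middleware; both keep the new secret off the wire in clear text.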
35. 35 Password Expiration Notification Messages
36. 36 Password Notification Script
37. 37 GatorLink Password Policy
The GatorLink username and password is the University standard username and password for authentication for all new information systems. The University uses a role-based approach for providing access to these systems. Each person affiliated with UF has one or more security roles. Each security role has an associated password policy. If an individual has several roles with conflicting password policies, the strongest policy applies.
This policy is guided by the following principles:
Five levels of password policy are necessary, each with a different set of requirements for password creation and reset. (See Attachment A).
The assignment of a password policy is based on an individual's security role(s) and is not an automatic result of an affiliation or staff position.
Passwords must include three of the following four elements: upper-case letters, lower-case letters, digits and punctuation. Passwords may not contain words found in a dictionary.
Passwords will expire during UF Help Desk business hours.
GatorLink passwords and security roles, and the resulting association of password policy to a user, are held in the PeopleSoft Enterprise Portal system (myUFL) and managed by UF Bridges
38. 38 UF's Password Roles
39. 39
40. 40 Exchange 2003 Implementation Challenges
Multiple Administrative Groups
Multiple Routing Groups
Routing Group connectors
Multiple Recipient Policies
Multiple Address Book Views
Many now based on Auto-Groups
Display Names pulled from Campus Registry
Intelligent Message Filter
41. 41 Exchange Administrative Groups and Routing
42. 42 Exchange 2003 Front-end Design
Centralized Front-ends available to all departments
AEP SSL Accelerator cards used to enhance performance
Additions from MessageWare
Enhanced Address Book
Spell Checker in Basic web client
Design to be enhanced with ISA Server 2004 and Rainfinity Rainwall
Rainwall provides High Availability Load Balancing for ISA Server
43. 43 Exchange 2003 Front-end Design
44. 44 Exchange Theme Customization
45. 45 OWA Customization
46. 46 MessageWare PlusPack
Adds Spellchecker to basic client
Enhanced Address Book Viewer
47. 47 Thanks, any questions, ridicule, taunts?