Join Jon Giltner, Director of IT Architecture and Security at the University of Colorado, as he discusses the ongoing directory management and governance at the university. Learn about the background of the project, the challenges faced, and the strategies implemented. This workshop aims to share experiences and provide an open discussion and Q&A session.
Life After Implementation
On-going Directory Management and Governance
Sharing Experiences
Jon Giltner, Director of IT Architecture and Security, Information Technology Services, University of Colorado at Boulder
jon.giltner@colorado.edu
Agenda
• CU Directory Project Background
• Directory Governance
• Directory Management
• Open Discussion / Q & A
CAMP Directory Workshop Feb 3-6, 2004
University of Colorado System
• www.cu.edu
• www.uccs.edu
• www.colorado.edu
• www.cudenver.edu
• www.uchsc.edu
University of Colorado System
CU System Office
• Four campus PeopleSoft HR and GL System
• Four campus Student Information System (Mainframe Application)
• Four campus Data Warehouse (Oracle DB)
Each Campus
• Central IT Department
• IT Governance varies
• Numerous departments with autonomous IT staffing – “voluntary” coordinated governance.
January 2000 – Launch of Directory Services Project
Motivated By:
• Strong ties to Internet2, and specifically the I2 Middleware Initiative
• Applications needing LDAP services starting to appear on campus
• Unsatisfactory existing on-line white pages
• Data distribution from PS and SIS getting unmanageable
• Convergent vision of senior IT managers (effective evangelism or maybe just astrological planetary alignment)
Solidified By: President Hoffman’s Vision 2010 – Five Axioms:
• A University Without Walls – enabling a multidisciplinary effort across all four CU campuses.
• A Culture of Excellence – targeting areas for national prominence on each of the four campuses.
• Increasing resources and using them wisely – building significant endowments for scholarships, chairs and professorships.
• Diversity – bolstering diversity through aggressive recruitment and retention strategies for students, faculty and staff.
• An integrated infrastructure – using technology to enhance the quality of services to CU constituents across the entire system, and to expand online degree programs.
A Boulder campus initiative w/ cooperation from other campuses (esp. CU System)
CU Directory Services Project
Project goals:
• Trusted, authoritative source of data
• Identity, data and relationship management
• Usable by a variety of applications and services
• Authentication services (LDAP AuthN via Kerb V pass-through module)
• Foundation for campus-wide AuthN and AuthZ services
Project commissioning statement: Establish a framework for deploying and maintaining general purpose directory services for the University of Colorado at Boulder within the context of the University-wide environment.
Project Structure (diagram)
• Champion – Political conduit. Sustains momentum.
• Steering Team – Key decision-makers. Communication thru monthly meetings. Members: Registrar, Mgr CU Benefits Svcs, Dir. of Housing, IT Architect, Director of HR, Asst. VP UMS, Dir. ITS, Dir. Enrollment Management, Dean of Libraries
• Core Team – Provides detailed project work & conducts regular meetings
• Technical Team – Provides analysis, design, development, testing
• Big “Team” – all of the above
November 2001 – Boulder Campus Directory Goes Live
Success Factors
• Decision that it is not a technical project – lead with policy and process issues and establish on-going directory governance.
• Involvement from broad set of constituents
• Leverage best practices and lessons learned from others (I2 MACE-Dir, The Burton Group).
• Small initial implementation scope / Massive implication scope (see 1 & 2)
Measures of Success
• Technical & administrative silos engaged, not threatened.
• Representatives from all hierarchies ask to learn more.
• Community members ask to be involved.
• Application owners ask to use directory.
• Directory praises sung on the campus grapevine.
Small Hammers: Directory Policy and Identity Management Policy
Project Timeline (figure)
Basic Directory Architecture (diagram)
• Source systems: HR, SIS
• 4-Campus Registry (Oracle DB)
• Directory (SunONE Directory)
• Business Rules – defined with Campus SMEs
• Core Team and Steering Team
Other Boulder Campus Directories (diagram)
• Sources: HR, SIS, Sponsored
• Registry
• MetaMerge
• Campus Directory
• Calendar Instance
• OS X Instance
(OK, A Little Reality)
Source – Role – Identifier:
• HR – fac/staff – empID
• SIS – student – SID
• FIS – faculty – SSN
• Uniquid – accounts – unix ID
• IDcard – photos – ISO
• Telecom – phone locn – phone #
• Sponsored – Affiliate – SSN?
→ cuEduPerson – uuid
• Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
• Unique identifiers for each system
• Blending together to build a cuEduPerson
CU Directory Project Summary
• Boulder campus project with some 4-campus scope
• Goal from outset was to be an authoritative source of identity data for a wide variety of applications
• Steering team established to make hard decisions relating to use and manipulation of data
• Managed to succeed without Jon
Agenda
• CU Directory Project Background
• Directory Governance
• Directory Management
• Open Discussion / Q & A
Directory Governance Scope
Jon’s Postulate: Directory Governance = Enterprise Identity Management (At the Policy Level)
Project Steering Team
Established early during implementation to address issues such as:
• Data precedence / reconciliation
• Affiliation (role)
• Visibility of data beyond FERPA
• Appropriate uses of data
• Giving the project clout (example: incremental updates from PS and SIS)
• Championing across University
Challenge: Thinking bigger than “white pages”
Steering Team Member Criteria
• Policy maker at the campus or University level
AND / OR
• Knowledge expert in how the University conducts business (non technical)
Issue: Affiliation
Affiliation describes an individual’s relationship with the university. Affiliation is used for two primary purposes:
• To determine whether services should be granted to the user (check performed via a directory-enabled system)
• To determine what information should be displayed and/or made public for the individual associated with the entry.
More on Affiliation
The primary factor for determining access entitlements is a person’s affiliations with the University. Affiliation (i.e. Role) is determined from a combination of directory attributes:
• eduPersonAffiliation – Multi-valued; Controlled Vocabulary
• eduPersonPrimaryAffiliation – Single value; Controlled Vocabulary
• cuEduPersonCampus
• cuEduPersonHomeDepartment (faculty / staff)
• cuEduPersonMajor (student) (also minor and class)
• description – Multi-valued; “predictable” values
Affiliation/Services Matrix (figure)
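As an added example (not from the presentation), the kind of check a directory-enabled system performs against such a matrix: a small LDIF parser, a controlled-vocabulary validation step, and an entitlement function over eduPersonAffiliation and cuEduPersonCampus. The service matrix, the sample entry and the dn are constructed; the vocabulary is eduPerson's, and the validation step goes slightly beyond the slide by refusing to grant anything to an entry that fails it.

```python
# Affiliation-driven service entitlement over eduPerson attributes.
# Added example, not from the CU talk; the matrix and entry are constructed.
# eduPersonAffiliation controlled vocabulary (eduPerson object class).
CONTROLLED_VOCAB = {"faculty", "student", "staff", "alum", "member",
                    "affiliate", "employee", "library-walk-in"}

# Constructed affiliation/services matrix (not CU's): service ->
# (qualifying affiliations, campuses if campus-specific else None).
SERVICE_MATRIX = {
    "email":         ({"faculty", "staff", "student"}, None),
    "class-rosters": ({"faculty"}, None),
    "calendar":      ({"faculty", "staff"}, {"boulder"}),
    "rec-center":    ({"student"}, {"boulder"}),
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr: [values]} (keys lower-cased, multi-valued safe)."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def affiliation_problems(entry):
    """Entries breaking the controlled vocabulary need reconciling, not an access grant."""
    problems = [f"unknown affiliation {v!r}"
                for v in entry.get("edupersonaffiliation", [])
                if v not in CONTROLLED_VOCAB]
    if len(entry.get("edupersonprimaryaffiliation", [])) > 1:
        problems.append("eduPersonPrimaryAffiliation must be single-valued")
    return problems

def entitled_services(entry):
    """Services the entry qualifies for; an invalid or removed affiliation yields nothing."""
    if affiliation_problems(entry):
        return set()
    affs = set(entry.get("edupersonaffiliation", []))
    campuses = {c.lower() for c in entry.get("cuedupersoncampus", [])}
    return {svc for svc, (need, where) in SERVICE_MATRIX.items()
            if affs & need and (where is None or campuses & where)}

# Constructed sample entry (fictional person).
SAMPLE_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=edu
eduPersonAffiliation: student
eduPersonAffiliation: member
eduPersonPrimaryAffiliation: student
cuEduPersonCampus: Boulder"""
```

Running `entitled_services(parse_ldif_entry(SAMPLE_LDIF))` yields the Boulder student's services; a faculty entry on another campus loses the campus-specific ones.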
Issue: Directory Policy
http://www.colorado.edu/its/directoryservices/documents/policy.html
Establishes
• Directory Governance;
• Official Data Sources (the information systems from which the Directory will extract its data, create entries, and update entries, and upon which it will base its reconciliation);
• Directory Inclusion (categories of people who will be included in the CU-Boulder Directory);
• Directory Use (privacy requirements; who may have authenticated access to the Directory; who may pull data from the directory and for what purposes; and who must use the Directory)
Policy: Mandatory Use
Mandatory Directory Usage: All CU-Boulder campus-specific systems implemented after the advent of the Directory must be directory-enabled if affiliation-check, authorization or enterprise data is required by the newly implemented campus system. “Directory enablement” means using the Directory for determining affiliation, authentication, authorization, or for data reference.
Steering Becomes Governance
Post-deployment Issues
• Prioritization of new development (if needed)
• Review data use requests and requests for new data (e.g. class photo rosters)
• End-user (application) access to Registry database
• But mostly: Identity Management
Identity Management Policy
Establishes
• Trusted sources of identity data;
• “Sponsored” affiliation type (Note: difference from “sponsored” identity);
• Acceptable protocols for managing identity data;
• Triggers for removal of identity;
• Operational procedures related to identity
Identity Management
Other Identity Management Issues Contemplated by the DGB:
• “Local” vs. “Enterprise” identity data: application specific extensions to the directory
• Groups, roles, and delegated administration
• Services for expanded sets of affiliates: e.g. applicants and retired faculty
• Non person identities
Governance: What’s Ahead
More and Bigger Identity Management Issues:
• Reversing the data flow: getting new or changed directory data back into source system
• Large classes of potential service consumers who aren’t in source system: Alumni (vanity e-mail address), Former Students (transcript requests), Faculty/Staff Spouses (calendar viewing)
• Better processes for removing/changing affiliation (which can have a profound effect on access to services).
• Multi-campus identities and federated management between campuses and external to the University
What We Would Do Differently
A Mistake:
• The DGB does not have any direct control over funding
Governance Summary
• Early is good; elevates important issues out of technical realm
• Ensure authority to establish policy and generate action by including those who already have authority
• Embrace Massive Scope of Identity Management
Agenda
• CU Directory Project Background
• Directory Governance
• Directory Management
• Open Discussion / Q & A
Management?
Is it a product, a project, or a mature, operational service?
• No opportunity to have controlled releases
• No finite set of objectives
• Minimal ability to create a routine “service fulfillment” process
Management vs. Operations
Management
• Prioritization and oversight of directory related projects
• Primary interface to DGB
• Consulting with customers
• Policy compliance
• Data stewardship
• Communication and promotion
• Contribute to, but not ultimately accountable for, strategic positioning and architecture
Operations
• Monitoring for availability and performance
• Backups and replication
• Log file monitoring
• Deal with exceptions generated during various load processes (may require escalation)
• Upgrading and patching software and platform components
Directory Management Pitfalls
By nature, it becomes reactionary
• Source systems or data subject to change due to drivers unrelated to the directory or identity management
• New laws and regulations to comply with
• Requests for new data or new uses of data come with twists and at a rate much faster than the DGB can properly address them
• Multiple competing business drivers make prioritization difficult
The Solution: Pass the Buck
• Use the DGB for prioritization when appropriate
• Make it the duty of the DGB to resolve even tough issues in a timely manner
• Integrate authN/authZ tools with delegated administration into directory services: e.g. commercial identity and access management software
• The Directory is too flexible a framework: Build a Portal; or even two
Oh Yeah, and a Competent Manager
Job requirements:
• Ability to fully grasp complexities of the data and systems involved
• Ability to influence DGB
• Skilled project manager
• Skilled customer manager
• Willing to carry the weight of the world
And try not to burden with a lot of operational details
Management: What’s Ahead
Laundry List of Projects from our Directory Manager
• faculty welcome basket – rosters, course lists, key requests, ITS account requests, etc.
• ISO number included for business school integration
• self-update
• birthday message
• add physical location to dir
• directory-enable legacy applications – athletics ticketing, faculty information system, ASPupload, mailing services, iVote, parking services, housing, norlin, rec center, wardenburg, math mods, applied math
• replace Metamerge
• sponsored entry – individual and batch entry
• direct update to AD
• directory-enable email for life
• directory-enable account (de)provisioning process
• on-going involvement: WebCal, WebCT, cuConnect, IFS, EFL, Account provisioning
• grace periods / deprovisioning
• multiple uuid programming – correct duplicate entries
• dir-enable chinook electronic reserves
• integrate UCD
• integrate CS, HSC
• employee privacy policy
• more robust directory logging and stats
• include departmental listings in directory
• develop archiving plan
• email / send mail system
• registration ?
• printed directory
What We Would Do Differently
• Better separation of directory management and operations functions. Clearly defining role of Directory Manager. (We are in the process of fixing this)
Directory Management Summary
• Management and Operations are different functions
• Understand the importance of having a good directory manager and keeping the DGB engaged
• Directory management issues are often identity management issues. Address the source of the issue.
Agenda
• CU Directory Project Background
• Directory Governance
• Directory Management
• Open Discussion / Q & A