Life After Implementation: On-going Directory Management and Governance (Sharing Experiences). Jon Giltner, Director of IT Architecture and Security, Information Technology Services. Presentation transcript.


1 Life After Implementation: On-going Directory Management and Governance. Sharing Experiences. Jon Giltner, Director of IT Architecture and Security, Information Technology Services, University of Colorado at Boulder, jon.giltner@colorado.edu

2 CAMP Directory Workshop, Feb 3-6, 2004. Agenda:
- CU Directory Project Background
- Directory Governance
- Directory Management
- Open Discussion / Q & A

3 Agenda (section divider: CU Directory Project Background)

4 University of Colorado System: www.cu.edu, www.colorado.edu, www.cudenver.edu, www.uccs.edu, www.uchsc.edu

5 University of Colorado System
CU System Office:
  – Four-campus PeopleSoft HR and GL system
  – Four-campus Student Information System (mainframe application)
  – Four-campus data warehouse (Oracle DB)
Each campus:
  – Central IT department
  – IT governance varies
  – Numerous departments with autonomous IT staffing; “voluntary” coordinated governance

6 January 2000 – Launch of Directory Services Project
Motivated by:
  – Strong ties to Internet2, and specifically the I2 Middleware Initiative
  – Applications needing LDAP services starting to appear on campus
  – Unsatisfactory existing on-line white pages
  – Data distribution from PS and SIS getting unmanageable
  – Convergent vision of senior IT managers (effective evangelism, or maybe just astrological planetary alignment)
Solidified by President Hoffman’s Vision 2010, five axioms:
  – A University Without Walls: enabling a multidisciplinary effort across all four CU campuses.
  – A Culture of Excellence: targeting areas for national prominence on each of the four campuses.
  – Increasing resources and using them wisely: building significant endowments for scholarships, chairs and professorships.
  – Diversity: bolstering diversity through aggressive recruitment and retention strategies for students, faculty and staff.
  – An integrated infrastructure: using technology to enhance the quality of services to CU constituents across the entire system, and to expand online degree programs.
A Boulder campus initiative with cooperation from other campuses (especially CU System)

7 CU Directory Services Project
Project goals:
  – Trusted, authoritative source of data
  – Identity, data and relationship management
  – Usable by a variety of applications and services
  – Authentication services (LDAP AuthN via a Kerberos V pass-through module)
  – Foundation for campus-wide AuthN and AuthZ services
Project commissioning statement: Establish a framework for deploying and maintaining general purpose directory services for the University of Colorado at Boulder within the context of the University-wide environment.

8 Project Structure (Big “Team”)
Champion: political conduit; sustains momentum.
Steering Team: key decision-makers; communication through monthly meetings.
Technical Team: provides analysis, design, development, testing.
Core Team: provides detailed project work and conducts regular meetings.
Roles shown on the slide: Registrar; Mgr, CU Benefits Svcs; Dir. of Housing; IT Architect; Director of HR; Asst. VP UMS; Dir. ITS; Dir. Enrollment Management; Dean of Libraries

9 November 2001 – Boulder Campus Directory Goes Live
Success factors:
  1. Decision that it is not a technical project: lead with policy and process issues and establish on-going directory governance.
  2. Involvement from a broad set of constituents.
  3. Leverage best practices and lessons learned from others (I2 MACE-Dir, The Burton Group).
  4. Small initial implementation scope / massive implication scope (see 1 & 2).
Measures of success:
  1. Technical and administrative silos engaged, not threatened.
  2. Representatives from all hierarchies ask to learn more.
  3. Community members ask to be involved.
  4. Application owners ask to use the directory.
  5. Directory praises sung on the campus grapevine.
Small hammers: Directory Policy and Identity Management Policy

10 Project Timeline (figure)

11 Basic Directory Architecture (diagram): the source systems SIS and HR feed a four-campus Registry (Oracle DB), which in turn feeds the campus directory (SunONE Directory); business rules for the Registry come from the Core Team, the Steering Team and campus SMEs.

12 Other Boulder Campus Directories (diagram): the Registry (fed by HR, SIS and Sponsored entries) is synchronized through MetaMerge into the Campus Directory, a Calendar instance and an OS X instance.

13 (OK, A Little Reality)
- Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
- Unique identifiers for each system
- Blending together to build a cuEduPerson
Source       Role / content      Identifier
HR           fac/staff           empID
SIS          student             SID
FIS          faculty             SSN
Uniquid      accounts            unix ID
IDcard       photos              ISO
Telecom      phone location      phone #
Sponsored    affiliate           SSN?
cuEduPerson  (blended entry)     uuid
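The blending step on this slide, as an added example that is not code from the CU directory project: each source system supplies records keyed by its own identifier (empID, SID, SSN, unix ID), a registry links them into one person keyed by a uuid, attributes are taken by a precedence order, and any record whose identifiers point at two different people is quarantined instead of silently merging them (the duplicate-entry problem). The cross-reference rule (a record may carry identifiers it knows from other systems), the precedence order and the sample feeds are assumptions for illustration.

```python
"""Registry reconciliation: blend per-system records into one cuEduPerson-style entry.

Added example, not code from the CU directory project. Assumes each source
system supplies records carrying its own identifier (empID, SID, SSN, unix ID)
and, optionally, identifiers it knows from other systems, e.g. an HR record
for a student employee that also carries the SID. Cross-reference rule,
attribute precedence and sample records are assumptions for illustration.
"""
import uuid

# Identifier attribute that each source system owns (from the slide).
SOURCE_KEY = {"HR": "empID", "SIS": "SID", "FIS": "SSN", "Uniquid": "unixID"}
ID_ATTRS = frozenset(SOURCE_KEY.values())

# Data precedence: which source wins for a scalar attribute (assumption).
PRECEDENCE = {
    "sn": ["HR", "SIS", "FIS"],
    "givenName": ["HR", "SIS", "FIS"],
    "mail": ["Uniquid", "HR", "SIS"],
}


class Registry:
    def __init__(self, mint=None):
        self.mint = mint or (lambda: str(uuid.uuid4()))
        self.by_key = {}     # (identifier attr, value) -> registry uuid
        self.entries = {}    # uuid -> {source name: source record}
        self.conflicts = []  # records that would merge two existing people

    def load(self, source, record):
        """Attach a source record to a person. Returns the uuid, or None if the
        record was quarantined because its identifiers resolve to two different
        people (a duplicate entry that needs manual correction)."""
        if SOURCE_KEY.get(source) not in record:
            raise ValueError("record from %s lacks its own identifier" % source)
        ids = {(attr, record[attr]) for attr in ID_ATTRS if attr in record}
        found = {self.by_key[k] for k in ids if k in self.by_key}
        if len(found) > 1:
            self.conflicts.append({"source": source, "record": record,
                                   "uuids": sorted(found)})
            return None
        pid = found.pop() if found else self.mint()
        self.entries.setdefault(pid, {})[source] = record
        for k in ids:
            self.by_key[k] = pid   # every identifier now resolves to this person
        return pid

    def person(self, pid):
        """Blended view: affiliations from every source, scalars by precedence."""
        srcs = self.entries[pid]
        out = {
            "uuid": pid,
            "eduPersonAffiliation": sorted(
                {r["affiliation"] for r in srcs.values() if "affiliation" in r}),
        }
        for attr, order in PRECEDENCE.items():
            for s in order:
                if attr in srcs.get(s, {}):
                    out[attr] = srcs[s][attr]
                    break
        return out


# Constructed sample feeds (not real data); "redacted-1" stands in for an SSN.
HR_RECORDS = [
    {"empID": "E100", "SID": "S555", "sn": "Doe", "givenName": "Jane",
     "affiliation": "staff"},                        # student employee
]
SIS_RECORDS = [
    {"SID": "S555", "sn": "Doe", "givenName": "J.", "affiliation": "student"},
    {"SID": "S999", "sn": "Roe", "givenName": "Rick", "affiliation": "student"},
]
FIS_RECORDS = [
    {"SSN": "redacted-1", "empID": "E100", "affiliation": "faculty"},
]
UNIQUID_RECORDS = [
    {"unixID": "jdoe", "empID": "E100", "mail": "jdoe@example.edu"},
    {"unixID": "rroe", "empID": "E100", "SID": "S999"},  # bad cross-reference
]


def build_sample_registry():
    """Load the feeds in source-system order and return the registry."""
    reg = Registry()
    for source, records in (("HR", HR_RECORDS), ("SIS", SIS_RECORDS),
                            ("FIS", FIS_RECORDS), ("Uniquid", UNIQUID_RECORDS)):
        for rec in records:
            reg.load(source, rec)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for pid in reg.entries:
        print(reg.person(pid))
    print("quarantined:", [c["record"] for c in reg.conflicts])
```

The quarantine path is the security-relevant one: a bad cross-reference (here the second Uniquid record) would otherwise hand one person's account the affiliations, and therefore the services, of another, so the registry refuses the merge and leaves it for a human to resolve.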

14 CU Directory Project Summary
- Boulder campus project with some four-campus scope
- Goal from the outset was to be an authoritative source of identity data for a wide variety of applications
- Steering team established to make hard decisions relating to use and manipulation of data
- Managed to succeed without Jon

15 Agenda (section divider: Directory Governance)

16 Directory Governance Scope. Jon’s Postulate: Directory Governance = Enterprise Identity Management (at the policy level)

17 Project Steering Team
Established early during implementation to address issues such as:
  – Data precedence / reconciliation
  – Affiliation (role)
  – Visibility of data beyond FERPA
  – Appropriate uses of data
  – Giving the project clout (example: incremental updates from PS and SIS)
  – Championing across the University
Challenge: thinking bigger than “white pages”

18 Steering Team Member Criteria
- Policy maker at the campus or University level, AND / OR
- Knowledge expert in how the University conducts business (non-technical)

19 Issue: Affiliation
Affiliation describes an individual’s relationship with the university. Affiliation is used for two primary purposes:
- To determine whether services should be granted to the user (check performed via a directory-enabled system)
- To determine what information should be displayed and/or made public for the individual associated with the entry.
Affiliation matrix, columns DISPLAY/QUERY and SERVICE (the per-cell check marks are not legible in the transcript). Affiliations considered: Admitted Student; Confirmed Student; Parent?; Student; Staff; Faculty; Student Employee; Retiree; Employee Spouse; Alum; Sponsored (vendor?, contractor?, visiting faculty?); Directory-only Conference Attendee

20 More on Affiliation
The primary factor for determining access entitlements is a person’s affiliations with the University. Affiliation (i.e. role) is determined from a combination of directory attributes:
- eduPersonAffiliation: multi-valued; controlled vocabulary
- eduPersonPrimaryAffiliation: single-valued; controlled vocabulary
- cuEduPersonCampus
- cuEduPersonHomeDepartment (faculty / staff)
- cuEduPersonMajor (student) (also minor and class)
- description: multi-valued; “predictable” values

21 Affiliation/Services Matrix
Services (columns): dir list, email, idkey, lab, AD, modem, dhcp, web host acct, ememo, library, idcard, RTD, rec ctr, other, special conditions.
Affiliations (rows) with their special conditions (the yes/no cells are not legible in the transcript):
  – ContEd noncredit: PLUS; WebCT; current enrollment
  – campus ministries: special id card
  – clubs/orgs: UCSU-registered if student org; expire date
  – conference attendee: WebCT, WSHC; short term
  – vendor/contractor: services vary by vendor; expire per vendor
  – CU Agency list
  – alumni: (addr); PLUS
  – Foundation Staff
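The two decisions slides 19 to 21 describe (does this affiliation earn a service, and may the entry be displayed), carried through in code as an added example that is not code from the CU project. The entry is assumed to be a dict of attribute name to list of values, as LDAP client libraries return it; the services matrix, the 30-day grace period for expired sponsored entries, and the attributes sponsorExpires and cuEduPersonPrivacyFlag are assumptions for illustration, not CU-Boulder's schema or policy. It also shows the one check a directory-enabled application must not skip when it builds its affiliation query from a user-supplied uid: RFC 4515 filter escaping.

```python
"""Affiliation-driven entitlement and display decisions over eduPerson attributes.

Added example, not code from the CU directory project. Assumes a directory
entry fetched as {attribute: [values]}. SERVICE_MATRIX, GRACE_PERIOD and the
attributes sponsorExpires / cuEduPersonPrivacyFlag are assumptions.
"""
from datetime import date, timedelta

# Controlled vocabulary of eduPersonAffiliation (eduPerson schema).
EDU_PERSON_AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "alum", "member", "affiliate",
    "employee", "library-walk-in",
})

# Illustrative affiliation -> services matrix (assumption).
SERVICE_MATRIX = {
    "student": {"email", "lab", "library", "idcard"},
    "faculty": {"email", "lab", "library", "idcard", "dir-list"},
    "staff": {"email", "library", "idcard", "dir-list"},
    "alum": {"email"},                   # "email for life"
    "affiliate": {"email", "library"},   # sponsored entries, expire per sponsor
}
GRACE_PERIOD = timedelta(days=30)        # assumption
SAMPLE_TODAY = date(2004, 2, 5)          # a date during the workshop
AFTER_GRACE = date(2004, 4, 1)


def _values(entry, attr):
    """Values of an attribute as a list; LDAP attributes are multi-valued."""
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)


def affiliation_state(entry, today):
    """'active', 'grace' or 'expired' from the hypothetical sponsorExpires
    attribute (YYYYMMDD). Entries without it never expire here."""
    raw = _values(entry, "sponsorExpires")
    if not raw:
        return "active"
    exp = date(int(raw[0][:4]), int(raw[0][4:6]), int(raw[0][6:8]))
    if today <= exp:
        return "active"
    if today <= exp + GRACE_PERIOD:
        return "grace"
    return "expired"


def entitlements(entry, today):
    """Union of services over affiliations in the controlled vocabulary.
    Values outside it (e.g. 'vendor') grant nothing; an expired entry gets
    nothing; an entry in its grace period keeps only email."""
    state = affiliation_state(entry, today)
    if state == "expired":
        return set()
    services = set()
    for aff in _values(entry, "eduPersonAffiliation"):
        if aff in EDU_PERSON_AFFILIATIONS:
            services |= SERVICE_MATRIX.get(aff, set())
    if state == "grace":
        services &= {"email"}
    return services


def display_allowed(entry, today):
    """May the entry appear in white pages: not suppressed (FERPA directory-
    information opt-out, modelled by cuEduPersonPrivacyFlag) and still
    carrying a live, vocabulary-conformant affiliation."""
    if _values(entry, "cuEduPersonPrivacyFlag") == ["TRUE"]:
        return False
    return affiliation_state(entry, today) != "expired" and bool(
        set(_values(entry, "eduPersonAffiliation")) & EDU_PERSON_AFFILIATIONS)


def escape_filter_value(value):
    """RFC 4515 escaping, so a user-supplied uid cannot rewrite the filter
    a directory-enabled application sends for its affiliation check."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def affiliation_check_filter(uid, affiliation):
    """Search filter for 'does uid hold this affiliation?'."""
    if affiliation not in EDU_PERSON_AFFILIATIONS:
        raise ValueError("not in controlled vocabulary: %r" % affiliation)
    return "(&(uid=%s)(eduPersonAffiliation=%s))" % (
        escape_filter_value(uid), affiliation)


# Constructed sample entries (not real directory data).
STUDENT_EMPLOYEE = {"uid": ["jdoe"], "eduPersonAffiliation": ["student", "staff"],
                    "eduPersonPrimaryAffiliation": ["student"],
                    "cuEduPersonCampus": ["Boulder"]}
SPONSORED_VENDOR = {"uid": ["vend01"], "sponsorExpires": ["20040131"],
                    "eduPersonAffiliation": ["affiliate", "vendor"]}  # 'vendor' is not vocabulary
SUPPRESSED_STUDENT = {"uid": ["quiet"], "eduPersonAffiliation": ["student"],
                      "cuEduPersonPrivacyFlag": ["TRUE"]}

if __name__ == "__main__":
    for e in (STUDENT_EMPLOYEE, SPONSORED_VENDOR, SUPPRESSED_STUDENT):
        print(e["uid"][0], affiliation_state(e, SAMPLE_TODAY),
              sorted(entitlements(e, SAMPLE_TODAY)), display_allowed(e, SAMPLE_TODAY))
    print(affiliation_check_filter("*)(uid=*", "student"))
```

Two points worth noting: the grace period is deliberately separate from the yes/no matrix, because removing an affiliation (slide 27) is where access changes silently and a policy needs to say what survives and for how long; and the vocabulary check rejects values such as "vendor" before they reach either the matrix or a search filter, which is what a controlled vocabulary buys you.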

22 Issue: Directory Policy
http://www.colorado.edu/its/directoryservices/documents/policy.html
Establishes:
  – Directory Governance;
  – Official Data Sources (the information systems from which the Directory will extract its data, create entries, and update entries, and upon which it will base its reconciliation);
  – Directory Inclusion (categories of people who will be included in the CU-Boulder Directory);
  – Directory Use (privacy requirements; who may have authenticated access to the Directory; who may pull data from the directory and for what purposes; and who must use the Directory)

23 Policy: Mandatory Use
Mandatory Directory Usage: All CU-Boulder campus-specific systems implemented after the advent of the Directory must be directory-enabled if affiliation check, authorization or enterprise data is required by the newly implemented campus system. “Directory enablement” means using the Directory for determining affiliation, authentication, authorization, or for data reference.

24 Steering Becomes Governance
Post-deployment issues:
  – Prioritization of new development (if needed)
  – Review of data use requests and requests for new data (e.g. class photo rosters)
  – End-user (application) access to the Registry database
  – But mostly: Identity Management

25 Identity Management Policy
Establishes:
  – Trusted sources of identity data;
  – “Sponsored” affiliation type (note: different from “sponsored” identity);
  – Acceptable protocols for managing identity data;
  – Triggers for removal of identity;
  – Operational procedures related to identity

26 Identity Management
Other identity management issues contemplated by the DGB:
  – “Local” vs. “Enterprise” identity data: application-specific extensions to the directory
  – Groups, roles, and delegated administration
  – Services for expanded sets of affiliates, e.g. applicants and retired faculty
  – Non-person identities

27 Governance: What’s Ahead
More and bigger identity management issues:
  – Reversing the data flow: getting new or changed directory data back into the source system
  – Large classes of potential service consumers who aren’t in a source system: alumni (vanity e-mail address), former students (transcript requests), faculty/staff spouses (calendar viewing)
  – Better processes for removing/changing affiliation (which can have a profound effect on access to services)
  – Multi-campus identities and federated management between campuses and external to the University

28 What We Would Do Differently
A mistake: the DGB does not have any direct control over funding

29 Governance Summary
- Early is good; it elevates important issues out of the technical realm
- Ensure authority to establish policy and generate action by including those who already have authority
- Embrace the massive scope of identity management

30 Agenda (section divider: Directory Management)

31 Management?
Is it a product, a project, or a mature, operational service?
  – No opportunity to have controlled releases
  – No finite set of objectives
  – Minimal ability to create a routine “service fulfillment” process

32 Management vs. Operations
Operations:
  – Monitoring for availability and performance
  – Backups and replication
  – Log file monitoring
  – Dealing with exceptions generated during various load processes (may require escalation)
  – Upgrading and patching software and platform components
Management:
  – Prioritization and oversight of directory-related projects
  – Primary interface to the DGB
  – Consulting with customers
  – Policy compliance
  – Data stewardship
  – Communication and promotion
  – Contribute to, but not ultimately accountable for, strategic positioning and architecture

33 Directory Management Pitfalls
By nature, it becomes reactive:
  – Source systems or data subject to change due to drivers unrelated to the directory or identity management
  – New laws and regulations to comply with
  – Requests for new data or new uses of data come with twists, and at a rate much faster than the DGB can properly address them
  – Multiple competing business drivers make prioritization difficult

34 The Solution: Pass the Buck
- Use the DGB for prioritization when appropriate
- Make it the duty of the DGB to resolve even tough issues in a timely manner
- Integrate AuthN/AuthZ tools with delegated administration into directory services, e.g. commercial identity and access management software
- The Directory is too flexible a framework: build a portal, or even two

35 Oh Yeah, and a Competent Manager
Job requirements:
  – Ability to fully grasp the complexities of the data and systems involved
  – Ability to influence the DGB
  – Skilled project manager
  – Skilled customer manager
  – Willing to carry the weight of the world
And try not to burden them with a lot of operational details

36 Management: What’s Ahead
Laundry list of projects from our Directory Manager:
- faculty welcome basket: rosters, course lists, key requests, ITS account requests, etc.
- ISO number included for business school integration
- self-update
- birthday message
- add physical location to the directory
- directory-enable legacy applications: athletics ticketing, faculty information system, ASPupload, mailing services, iVote, parking services, housing, Norlin, rec center, Wardenburg, math mods, applied math
- replace MetaMerge
- sponsored entry: individual and batch entry
- direct update to AD
- directory-enable email for life
- directory-enable the account (de)provisioning process
- on-going involvement: WebCal, WebCT, cuConnect, IFS, EFL, account provisioning
- grace periods / deprovisioning
- multiple uuid programming: correct duplicate entries
- directory-enable Chinook electronic reserves
- integrate UCD
- integrate CS, HSC
- employee privacy policy
- more robust directory logging and stats
- include departmental listings in the directory
- develop archiving plan
- email / send mail
- system registration?
- printed directory

37 What We Would Do Differently
- Better separation of directory management and operations functions; clearly define the role of Directory Manager. (We are in the process of fixing this.)

38 Directory Management Summary
- Management and operations are different functions
- Understand the importance of having a good directory manager and keeping the DGB engaged
- Directory management issues are often identity management issues. Address the source of the issue.

39 Agenda (section divider: Open Discussion / Q & A)

