University of Michigan MCommunity Project

advertisement
University of Michigan
MCommunity Project
Liz Salley (salley@umich.edu)
Product Manager, Michigan Administrative Information Services
Luke Tracy (ltracy@umich.edu)
MCommunity Co-Technical Lead, Information Technology Central
Services
http://www.itcs.umich.edu/mcommunity/
1
Project Overview
•
•
•
Who’s in, who’s out. MCommunity will allow the University to know who is
and is not a member of the U-M community so that central University
offices, departments, schools, colleges, and campuses can grant and remove
access to online resources as needed and appropriate.
Managed data for managed access. It will provide identity management,
roles management, data sharing and reconciliation, and directory services
for U-M. It will bring together data from multiple institutional sources and
will organize, present, and secure the data in a way that is particularly well
suited to managing access to University resources.
A collaborative effort. Planning for, and development of, MCommunity is a
collaborative effort across U-M IT units and across the many units that will
use the new system.
2
Project Overview
•
•
One-stop directory shop. MCommunity will provide units and end users
with a "one-stop directory shop" for provisioning of services, access control,
and directory-enabled applications.
Robust tools. It will provide a robust set of tools that include/enable:
– Identity and life-cycle management
– Real-time provisioning of central IT resources
– Real-time provisioning of local IT resources
– Clearly defined and documented programming interfaces
– Auditing system
– Integrated workflow
3
Current Legacy Environment
•
•
•
•
•
For limited purposes. Directory Services purposed for white pages and
e-mail delivery.
Weekly updates. Directory Services updated from Systems of Record
weekly.
Home-grown ID management. Home-grown identity management based on
NetID/LoginID management.
Data not purposed for provisioning. Institutional data sources not purposed
for IT provisioning.
Central provisioning home-grown. Home-grown provisioning system for
central IT services.
4
Problem Statements
•
•
•
•
Multiple data sources. Most units need to go to multiple data sources to
obtain information they need; there is a lack of a common data
management strategy.
Slow updates. Currently, data feeds do not arrive quickly enough to fully
automate access provisioning or de-provisioning campus-wide.
Time-consuming to get access. Going through existing “official” channels to
provision access for members of the extended University community,
including guests, faculty with very short appointments, volunteers, etc., is
very time-consuming and unrealistic.
Manual processes. Many units still use manual processes to create identities
or allocate resources.
5
Problem Statements
•
•
•
•
•
Inconsistent data, duplicated effort. Storing user information locally can
create data inconsistencies and, in many cases, causes duplication of effort.
Many departments keep their own copies of data that are less current or
accurate than authoritative sources.
Difficult to use. Existing authoritative data sources are difficult to use, and it
is difficult to gain access to them.
Local control wanted. Units demand local control of access to IT services.
Consolidation needed. Institutional sources of identity data need to be
consolidated into a central identity management system.
Better life cycle management needed. Consistent and predictable life cycle
management practices are needed.
6
Data & Governance: Beginnings
•
•
•
Data policies in place. U-M has long-standing policies and a structure for
institutional data stewardship and management.
http://www.mais.umich.edu/access/policies.html
Unique ID in place. Existing IdM systems are already using a single,
institutional Net ID (U-M "uniqname") and non-social security number ID
(UMID).
One person = one uniqname = one UMID
Single ERP system in place. Student Administration (SA) and HRMS systems
of record have already been transitioned from many separate mainframe
applications to a single, integrated PeopleSoft ERP system.
7
Data & Governance: Convening a Team
•
•
•
Early input from stakeholders. MCommunity Governance Board convened
before project was funded. Membership includes:
– Institutional data managers for student, employee, and alumni data
– IT directors and managers from representative schools, colleges, health
system, and libraries
– IdM project leads from central IT units (Luke and Liz)
Pre-implementation phase. Two-hour meetings, twice per month, for 8
months. Established high-level scope and vision; assisted enormously in
building our business case and estimating the project timeline and costs.
Implementation phase. Two-hour meetings, once or twice per month, for 16
months. Continued to guide high-level scope and vision, as well as make
detailed implementation decisions.
8
Data & Governance: Key Outcomes
•
Strong vs. weak identities
– Vocabulary: How do we talk to campus about what this means?
– Minimum data standards
– Identity lifecycle
– Real-life business cases
9
Data and Governance: Key Outcomes
•
Authority and accountability
– How do we enforce standards in a highly decentralized environment?
– System enforcement vs. guidelines and best practices
– Decentralized authority and accountability to ensure guidelines and
best practices are followed
– Resources for IT directors
– See “MCommunity Sponsoring Authority Policies and Agreement”
http://www.itcs.umich.edu/itcsdocs/r1460/
10
MCommunity Project Architecture
11
MCommunity Project Architecture
•
•
•
•
•
Live data feed from Human Resources and main campus Student System of
Record.
Nightly updates from remote campus Student Systems of Record.
Nightly updates from Development/Alumni System of Record.
New Sponsor System for creating and managing identities for sponsored
affiliates, people who are affiliated with the University but who do not
appear in any of the official University Systems of Record.
– Sponsored affiliates include, for example, conference attendees,
contractors, incoming faculty who need access to U-M resources before
the hiring process is complete, and others.
– Support for both strong and weak identities.
All person data from above systems fed into a secure person registry.
12
MCommunity Project Architecture
•
•
•
•
•
Inside the person registry. Real-time identity matching and reconciliation,
institutional data precedence rules, data normalization, regulatory privacy
policy, and identity lifecycle processing occurs in the person registry.
Exception handling. Workflow system is utilized for exception handling.
In real time. Distilled identities are populated and maintained in the
directory in real-time.
In the directory. Institutional Roles, User Groups, Departmental Roles, and
departmental attributes exist in the directory.
One stop for IT provisioning. Directory functions as the one-stop directory
shop for IT provisioning.
13
MCommunity Project Architecture
•
•
•
Real-time bi-directional provisioning tools facilitate central and
departmental IT provisioning.
Full LDAP access provided through a replica of the directory to facilitate
business-rule verification prior to committal to directory.
All components of MCommunity are instrumented for central auditing and
logging, enabling event correlation and incident response.
14
Reflections on Progress So Far
•
•
•
•
•
•
Implications of our vendor solution:
– Up until now, we have mostly used open source and home-grown
products to meet the extensive customization needs of the diverse U-M
community.
– Customizing a vendor solution has brought with it staffing and cultural
issues that we are addressing and learning from.
Expectations of magic
Scope creep
Introduction of project management methodology
Enterprise vs. commodity service
Systems programmers becoming enterprise developers
15
Download