RICE UX & BA REPORT - INPUT FROM INSIDE & OUTSIDE THE KUALI COMMUNITY
Candace Soderston & Matt Sargent
Collab team meeting
December 12, 2011

STAFF FROM 16 UNIVERSITIES RESPONDED TO A USER EXPERIENCE SURVEY BEFORE KUALI DAYS 2011

Workflow Survey (7 universities)
Iowa State University
Michigan State University
University of California, Berkeley
University of Hawaii
* University of Connecticut
* University of Maryland
* University of Washington

IdM Survey (12 universities)
Lehigh University
MIT
Ohio Northern University
University of Southern California
* University of Connecticut
* University of Maryland
* University of Washington
+ Carleton College
+ Duke University
+ Rensselaer Polytechnic Institute
+ University of Iowa
+ University of Saskatchewan

Note: * Same person from UConn, 2 different people from UMD & UW. 18 respondents total.
+ = 5 universities outside the Kuali community

TYPES OF IMPROVEMENTS WANTED?
% of people rating "Extremely Important to Improve" (Workflow, IDM): 33%, 17%, 25%, 50%, 38%, 25%
• Improved functionality
• Improved access to the functionality (GUI, scripting, widget)
• Improved error messaging & documentation

Workflow Creation and Management Survey - Results
[Quadrant chart. X axis: frequency, from Lower Frequency (1=never) to Higher Frequency (7=daily); average frequency x = 3.67. Y axis: importance to improve, from Lower Importance to improve (0=not in top 10) to Higher Importance to improve (10=top ranked); average importance y = 3.67.]
Quadrant labels: Differentiation Opportunity Quadrant; Strategic Opportunity Quadrant; Lower attention or upcoming paradigm shift?; Keep Pace
Tasks plotted (x, y):
• Define, update, delete a business rule (3.57, 5.13)
• Find information or function (3.86, 5.13)
• Install workflow tools or customize set up (3.63, 5.13)
• Set up rules for a department or team, different from others (2.43, 4.88)
• Define, update, delete routing rule (3.71, 4.63)
• Create / update / delete users' identities (4.43, 4.38)
• Import / sync Identity data (3.86, 4.0)
• Define, update, delete a node, graph, or workflow (3.57, 3.88)
• Create an alternate or delegate (4.29, 3.75)
• Delegate some control to user self-service (2.71, 3.38)
• Edit/check code syntax (3.86, 2.88)
• Define, update, delete a document type (3.57, 2.25)
• Restart approval processing (3.43, 2.13)
• Add approver to list for a doc (3.57, 2.13)
• Create / update groups, roles, lists (4.57, 1.38)

Workflow - Most important requirement?
• Ease of use (6):
• Ease of use
• Ease of use
• Ease of use and not overly complex to end users
• End user self-service to design, test and deploy end-to-end solution
• Flexible and easy to use
• Flexibility and inherited relationships
• Rapid development systems.
• We need to map workflow responsibilities to roles that are constrained by organization code and level within organization code and then have the workflow engine understand how to route based upon rules that can be organization specific. Short way of saying we want awesome KEW integration with KRMS and KOM (and KIM of course) --- with ability to override any/all services specific.

WHAT DO YOU LIKE LEAST ABOUT THE TOOLS YOU USE TODAY TO CREATE AND MANAGE WORKFLOWS?
• I'm the one who has to do the extending
• Too many different tools that don't integrate well with each other
• Lack of visual tools for designing and displaying workflows
• Lack of documentation, limited community expertise
• It doesn't have an integration with a text editor or IDE. It provides two HTML boxes to code in JavaScript. I have worked around it by doing a copy paste, and working with a text editor
• I don't like managing xml using an xml editor, which in my eclipse is like a glorified text editor. But I guess there's no GUI to create or manage workflows available so I'm stuck doing it this way

Missing tasks?
• User support - assist users in how to accomplish tasks, answer workflow questions.
• Workflow troubleshooting (4):
• Workflow troubleshooting - stalled routes, missing approvers, etc.
• Statistics and reporting - provide numbers for different types of workflow tasks, volumes, etc.
• Check on status of submitted user identity info
• Search for documents - I do this frequently as I check on the routing status of items.
• (Explanation of choices) anything to do with identities, roles and permissions (including delegation) is handled outside of the workflow systems. (Better interoperability)

Additional things you'd like to do but can't today?
• Design a workflow either visually (preferred) and/or in combination with a wizard tool that guides an end user/BA thru the workflow definition process (nodes, roles, rules, etc.) and then automagically creates the necessary inputs to the workflow runtime engine.
• Centralized authorizations, additional attributes and roles besides primary
• More nuanced classification of delegates - in some cases would like to be able to have both the delegate and the person in the role get emails and see items in their action lists. In other cases would like the primary to get them and then the delegate to get notification after X time has passed.

(OPTIONAL) WHAT QUESTIONS ABOUT YOUR WORKFLOW CREATION AND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOT ASK, THAT YOU WISH WE DID? (AND WHAT WOULD BE YOUR ANSWER TO THESE!)
• Q: What technical skill level should be required to build/manage workflow?
• A: Non technical for basic workflow and highly technical only for complex workflow solutions

Facets of Identity Management

IdM - Most important requirement?
Within Kuali community:
• open standards
• good documentation and getting started guides
• The ability to customize it to meet the needs of our business practices and work flows
• Clean service interfaces
• Identity merge/match functionality is the most important capability
• Federation
Outside Kuali community:
• Ease of access from other systems using standard protocols
• Ease of getting setup and going.
Match to our existing functionality
• Improved functionality over existing system - migration must be a step forward - moving backwards or even sidewise in function is a lose
• Ability to de/provision flexibly and reliably in heterogeneous systems based on rich business rules defined in the solution
• Workflow that is easy to maintain, in which complex logic can be embedded, and where the steps can invoke either interactions with people or with agents

WHAT DO YOU LIKE MOST ABOUT YOUR TOOLS?
Within the Kuali community:
• Open source
• Flexible. Efficient. Supportable by a small team. Based on open standards.
• CAS, kerberos and ldap are industry standards and work well with our open source applications.
• supports consortial operations; Shibboleth is a standard with wide support
• We use university NETIDs everywhere, it's great to have a common username across all university services
• Centralizing process of assigning roles and determining resources based on this assignment.
• The matching logic integrated into the university's ID assignment process. The structure and simplicity of the Roles Service
Outside the Kuali community:
• They meet our specific needs. We can make changes as needed
• The flexibility of our tools is fairly good, we have a lot of different things to use for different tasks at our disposal.
• Good fit for our needs
• We are able to express the fairly complex logic that goes into managing identities, roles and access permissions.
• Ability to get canonical identity information from official University sources; ease of configuration of Spring-LDAP module

WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS?
Within Kuali community:
• homegrown solutions are limited and outdated and need to be replaced
• LDAP is not equal to IdM
• Not well documented and therefore reliant on a few experts
• complex environment which is difficult to debug
• Changing the web interface is not easy.
We have a lot of real estate used for built-in fields we don't use
• There is no centralized storage for users and no way to share files in a native drive-letter mapped way that leverages NETID and university groups membership
• Batch (nightly) feeds for most data integration (except university ID and Roles which are real time services). Too many ways to authenticate... (1) X509 personal certificates, (2) Kerberos user name & Password, (3) Touchstone's internal account creation. Difficult for non-core (i.e. departmental) applications to plug into these services so they often don't bother to.

WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS? (CONT)
Outside Kuali Community:
• Some of it is written in dated technologies. We do not have enough resources to catch up on some needed changes
• Some older tools need revision, some task areas poorly supported.
• Sometimes there are multiple sources of information for the same identity; interface I have to Grouper is difficult to use
• Implementation of business rules in multiple systems is a huge problem.
• Would like to have the bulk of the rules implemented in just one place. The (lack of) interconnectedness of our tools causes difficulty in making any kind of change.
• We don't have a great way to enforce access management broadly other than with Active Directory groups, thus we have a problem with token size due to the huge number of groups in AD. Some kind of policy/enforcement management engine (XACML?) would probably help.

Do These Results Represent You?
(cont)
Current Tasks - Frequency
6.42  Export/Import/Synchronize identity data with other…
5.83  Provision users
5.42  Add or update a person, group or role and the…
5.00  Set up access for a particular department or team…
5.00  Edit / check code syntax
4.67  Identify and resolve duplication of registry records
4.33  Install and customize tools and templates that help…
4.33  Manage web access
4.08  Set up tools that administer the automatic granting…
(AVERAGE SCORE = 4.02)
3.42  Manage federated identities
3.08  Manage a self-service function, enabling self-…
3.08  Explore - find information or functions offered by…
2.92  Create a single registry for persons and non-persons
1.67  Track, audit and report adherence to local and…
1.08  Manage smart tokens, public key operations,…

WHAT OTHER TASKS ARE YOU NOT ABLE TO DO TODAY THROUGH THE IDM TOOLS THAT YOU WISH YOU COULD?
Within Kuali community:
• Automated user account provisioning
• We currently have limited password maintenance and security question functionality with the off the shelf product. We have created our own system for handling this to be in compliance with our security policies.
• Two things:
  • Delegate authorizations (our tools don't do that)
  • Impersonate people for testing and debugging
• Three things:
  - generate reports from lists of university NETIDs
  - centralized storage for individuals and groups, based on university NETID and the university group service
  - Allow the Support Org members to manage the storage of a person in the NETID domain that is under their umbrella
Outside Kuali community:
• Automating the creation and management of non-person objects. (And … More of a feature than a task) Better detection of, and recovery from, the temporary inability to contact a remote resource.

(OPTIONAL) WHAT QUESTIONS ABOUT YOUR IDM CREATION AND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOT ASK, THAT YOU WISH WE DID? (AND WHAT WOULD BE YOUR ANSWER TO THESE!)
Outside Kuali community:
• Federation and other related: We are running a locally developed, mature IdM system. Being able to take feeds from, and provide feeds to other systems is very important. Ability to manage roles, and delegate control based on roles is key to our success.
• Life cycle management of "guests" is very important, as well as being able to accommodate deficiencies in enterprise systems (i.e. - our HR/Payroll system does not have an accurate "end date" for employees - we have an employee "overlay" on the data feed from banner to correct this).

Q & A?