RICE UX & BA REPORT: INPUT FROM INSIDE & OUTSIDE THE KUALI COMMUNITY
Candace Soderston & Matt Sargent
Collab team meeting
December 12, 2011
STAFF FROM 16 UNIVERSITIES RESPONDED TO A USER
EXPERIENCE SURVEY BEFORE KUALI DAYS 2011
Workflow Survey (7 universities)
Iowa State University
Michigan State University
University of California, Berkeley
University of Hawaii
* University of Connecticut
* University of Maryland
* University of Washington
IdM Survey (12 universities)
Lehigh University
MIT
Ohio Northern University
University of Southern California
* University of Connecticut
* University of Maryland
* University of Washington
+Carleton College
+Duke University
+Rensselaer Polytechnic Institute
+University of Iowa
+University of Saskatchewan
Note: * Same person from UConn, 2 different people from UMD & UW. 18 respondents total.
+ = 5 universities outside the Kuali community
TYPES OF IMPROVEMENTS WANTED?
[Bar chart: % of people rating "Extremely Important to Improve", Workflow vs. IDM, across three categories: Improved functionality; Improved access to the functionality (GUI, scripting, widget); Improved error messaging & documentation. Bar values in extracted order: 33%, 17%, 25%, 50%, 38%, 25%.]
Workflow Creation and Management Survey - Results
[Quadrant chart. X axis: frequency, from Lower Frequency (1=never) to Higher Frequency (7=daily); average frequency x=3.67. Y axis: importance to improve, from Lower Importance (0=not in top 10) to Higher Importance (10=top ranked); average importance y=3.67. Quadrant labels: Differentiation Opportunity Quadrant; Strategic Opportunity Quadrant; Lower attention or upcoming paradigm shift?; Keep Pace.]
Tasks plotted as (frequency, importance):
• Define, update, delete a business rule (3.57, 5.13)
• Find information or function (3.86, 5.13)
• Install workflow tools or customize set up (3.63, 5.13)
• Set up rules for a department or team, different from others (2.43, 4.88)
• Define, update, delete routing rule (3.71, 4.63)
• Create / update / delete users’ identities (4.43, 4.38)
• Import / sync Identity data (3.86, 4.0)
• Define, update, delete a node, graph, or workflow (3.57, 3.88)
• Create an alternate or delegate (4.29, 3.75)
• Delegate some control to user self-service (2.71, 3.38)
• Edit/check code syntax (3.86, 2.88)
• Define, update, delete a document type (3.57, 2.25)
• Restart approval processing (3.43, 2.13)
• Add approver to list for a doc (3.57, 2.13)
• Create / update groups, roles, lists (4.57, 1.38)
Workflow - Most important requirement?
• Ease of use (6):
• Ease of use
• Ease of use
• Ease of use and not overly complex to end users
• End user self-service to design, test and deploy end-to-end solution
• Flexible and easy to use
• Flexibility and inherited relationships
• Rapid development systems.
• We need to map workflow responsibilities to roles that are constrained by organization code and level within organization code and then have the workflow engine understand how to route based upon rules that can be organization specific. Short way of saying we want awesome KEW integration with KRMS and KOM (and KIM of course) --- with ability to override any/all services specific.
WHAT DO YOU LIKE LEAST ABOUT THE TOOLS YOU USE TODAY TO CREATE AND MANAGE WORKFLOWS?
• I'm the one who has to do the extending
• Too many different tools that don't integrate well with each other
• Lack of visual tools for designing and displaying workflows
• Lack of documentation, limited community expertise
• It doesn't have an integration with a text editor or IDE. It provides two HTML boxes to code in JavaScript. I have worked around it by doing a copy paste, and working with a text editor
• I don't like managing xml using an xml editor, which in my eclipse is like a glorified text editor. But I guess there's no GUI to create or manage workflows available so I'm stuck doing it this way
Missing tasks?
• User support - assist users in how to accomplish tasks, answer
workflow questions.
• Workflow troubleshooting (4):
• Workflow troubleshooting - stalled routes, missing approvers,
etc.
• Statistics and reporting - provide numbers for different types of
workflow tasks, volumes, etc.
• Check on status of submitted user identity info
• Search for documents - I do this frequently as I check on the
routing status of items.
• (Explanation of choices) anything to do with identities, roles and
permissions (including delegation) is handled outside of the
workflow systems. (Better interoperability)
Additional things you’d like to do but can’t today?
• Design a workflow either visually (preferred) and/or in combination with a wizard tool that guides an end user/BA thru the workflow definition process (nodes, roles, rules, etc.) and then automagically creates the necessary inputs to the workflow runtime engine.
• Centralized authorizations, additional attributes and roles besides primary
• More nuanced classification of delegates - in some cases would like to be able to have both the delegate and the person in the role get emails and see items in their action lists. In other cases would like the primary to get them and then the delegate to get notification after X time has passed.
(OPTIONAL) WHAT QUESTIONS ABOUT YOUR WORKFLOW CREATION AND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOT ASK, THAT YOU WISH WE DID?
(AND WHAT WOULD BE YOUR ANSWER TO THESE!)
• Q: What technical skill level should be required to build/manage workflow?
• A: Non technical for basic workflow and highly technical only for complex workflow solutions
Facets of Identity Management
IdM - Most important requirement?
Within Kuali community:
• open standards
• good documentation and getting started guides
• The ability to customize it to meet the needs of our business practices and work flows
• Clean service interfaces
• Identity merge/match functionality is the most important capability
• Federation
Outside Kuali community:
• Ease of access from other systems using standard protocols
• Ease of getting setup and going. Match to our existing functionality
• Improved functionality over existing system - migration must be a step forward - moving backwards or even sidewise in function is a lose
• Ability to de/provision flexibly and reliably in heterogeneous systems based on rich business rules defined in the solution
• Workflow that is easy to maintain, in which complex logic can be embedded, and where the steps can invoke either interactions with people or with agents
WHAT DO YOU LIKE MOST ABOUT YOUR TOOLS?
Within the Kuali community:
• Open source
• Flexible. Efficient. Supportable by a small team. Based on open standards.
• CAS, Kerberos and LDAP are industry standards and work well with our open source applications.
• supports consortial operations; Shibboleth is a standard with wide support
• We use university NETID's everywhere, it's great to have a common username across all university services
• Centralizing process of assigning roles and determining resources based on this assignment.
• The matching logic integrated into the university’s ID assignment process. The structure and simplicity of the Roles Service
Outside the Kuali community:
• They meet our specific needs. We can make changes as needed
• The flexibility of our tools is fairly good, we have a lot of different things to use for different tasks at our disposal.
• Good fit for our needs
• We are able to express the fairly complex logic that goes into managing identities, roles and access permissions.
• Ability to get canonical identity information from official University sources; ease of configuration of Spring-LDAP module
WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS?
Within Kuali community:
• homegrown solutions are limited and outdated and need to be replaced
• LDAP is not equal to IdM
• Not well documented and therefore reliant on a few experts
• complex environment which is difficult to debug
• Changing the web interface is not easy. We have a lot of real estate used for built-in fields we don't use
• There is no centralized storage for users and no way to share files in a native drive-letter mapped way that leverages NETID and university groups membership
• Batch (nightly) feeds for most data integration (except university ID and Roles which are real time services).
• Too many ways to authenticate... (1) X509 personal certificates, (2) Kerberos user name & Password, (3) Touchstone's internal account creation. Difficult for non-core (i.e. departmental) applications to plug into these services so they often don't bother to.
WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS? (CONT)
Outside Kuali Community:
• Some of it is written in dated technologies. We do not have enough resources to catch up on some needed changes
• Some older tools need revision, some tasks areas poorly supported.
• Sometimes there are multiple sources of information for the same identity; interface I have to Grouper is difficult to use
• Implementation of business rules in multiple systems is a huge problem.
• Would like to have the bulk of the rules implemented in just one place. The (lack of) interconnectedness of our tools causes difficulty in making any kind of change.
• We don't have a great way to enforce access management broadly other than with Active Directory groups, thus we have a problem with token size due to the huge number of groups in AD. Some kind of policy/enforcement management engine (XACML?) would probably help.
Do These Results Represent You? (cont)
Current Tasks - Frequency
[Bar chart, sorted by score; AVERAGE SCORE = 4.02]
6.42  Export/Import/Synchronize identity data with other…
5.83  Provision users
5.42  Add or update a person, group or role and the…
5.00  Set up access for a particular department or team…
5.00  Edit / check code syntax
4.67  Identify and resolve duplication of registry records
4.33  Install and customize tools and templates that help…
4.33  Manage web access
4.08  Set up tools that administer the automatic granting…
3.42  Manage federated identities
3.08  Manage a self-service function, enabling self-…
3.08  Explore - find information or functions offered by…
2.92  Create a single registry for persons and non-persons
1.67  Track, audit and report adherence to local and…
1.08  Manage smart tokens, public key operations,…
WHAT OTHER TASKS ARE YOU NOT ABLE TO DO TODAY THROUGH THE IDM TOOLS THAT YOU WISH YOU COULD?
Within Kuali community:
• Automated user account provisioning
• We currently have limited password maintenance and security question functionality with the off the shelf product. We have created our own system for handling this to be in compliance with our security policies.
• Two things:
- Delegate authorizations (our tools don't do that)
- Impersonate people for testing and debugging
• Three things:
- generate reports from lists of university NETID’s
- centralized storage for individuals and groups, based on university NETID and the university group service
- Allow the Support Org members to manage the storage of a person in the NETID domain that is under their umbrella
Outside Kuali community:
• Automating the creation and management of non-person objects. (And … More of a feature than a task) Better detection of, and recovery from, the temporary inability to contact a remote resource.
(OPTIONAL) WHAT QUESTIONS ABOUT YOUR IDM CREATION AND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOT ASK, THAT YOU WISH WE DID?
(AND WHAT WOULD BE YOUR ANSWER TO THESE!)
Outside Kuali community:
• Federation and other related: We are running a locally developed, mature IdM system. Being able to take feeds from, and provide feeds to other systems is very important. Ability to manage roles, and delegate control based on roles is key to our success.
• Life cycle management of "guests" is very important, as well as being able to accommodate deficiencies in enterprise systems (i.e. - our HR/Payroll system does not have an accurate "end date" for employees - we have an employee "overlay" on the data feed from Banner to correct this).
Q & A?