3 Nov 2003, A. Vandenberg ©
Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA
Georgia State University
Case Study of A Person Registry
Art Vandenberg
Director, Advanced Campus Services
Georgia State University
“Copyright Art Vandenberg 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.”
Person Registry to Campus Directory
• Enterprise “directory architecture”
• Synchronizes data from different sources
• Provisions data to other applications
• A view of “authoritative sources” data
• Resolves identity
• Supports authentication & authorization
– (directly, indirectly…)
Supported by: NMI Middleware components
Critical Success Factors
• Top level sponsorship – CIO
• Steering Group – CIO + IT Directors
• Working groups – data stewards, technical
• Stepwise approach, let it evolve
• Take advantage of opportunity
– Student email was a prime driver in early 2001
– New Rec Center was showcase opportunity: how to provide automated access... synchronized with campus onecard
– WebCT, Campus Directory, Library feeds, email groups, check advice via email…
Supported by: Roadmap components
NMI Components We Used
• Internet2 Middleware – http://middleware.internet2.edu/
– Site, lists, working groups
– Good overview and starting point, generally accessible
– Introduces schema issues
– “Hey, whoa, this is exactly what we’re facing…!!”
• Identifiers, authentication, authorization, synchronization
• [Tim Howes: Understanding and Deploying LDAP Directory Services (2nd Edition, Addison-Wesley, 2003)]
LDAP Recipe
eduPerson schema
Metadirectory Practices for Enterprise Directories in HE
We Had (Too Many) Solutions
[Diagram labels]
Source systems: Alumni, Student, Financial, HR/PR, Sponsored Research
Applications and requests: Student email, Student Rec Center, OneCard, WebCT class rolls, Email lists, Open Record requests, ElementK access, College request for data load (x3), Library, Staff email
LDAP Directory ??
(We Needed) person registry
[Diagram labels]
Inputs: Staff data, Student data
PERSON REGISTRY: Name, ID, Address, Phone… Title, Department, College, Dept, Major, Course, Term
Outputs: WebCT class rolls, Campus directory, Student Rec Center access
Supported by: Metadirectory Practices… (and R.L. “Bob” Morgan)
Person Registry: Synchronizes
• HR/PPS feed nightly
– (name, title, phone, department…)
• Student feed nightly
– (name, college, dept, major, course…)
• Rec Center Affiliates being added
– (name, sponsor, paid status…)
• Resolves into a single Person Registry core record
– Effectively provides cross-walk back to source ERP systems
Supported by: Metadirectory Practices…
Person Registry: Provisions
• Student email (PR assigns)
– Sends nightly updates to Novell Netmail (LDAP)
• Student Rec Center gate access (via PantherCard)
– Sends nightly update on eligibility (rec fee paid) to card office
• WebCT (PR provides course enrollment feeds)
• Library
– Sends periodic updates on eligibility
• Banner (passes back student email assigned by registry…)
• Campus Directory
– Nightly update of faculty, staff, student, affiliates, retirees...
Supported by: Metadirectory Practices…
Business Rules: authoritative sources
• Basic Principle of authoritative sources
– KEY: data stewards involved Day 1 (or earlier)
• Employee data has precedence over student
– Establish campus policy
• Merge identity data to one person record
• Data stewards address policy issues
– FERPA requires access control
• Person registry is also authoritative source
– Email, PantherCard id, library barcode, campusId
– it’s about identity management
Supported by: Metadirectory Practices for Enterprise Directories in Higher Education
Ongoing results…
• Campus Directory (classic LDAP recipe issues)
– online January 18, 2003
• Self-service Profile Manager (metadirectory enabled)
– Select CampusId, set pw, set Email routing
• Campus communication (metadirectory enabled)
– email (not postal) for payroll/check advices
– Leave balances, check & deposit history online (bonus benefit)
• Student Email groups in progress (SAGE group editing?)
– working groups engaged (College reps, technical, policy…)
– automated standard groups (if N = #people, 2^N = possible groups)
– employee groups in queue (objects in mirror appear closer than…)
Georgia State Campus Directory
Novell eGuide provides rich interface:
– Compound Boolean searches
– Find: All, Employee, Student, Affiliate, Retired, other
– String Match options
Supported by: LDAP recipe, eduPerson, Metadirectory…
Georgia State Campus Directory...
HR data: Name, Dept, Phone, Mailstop
Affiliations are “calculated”; eduPersonAffiliation attributes
Person registry data: CampusID, email, eduPersonPrincipalName
Supported by: eduPerson, Metadirectory… (provisioning, identifiers)
Georgia State Campus Directory...
Student Data: Robinson College of Business
gsuPersonCollege
Current Policy limits directory data for students. IF FERPA invoked, NO student data at all
Student Affiliation added; however eduPersonPrimaryAffiliation set to employee due to precedence Business rule
Supported by: eduPerson, LDAP recipe (access control)
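The merge, precedence and FERPA rules from the Business Rules and Campus Directory slides, worked through as an added example (not Georgia State's code). The feed layout, the `match_key` and `ferpa` fields, the mapping to `cn`, `ou` and `telephoneNumber`, and the choice to hide the student affiliation of an employee who invokes FERPA are assumptions.

```python
# Added illustration: feed layout, match_key and the sample rows are constructed.
EMPLOYEE, STUDENT = "employee", "student"
PRECEDENCE = [EMPLOYEE, STUDENT]  # business rule: employee data wins over student

HR_FEED = [{"match_key": "k1", "name": "Pat Q. Example", "dept": "Library",
            "phone": "555-0100"}]
STUDENT_FEED = [
    {"match_key": "k1", "name": "Pat Example", "ferpa": False,
     "college": "Robinson College of Business"},
    {"match_key": "k2", "name": "Sam Sample", "ferpa": True,
     "college": "Arts and Sciences"},
]

def merge_feeds(hr_rows, student_rows):
    """Resolve nightly feed rows into one core record per person."""
    registry = {}
    for source, rows in ((EMPLOYEE, hr_rows), (STUDENT, student_rows)):
        for row in rows:
            rec = registry.setdefault(row["match_key"], {"sources": {}})
            rec["sources"][source] = row  # cross-walk back to the source system
    for rec in registry.values():
        rec["affiliations"] = [a for a in PRECEDENCE if a in rec["sources"]]
        # Apply lowest precedence first so employee values overwrite student ones.
        for source in reversed(rec["affiliations"]):
            for field, value in rec["sources"][source].items():
                if field not in ("match_key", "ferpa"):
                    rec[field] = value
        rec["primary"] = rec["affiliations"][0]
        rec["ferpa"] = rec["sources"].get(STUDENT, {}).get("ferpa", False)
    return registry

def directory_entry(rec):
    """Public directory view of one record; None means publish nothing."""
    visible = [a for a in rec["affiliations"]
               if not (a == STUDENT and rec["ferpa"])]
    if not visible:
        return None  # FERPA invoked by a student-only person: no entry at all
    entry = {"cn": rec["name"], "eduPersonAffiliation": visible,
             "eduPersonPrimaryAffiliation": rec["primary"]}
    if EMPLOYEE in visible:
        entry["ou"], entry["telephoneNumber"] = rec["dept"], rec["phone"]
    if STUDENT in visible:
        entry["gsuPersonCollege"] = rec["sources"][STUDENT]["college"]
    return entry
```

Filtering at publication time rather than at merge time keeps the registry record complete for provisioning while the directory view stays within policy.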
Georgia State Online Advice View
Identity Management: Unique identifier for everyone at Georgia State
Middleware makes it possible (metadirectory architecture = legacy HR/PR on web!)
Supported by: LDAP recipe (ids, authentication, pw management)
Georgia State Online Advice View…
Provides link to Student refunds
History Data!
Application enabled by: NMI Middleware infrastructure
Georgia State Profile Manager
Key Concept: Identity management involves user. Provide the means for users to manage their electronic profile.
Concept by: NMI Middleware
Georgia State Profile Manager…
Default options: Designate Target In-Box, Change Password
Other options available to Helpcenter or others (cf. General Access Menu)
Everyone can use eduPersonPrincipalName for email (it’s mapped to Target in-box)
Key function: Email follows NMI Middleware Recommendation for eduPersonPrincipalName
Phased Approach… and issues
• Email groups faculty/staff [personal groups?] (SAGE…)
• LDAP authentication (LDAP Recipe)
• Record added to registry at “first touch” - then pulled by SCT, Peoplesoft…!? (cf. BC metadirectory model)
– New hires become “provisional employee”
– “day one” start… “last day” stop
• More Self-service options (nickname, url, addresses…)
• Campus ID as network id
– unified name space (Metadirectory Practices for Enterprise…)
– Is the hurdle a) Technical b) Policy c) sheer effort d) All…?
• Maintaining momentum is key
Very important links
• Internet2 Middleware
– http://middleware.internet2.edu/
• Enterprise Directory Implementation Roadmap
– http://www.nmi-edit.org/roadmap/directories.html
• LDAP Recipe
– http://www.georgetown.edu/giia/internet2/ldap-recipe/
• eduPerson
– http://www.educause.edu/eduperson/
• Metadirectory Practices for Enterprise Directories in HE
– http://middleware.internet2.edu/dir/metadirectories/internet2-mace-dir-metadirectories-practices-200210.htm
Contact
Thank you
Second NMI Integration Testbed Workshop on
Experiences in Middleware Deployment
Anaheim, CA Monday November 3, 2003
8:30 am – 5:00 pm