Georgia State University Case Study of A Person Registry

Art Vandenberg
Director, Advanced Campus Services
Georgia State University
[email protected]

Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA, 3 Nov 2003

“Copyright Art Vandenberg 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.”

Person Registry to Campus Directory

• Enterprise “directory architecture”

• Synchronizes data from different sources

• Provisions data to other applications

• A view of “authoritative sources” data

• Resolves identity

• Supports authentication & authorization
  – (directly, indirectly…)

Supported by: NMI Middleware components

Critical Success Factors

• Top level sponsorship – CIO

• Steering Group – CIO + IT Directors

• Working groups – data stewards, technical

• Stepwise approach, let it evolve

• Take advantage of opportunity
  – Student email was a prime driver in early 2001
  – New Rec Center was showcase opportunity: how to provide automated access... synchronized with campus onecard
  – WebCT, Campus Directory, Library feeds, email groups, check advice via email…

Supported by: Roadmap components

NMI Components We Used

• Internet2 Middleware – http://middleware.internet2.edu/
  – Site, lists, working groups

• Good overview and starting point, generally accessible

• Introduces schema issues

• “Hey, whoa, this is exactly what we’re facing…!!”

• Identifiers, authentication, authorization, synchronization

• [Tim Howes: Understanding and Deploying LDAP Directory Services (2nd Edition, Addison-Wesley, 2003)]

LDAP Recipe

eduPerson schema

Metadirectory Practices for Enterprise Directories in HE

We Had (Too Many) Solutions

[Diagram labels: Student email, Student Rec Center, OneCard, WebCT class rolls, Email lists, Open Record requests, ElementK access, College request for data load (three times), Library, Staff email; Alumni, Student, Financial, HR/PR, Sponsored Research; LDAP Directory ??]

(We Needed) person registry

[Diagram labels: Staff data, Student data; PERSON REGISTRY (Name, ID, Address, Phone… Title, Department, College, Dept, Major, Course, Term); WebCT class rolls, Campus directory, Student Rec Center access]

Supported by: Metadirectory Practices… (and R.L. “Bob” Morgan)

Person Registry: Synchronizes

• HR/PPS feed nightly
  – (name, title, phone, department…)

• Student feed nightly
  – (name, college, dept, major, course…)

• Rec Center Affiliates being added
  – (name, sponsor, paid status…)

• Resolves into a single Person Registry core record
  – Effectively provides cross-walk back to source ERP systems

Supported by: Metadirectory Practices…

Person Registry: Provisions

• Student email (PR assigns)
  – Sends nightly updates to Novell Netmail (LDAP)

• Student Rec Center gate access (via PantherCard)
  – Sends nightly update on eligibility (rec fee paid) to card office

• WebCT (PR provides course enrollment feeds)

• Library
  – Sends periodic updates on eligibility

• Banner (passes back student email assigned by registry…)

• Campus Directory
  – Nightly update of faculty, staff, student, affiliates, retirees...

Supported by: Metadirectory Practices…

Business Rules: authoritative sources

• Basic Principle of authoritative sources
  – KEY: data stewards involved Day 1 (or earlier)

• Employee data has precedence over student
  – Establish campus policy

• Merge identity data to one person record

• Data stewards address policy issues
  – FERPA requires access control

• Person registry is also authoritative source
  – Email, PantherCard id, library barcode, campusId
  – it’s about identity management

Supported by: Metadirectory Practices for Enterprise Directories In Higher Education

Ongoing results…

• Campus Directory (classic LDAP recipe issues)
  – online January 18, 2003

• Self-service Profile Manager (metadirectory enabled)
  – Select CampusId, set pw, set Email routing

• Campus communication (metadirectory enabled)
  – email (not postal) for payroll/check advices
  – Leave balances, check & deposit history online (bonus benefit)

• Student Email groups in progress (SAGE group editing?)
  – working groups engaged (College reps, technical, policy…)
  – automated standard groups (if N = #people, 2^N = possible groups)
  – employee groups in queue (objects in mirror appear closer than…)

Georgia State Campus Directory

Novell eGuide provides rich interface:

• Compound Boolean searches

• Find: All, Employee, Student, Affiliate, Retired, other

• String Match options

Supported by: LDAP recipe, eduPerson, Metadirectory…

Georgia State Campus Directory...

HR data: Name, Dept, Phone, Mailstop

Affiliations are “calculated”; eduPersonAffiliation attributes

Person registry data: CampusID, email, eduPersonPrincipalName

Supported by: eduPerson, Metadirectory… (provisioning, identifiers)

Georgia State Campus Directory...

Student Data: Robinson College of Business, gsuPersonCollege

Current Policy limits directory data for students. IF FERPA invoked, NO student data at all

Student Affiliation added; however eduPersonPrimaryAffiliation set to employee due to precedence Business rule

Supported by: eduPerson, LDAP recipe (access control)
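
The merge, precedence and FERPA rules on the slides above, sketched as an added example (not code from the presentation or from Georgia State). The feed records are constructed, `match_key`, `source_id`, `dept` and `ferpa` are hypothetical field names, and it is an assumption here that a student who invokes FERPA and has no other affiliation gets no directory entry at all.

```python
# Added example. Feed records are constructed; match_key, source_id, dept and
# ferpa are hypothetical names. eduPerson*/gsuPersonCollege come from the slides.
PRECEDENCE = ["employee", "student"]   # business rule: employee outranks student

HR_FEED = [{"match_key": "k1", "source_id": "HR-1001",
            "name": "Pat Q. Example", "dept": "Library"}]
STUDENT_FEED = [
    {"match_key": "k1", "source_id": "STU-77", "name": "Patricia Example",
     "college": "Robinson College of Business", "ferpa": False},
    {"match_key": "k2", "source_id": "STU-78", "name": "Sam Sample",
     "college": "Robinson College of Business", "ferpa": True},
]

def merge(hr_feed, student_feed):
    """Resolve both feeds into one core registry record per person."""
    feeds = {"employee": hr_feed, "student": student_feed}
    registry = {}
    for source in reversed(PRECEDENCE):        # lowest precedence first...
        for rec in feeds[source]:
            person = registry.setdefault(
                rec["match_key"], {"affiliations": set(), "sources": {}})
            person["affiliations"].add(source)
            person["sources"][source] = rec["source_id"]  # cross-walk to the ERP
            for key, value in rec.items():     # ...so employee values overwrite
                if key not in ("match_key", "source_id"):
                    person[key] = value
    return registry

def directory_entry(person):
    """Build the published entry, or None when nothing may be published."""
    affiliations = set(person["affiliations"])
    if person.get("ferpa"):
        affiliations.discard("student")        # FERPA invoked: no student data
    if not affiliations:
        return None
    entry = {"cn": person["name"],
             "eduPersonAffiliation": sorted(affiliations),
             "eduPersonPrimaryAffiliation":
                 next(a for a in PRECEDENCE if a in affiliations)}
    if "dept" in person:
        entry["ou"] = person["dept"]
    if "student" in affiliations:
        entry["gsuPersonCollege"] = person["college"]
    return entry
```
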

Georgia State Online Advice View

Identity Management: Unique identifier for everyone at Georgia State

Middleware makes it possible (metadirectory architecture = legacy HR/PR on web!)

Supported by: LDAP recipe (ids, authentication, pw management)

Georgia State Online Advice View…

Provides link to Student refunds

History Data!

Application enabled by: NMI Middleware infrastructure

Georgia State Profile Manager

Key Concept: Identity management involves user.

Provide the means for users to manage their electronic profile.

Concept by: NMI Middleware

Georgia State Profile Manager…

Default options:

• Designate Target In-Box

• Change Password

Other options available to Helpcenter or others

cf. General Access Menu

Everyone can use eduPersonPrincipalName for email (it’s mapped to Target in-box)

Key function: Email follows

NMI Middleware Recommendation for eduPersonPrincipalName

Phased Approach… and issues

• Email groups faculty/staff [personal groups?] (SAGE…)

• LDAP authentication (LDAP Recipe)

• Record added to registry at “first touch” - then pulled by SCT, Peoplesoft…!? (cf. BC metadirectory model)
  – New hires become “provisional employee”
  – “day one” start… “last day” stop

• More Self-service options (nickname, url, addresses…)

• Campus ID as network id
  – unified name space (Metadirectory Practices for Enterprise…)
  – Is the hurdle a) Technical b) Policy c) sheer effort d) All…?

• Maintaining momentum is key

Very important links

• Internet2 Middleware
  – http://middleware.internet2.edu/

• Enterprise Directory Implementation Roadmap
  – http://www.nmi-edit.org/roadmap/directories.html

• LDAP Recipe
  – http://www.georgetown.edu/giia/internet2/ldap-recipe/

• eduPerson
  – http://www.educause.edu/eduperson/

• Metadirectory Practices for Enterprise Directories in HE
  – http://middleware.internet2.edu/dir/metadirectories/internet2-mace-dir-metadirectories-practices-200210.htm

Contact

Art [email protected]

Thank you

Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment

Anaheim, CA Monday November 3, 2003

8:30 am – 5:00 pm