History Refresher – Commissioning Statement
Establish a framework for deploying and maintaining
general purpose directory services for the University of Colorado at Boulder
within the context of the University-wide environment.
History Refresher – Goals
• Develop and implement an enterprise directory service for UCB
• Status:
– UCB enterprise directory initial phase was implemented November 5th, 2001.
– iPlanet Directory Server, running on Solaris 450 at the CC with a replicated directory instance running on a Solaris 450 at Tele.
History Refresher – Goals
• Trusted, authoritative source of data
• Status:
– The Enterprise Directory blends data from SIS, HR and Uniquid using business rules, processes and policies agreed upon by campus-wide representatives.
History Refresher – Goals
• Identity, data and relationship management
• Status:
– The Enterprise Directory offers a single entry per person reflecting all CU-related roles.
– Identity verification using Employee ID, SID, SSN, Previous SID, Name, DOB, gender
– Data population logic is based upon Steering Team-established business rules and policies
– Process determines Affiliation, Primary Affiliation and corresponding privileges.
History Refresher – Goals
• Usable by a variety of applications and services
• Status:
– Built upon LDAP standards, maximizing its potential for subsequent use.
– Apps/services currently using the directory:
  White Pages (in production)
  Printed Directory (produced Fall, 2001 edition)
  Email address source for various applications
  Calendar (pilot)
  Affiliation Verification (local to Service Center)
  Radius (proof of concept)
  Mac OS authentication (proof of concept)
  Attribute load into Active Directory (as needed)
History Refresher – Goals
• Authentication Services
• Status:
– Framework established based upon LDAP standards, eduPerson standards, and affiliation definition.
– Solution option testing is in process
Directory Structure Today
[Diagram. Labels: SIS; H/R; Uniquid; Identity Recon.; Recon report; Registry; Directory Build; UCB Directory; Central (pilot); White Pages (Nov. 5, 2001); Authentication testing; Calendaring pilot; Radius concept; MacOS AuthN pilot; Addresses; Affiliation Check; Printed Directory]
Directory and Data
• Distinct sources for distinct roles (students, employees, faculty, electronic accounts, etc.)
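• Unique identifiers for each system
• Blending together to build a CU Person
[Diagram: source systems feeding "CU Person", each labeled with the role it covers and its identifier]
– HR: fac/staff; empID
– SIS: student; SID
– FIS: faculty; SSN
– Uniquid: accounts; unix ID
– ID card: photos; ISO
– Telecom: phone locn; phone #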
Student Data
For Identity Matching:
- Student ID, Previous ID
- Name, Birth date, Gender
For Affiliation Logic, Authorization & Data Access
- Enrollment Status, Withdraw Code, Expected Return
- Fees Paid Indicator
- Privacy Flag
For Directory Publication
- Name
- Local Address and Telephone
- Major(s), Minor(s), College(s)
- Class Level
[Diagram: SIS to Registry/Directory (java)]
Faculty and Staff Data
For Identity Matching:
- Employee Number, SSN
- Name, Birth date, Gender
For Employee and Job Selection
- Job status
- Employment end date
For Directory Publication
- Name
- Campus Box and Campus Phone
- Job Department(s), Home Department
- Job Class Title(s)
- Business Title(s)
[Diagram: PSHR to Registry/Directory (sql via db link)]
Campus-Specific Data or Systems
[Diagram: campus sources to Registry/Directory (Java)]
- Telecom: Office building/room data
- FIS: Faculty Research and Degree data
- ID Card: ISO and jpeg
- Uniquid: Account & Email data (person)
Registry
[Diagram. Labels: person, email, au, job, seealso, pw, cert, activities, research, degree, orgunit, givenname, surname, cn, jobcode, affiliation, org, college, major, ucbemail, exceptions, campus]
Registry Logic
Affiliation Building - Students
• Enrollment status code = E
• Withdraw code null
• or Expected return date in the future
• Type of student affiliation is based upon Academic Unit
– Student (= “Student” affiliation)
– Continuing Ed Credit Student (= “Student” affiliation)
– Continuing Ed Non-Credit Student (= “Affiliate” affiliation)
• Campus Affiliation based upon first character of AU
Registry Logic
Affiliation Building - Employees
• Appropriate employment status code
• Appointment end date in the future
• Type of employee affiliation is based upon Job Code
– Faculty, Clinical Faculty, Research Faculty, Medical Resident, Fellowship/Trainee = “Faculty”
– Student Faculty = “Student” and “Faculty”
– Officer/Exempt Professional = “Officer/Professional” & “Staff”
– Student Employee = “Affiliate” or “Employee”
– Retiree = “Retiree” or “Affiliate”
– Staff = “staff”
• Campus Affiliation based upon first character of department code
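The student and employee rules above, written out as an added example (not the project's own code). It reads the student rule as "(enrolled with no withdraw code) or expected return in the future", takes the first value wherever the slide says "or", and uses hypothetical field names and a hypothetical active status code "A".

```python
from datetime import date

# Job category -> affiliations, as listed on the slide. Where the slide says
# "or", this example takes the first value listed (assumption).
EMPLOYEE_AFFILIATIONS = {
    "Faculty": ["Faculty"],
    "Clinical Faculty": ["Faculty"],
    "Research Faculty": ["Faculty"],
    "Medical Resident": ["Faculty"],
    "Fellowship/Trainee": ["Faculty"],
    "Student Faculty": ["Student", "Faculty"],
    "Officer/Exempt Professional": ["Officer/Professional", "Staff"],
    "Student Employee": ["Affiliate"],
    "Retiree": ["Retiree"],
    "Staff": ["Staff"],
}
STUDENT_AFFILIATIONS = {
    "Student": "Student",
    "Continuing Ed Credit": "Student",
    "Continuing Ed Non-Credit": "Affiliate",
}
ACTIVE_STATUS = {"A"}  # hypothetical code; the slide says only "appropriate"


def student_affiliation(rec, today):
    """Return (affiliation, campus_char), or None if the record does not qualify."""
    enrolled = rec.get("enroll_status") == "E" and not rec.get("withdraw_code")
    exp = rec.get("expected_return")
    returning = exp is not None and exp > today
    if not (enrolled or returning):
        return None
    aff = STUDENT_AFFILIATIONS.get(rec.get("au_type"))
    au = rec.get("au") or ""
    if aff is None or not au:
        return None  # unknown academic unit type: grant nothing rather than guess
    return aff, au[0]  # campus comes from the first character of the AU


def employee_affiliations(rec, today):
    """Return (affiliations, campus_char), or None if the record does not qualify."""
    end = rec.get("appt_end")
    if rec.get("status") not in ACTIVE_STATUS or end is None or end <= today:
        return None  # missing or past end date fails closed
    affs = EMPLOYEE_AFFILIATIONS.get(rec.get("job_category"))
    dept = rec.get("dept_code") or ""
    if affs is None or not dept:
        return None
    return list(affs), dept[0]  # campus from first character of department code
```

Both functions return None for anything they cannot classify, so a malformed source record yields no affiliation instead of a default one.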
Registry Logic
Name Building
– LastName, FirstName MiddleName
– FirstName MiddleName LastName
– FirstName LastName
– LastName FirstName
Watch for II, III, IV, Jr., Sr.
Remove spaces in the last name; build another variation
Purpose: To facilitate name searching
Build displayName
– use name associated with primaryAffiliation (employee = HR; student = SIS)
– use most current version
Directory Build Logic
• Find people in Affiliation Table
• Find corresponding records in Job Table
– Select the job data related to affiliation
• Find corresponding records in AU Table
– Select the academic unit data related to affiliation
• Find all other tables/data related to the affiliation people (person, name(s), email, etc.)
• Is person in directory? – If yes, modify. If no, create
• Is person in directory no longer affiliated? – If so, delete from directory.
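The build steps above as a create/modify/delete plan, in an added example that is not the project's Metamerge code. The table layouts and sample rows are constructed, and the mass-delete guard is an addition of this example: the delete step is what deprovisions people, so an empty or truncated Affiliation Table must not be allowed to empty the directory.

```python
# Constructed sample registry rows and directory contents (not real data).
PEOPLE = {"u1": {"cn": "Pat Example"}, "u2": {"cn": "Sam Sample"}}
AFFILIATIONS = [("u1", "Staff"), ("u2", "Student"), ("u9", "Student")]
JOBS = [("u1", "Staff", "Analyst"), ("u2", "Employee", "Grader")]
AUS = [("u2", "Student", "Physics")]
DIRECTORY = {
    "u1": {"cn": "Pat Example", "affiliation": ["Staff"], "title": ["Clerk"], "major": []},
    "u3": {"cn": "Lee Former", "affiliation": ["Student"], "title": [], "major": []},
}


def build_entries(affiliations, jobs, aus, people):
    """Join registry tables into one desired entry per affiliated person."""
    desired, exceptions = {}, []
    for pid, aff in affiliations:
        if pid not in people:
            exceptions.append(pid)  # affiliation without a person row: report it
            continue
        if pid not in desired:
            desired[pid] = dict(people[pid], affiliation=[], title=[], major=[])
        entry = desired[pid]
        entry["affiliation"].append(aff)
        # Select only the job / academic-unit rows related to this affiliation.
        entry["title"] += [t for p, a, t in jobs if p == pid and a == aff]
        entry["major"] += [m for p, a, m in aus if p == pid and a == aff]
    return desired, exceptions


def plan_sync(desired, directory, max_delete_fraction=0.2):
    """Return (creates, modifies, deletes); refuse a suspiciously large delete."""
    creates = {p: e for p, e in desired.items() if p not in directory}
    modifies = {p: e for p, e in desired.items()
                if p in directory and directory[p] != e}
    deletes = sorted(p for p in directory if p not in desired)
    if directory and len(deletes) / len(directory) > max_delete_fraction:
        raise RuntimeError("refusing to delete %d of %d entries"
                           % (len(deletes), len(directory)))
    return creates, modifies, deletes
```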
Directory
[Diagram: object classes and their attributes]
– person: cn, description, seeAlso, sn, telephoneNumber, userPassword
– organizationalPerson: facsimileTelephoneNumber, ou, physicalDeliveryOfficeName, postalAddress, street, st, postalCode, l, postOfficeBox, preferredDeliveryMethod, title
– inetOrgPerson: o & departmentNumber, displayName, givenName, employeeNumber, employeeType, homePhone, homePostalAddress, jpegPhoto & labeledURI, mail, uid, mobile & pager, roomNumber, userCertificate
– eduPerson: affiliation, jobClassification, nickName, orgDN, orgUnitDN, primaryAffiliation, principalName, schoolCollegeName
– cuEduPerson: uuid, au, activities & research, alternateContact, campus, degreeInstitution & Year, employmentStartDate, Expertise, feesIndicator, highestDegree, homeDepartment, ISO, major, minor, class, Privacy, SID, SSN
Directory Uses – Queries
Anonymous query controls:
- Search based on name & variations (cn)
- Server controls “max” returns (80)
- Access Controls to ensure:
  No display of privacy-enacted students
  No display of employee home phone/address
- Public data displayed:
  Student local phone/address
  Student major, minor, college, class
  Faculty/staff office phone/address, title, department
  Email address, URL
[Diagram. Labels: Directory; LDAP query; Tomcat/cocoon; Apache; White Pages; Address Book]
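The anonymous query controls above as a default-deny attribute filter, in an added example that is not the directory server's actual access-control configuration. Attribute names come from the schema slide; which attribute carries each published field, hiding a privacy-flagged person who also holds another affiliation, and the sample entries are assumptions of this example.

```python
MAX_RETURNS = 80  # server-enforced cap from the slide

# Allow-list of attributes an anonymous client may see, per affiliation.
# Which attribute holds each published field is an assumption of this example.
COMMON = {"cn", "displayName", "mail", "labeledURI"}
PUBLIC = {
    "Student": {"telephoneNumber", "postalAddress", "major", "minor", "class",
                "schoolCollegeName"},
    "Faculty": {"telephoneNumber", "postalAddress", "title", "homeDepartment"},
    "Staff": {"telephoneNumber", "postalAddress", "title", "homeDepartment"},
}

# Constructed sample entries (not real data).
SAMPLE = [
    {"cn": ["Pat Example", "Example, Pat"], "affiliation": ["Staff"],
     "mail": "pat@example.edu", "title": "Analyst",
     "homePhone": "555-0199", "SSN": "000-00-0000"},
    {"cn": ["Sam Example"], "affiliation": ["Student"], "Privacy": True,
     "major": "Physics"},
]


def anonymous_view(entry):
    """Return the publishable subset of an entry, or None to hide it entirely."""
    affs = set(entry.get("affiliation", []))
    if "Student" in affs and entry.get("Privacy"):
        return None  # privacy-enacted student: no display at all
    allowed = set(COMMON)
    for aff in affs:
        allowed |= PUBLIC.get(aff, set())
    # Default deny: homePhone, homePostalAddress, SID, SSN, userPassword never match.
    return {k: v for k, v in entry.items() if k in allowed}


def anonymous_search(entries, name):
    """Substring match on any cn variation, filtered and capped at MAX_RETURNS."""
    needle = name.strip().lower()
    hits = []
    for entry in entries:
        if needle and any(needle in cn.lower() for cn in entry.get("cn", [])):
            view = anonymous_view(entry)
            if view is not None:
                hits.append(view)
        if len(hits) >= MAX_RETURNS:
            break
    return hits
```

Because the filter is an allow-list, sensitive attributes that the schema stores alongside public ones (SID, SSN, ISO, userPassword) stay hidden even if a new attribute is added to the entry later.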
Directory Uses – Applications
Directory and application extensions:
- Authenticated application
  - Currently login ID and password
  - Moving to identikey authN, application-based authZ.
- Access to directory based on application rights
- Use standard directory attributes (name, email)
- Extend directory attributes (preferences)
- Use application-specific attributes (schedule)
[Diagram. Labels: Directory; Calendar; Caldb]
Directory Uses – Authorization
Directory and authorization for services/resources:
- Request resource
- Authenticate (you are who you say you are)
- Authorize (you can do what you want to do)
- Determine affiliation (faculty, staff, student, etc.)
- Pass affiliation to requested service/resource
- Pass additional attributes as needed by application
[Diagram. Labels: User Request; Login server; authN; Directory; Digital Service/Resource]
Directory Structure Phase 2
[Diagram. Labels: SIS; H/R; Uniquid; ID Card (ISO/jpg); Tele (bldg/rm); Identity Recon.; Recon report; Registry; Directory Build; UCB Directory; Central (pilot); Central Dir.; Data verification; Birthday Message; Account Mgt Project; Initiate Send Mail project; Sponsor Create; Attribute update; Radius pilot; Calendaring pilot; White Pages; Printed Directory; Authentication test; Authentication Implementation; Affil Ck; Email Addresses]
Project Contacts
• Project Manager, Paula Vaughan, Paula.Vaughan@colorado.edu
• Directory Manager, Melinda Jones, Melinda.Jones@colorado.edu
• Project Web Page: http://www.Colorado.EDU/committees/DirectoryServices/ or from the UCB - ITS home page (“About ITS” → “Projects & Initiatives” → “Architecture and Infrastructure Initiatives”)
Directory and Data
[Diagram: data flow from the source systems through the Registry to the UCB Enterprise Directory. Flow labels: Java Extract (twice), SQL calls, PL/SQL]
Sources:
- SIS, current term enrolled students data: Student ID, Name, Birthdate, Gender, Privacy Flag, Local Address, Local Phone, Major(s)/Minor(s), College(s), Class Level, Enrollment Status, Withdraw Code, AU & Term, Expected Return
- PeopleSoft HR, Faculty/Staff current appointments: Employee ID, SSN, Name, Birthdate, Gender, Office Address, Office Phone, Home Department, Roster Department, Job Class, Business Title, Job Status Code, Appointment End Date
- Uniquid, UCB=ITS accounts: CUID, login name, email home, email rewrite address, home page URL
Registry Update Process:
- Identity Matching (SID, EmplID, Name, DOB, Gender)
- Data creation & update
- Affiliation Determination
- Common Name build
- Display Name build
Registry (Oracle 8.1.7.1)
Exception Reports
Directory Build Process:
- Metamerge & Java Script
- Create, Update & Delete
- UCB Affiliates
- Directory-specific attributes (person, orgperson, inetorgperson, eduPerson, cuEduPerson)
UCB Enterprise Directory