Sunday, October 15, 2006

EDUCAUSE2006: Matt Campbell

When Account Management Is Not Enough: Identity at RIT
Matt Campbell, Sr. Infrastructure Engineer, Rochester Institute of Technology

Starting point: far more accounts than people, many users with multiple accounts, and no cleanup. The identifier was the SSN, since "everyone has one", except that international students don't and some people refuse to give theirs; those were issued placeholder numbers starting with 999, which people then couldn't remember.

What they had to work with: AD, LDAP, Kerberos, Samba, etc. One user interface (user-driven, theoretically kept in sync), but behind the scenes many different accounts.

Wanted real-time access to the student system and HR; no offline update mode (the HR people do want one!).

New system: standardized protocols, now SOAP. Switched to a subscription-only model: the system sends XML documents that match a module's subscription. Modules come in two types, real-time (blocking) and pick-up (non-blocking). Pick-up is good for antiquated systems (e.g. HR/financial, the student module) that can't provide web services, but they give up the return of results (he prefers real time), which means data has to be kept around until it is verified.
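The two delivery modes described above, as an added example. This is not RIT's CLAWS code: the event name, the XML layout, the in-memory queue and the stand-in AD subscriber are assumptions made for the illustration. A real-time subscriber runs inline and its result goes back to the publisher; a pick-up subscriber's document is parked until that module fetches it and confirms it was applied, which is the retention cost the notes mention.

```python
"""Subscription-model dispatch with real-time (blocking) and pick-up
(non-blocking) modules. Added example, not RIT's CLAWS code; the event
names, XML layout and in-memory queue are assumptions."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def build_document(event, fields):
    """Render one identity event as an XML document (assumed layout)."""
    root = ET.Element("identity-event", type=event)
    for name, value in fields.items():
        ET.SubElement(root, "field", name=name).text = value
    return ET.tostring(root, encoding="unicode")


class Hub:
    def __init__(self):
        self.realtime = defaultdict(list)  # event -> [(module, callback)]: called inline
        self.pickup = defaultdict(list)    # event -> [module]: documents are queued instead
        self.pending = defaultdict(dict)   # module -> {doc_id: xml}, kept until acknowledged
        self._next_id = 0

    def subscribe_realtime(self, event, module, callback):
        self.realtime[event].append((module, callback))

    def subscribe_pickup(self, event, module):
        self.pickup[event].append(module)

    def publish(self, event, fields):
        """Deliver one event. Real-time subscribers run now and their results
        come back to the caller; pick-up subscribers get the document parked
        in their queue, where it stays until they fetch and confirm it."""
        doc = build_document(event, fields)
        results = {}
        for module, callback in self.realtime[event]:
            results[module] = callback(doc)  # blocking: a failure is visible immediately
        for module in self.pickup[event]:
            self._next_id += 1
            self.pending[module][self._next_id] = doc
        return results

    def pick_up(self, module):
        """Non-blocking side: hand over copies; nothing is removed yet."""
        return dict(self.pending[module])

    def acknowledge(self, module, doc_id, applied):
        """Only a confirmed apply frees the document; an unconfirmed one stays
        queued, which is the 'keep data around until verified' cost."""
        if applied:
            self.pending[module].pop(doc_id, None)
        return len(self.pending[module])


def ad_provision(doc):
    """Stand-in real-time subscriber: parse the document and report its action."""
    root = ET.fromstring(doc)
    fields = {f.get("name"): f.text for f in root.findall("field")}
    return f"provisioned {fields['uid']} as {fields['affiliation']}"


def demo():
    """Constructed walk-through: one real-time and one pick-up subscriber."""
    hub = Hub()
    hub.subscribe_realtime("affiliation.added", "ad", ad_provision)
    hub.subscribe_pickup("affiliation.added", "hr-mainframe")
    results = hub.publish("affiliation.added", {"uid": "u1234", "affiliation": "employee"})
    queued = hub.pick_up("hr-mainframe")
    (doc_id, _), = queued.items()
    still_pending = hub.acknowledge("hr-mainframe", doc_id, applied=False)
    freed = hub.acknowledge("hr-mainframe", doc_id, applied=True)
    return results, len(queued), still_pending, freed


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the point: the publisher learns the outcome of the AD step at once, while the mainframe's copy sits in `pending` until the module confirms it, so a pick-up module that never acknowledges leaves identity data accumulating in the hub.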

Duplicate prevention:
Existing identities are scored on how well they match a new addition; if the best score is above a threshold, the add is denied. Very few false positives (usually siblings or spouses).
Affiliation is the most important attribute: student, alumni, employee, library patron. Any identity lacking an affiliation is purged from the system; identity-system security is closely tied to affiliation.
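The duplicate-prevention scoring above, as an added example rather than RIT's CLAWS code. The attributes, weights, the 0.7 threshold and the sample records are assumptions chosen to illustrate the approach; the one detail taken from the notes is that placeholder 999 numbers carry no identity evidence and so are never compared.

```python
"""Threshold-based duplicate detection for an identity registry. Added
example, not RIT's CLAWS code; attributes, weights, threshold and sample
records are assumptions."""

WEIGHTS = {"ssn": 0.60, "dob": 0.20, "last": 0.10, "first": 0.10}
THRESHOLD = 0.70


def _norm(value):
    return (value or "").strip().casefold()


def _real_ssn(ssn):
    """Placeholder numbers issued to people without an SSN (the 999... kind)
    carry no identity evidence, so they are never compared."""
    return bool(ssn) and not ssn.startswith("999")


def score(candidate, existing):
    """Weighted sum of matching attributes; 1.0 means every attribute agrees."""
    total = 0.0
    if _real_ssn(candidate.get("ssn")) and _real_ssn(existing.get("ssn")):
        if candidate["ssn"] == existing["ssn"]:
            total += WEIGHTS["ssn"]
    for attr in ("dob", "last", "first"):
        value = _norm(candidate.get(attr))
        if value and value == _norm(existing.get(attr)):
            total += WEIGHTS[attr]
    return round(total, 2)


def check_add(candidate, registry, threshold=THRESHOLD):
    """Return (denied, best_score, matched_id). The add is denied when any
    existing identity scores at or above the threshold."""
    best_id, best = None, 0.0
    for ident in registry:
        s = score(candidate, ident)
        if s > best:
            best_id, best = ident["id"], s
    return best >= threshold, best, best_id


# Constructed sample registry (not real data).
REGISTRY = [
    {"id": "I-1", "first": "Alex", "last": "Rivera", "dob": "1987-03-02", "ssn": "123456789"},
    {"id": "I-2", "first": "Sam", "last": "Rivera", "dob": "1987-03-02", "ssn": "999000001"},
]

# Same person re-submitted by another feed with sloppy casing and whitespace.
RETURNING = {"first": "alex ", "last": "RIVERA", "dob": "1987-03-02", "ssn": "123456789"}
# Alex's twin: shared surname and birth date, own SSN, different first name.
TWIN = {"first": "Jordan", "last": "Rivera", "dob": "1987-03-02", "ssn": "987654321"}

if __name__ == "__main__":
    print("returning:", check_add(RETURNING, REGISTRY))
    print("twin:", check_add(TWIN, REGISTRY))
```

The twin scores 0.3 against both Riveras and is admitted; the re-submitted Alex scores 1.0 and is denied. Siblings and spouses are exactly the records that share surname, address or birth date, so tightening the threshold to catch more duplicates raises precisely the false positives the talk described.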

Integration with account management: accounts are linked to the new university ID, so removing the authorizing affiliation results in automatic removal of the account. This allows much more granular account-level access restrictions.

Accounts are deactivated for 6 months before deletion (and can't be used during this time).
Technical challenges: duplicate prevention, efficiency, security, legacy mainframe app integration.
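The affiliation-driven lifecycle from the last three points (purge identities with no affiliation, deactivate accounts whose authorizing affiliation is gone, delete after the six-month hold), as an added example and not RIT's CLAWS code. The record shapes, the calendar-month computation of the hold, and the sample identities and accounts are assumptions.

```python
"""Affiliation-driven account lifecycle. Added example, not RIT's CLAWS code;
record shapes, the calendar-month retention arithmetic and the sample data
are assumptions."""
from datetime import date

RETENTION_MONTHS = 6


def add_months(d, months):
    """Calendar-month arithmetic without third-party libraries (clamps the day
    to 28 so every resulting month is valid)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    return date(year, month, min(d.day, 28))


def reconcile(identities, accounts, today):
    """One pass of the lifecycle rules:
    - an identity with no affiliation left is purged;
    - an account whose authorizing affiliation is present stays active;
    - an account whose authorizing affiliation is gone is deactivated (dated);
    - an account deactivated for the retention period is deleted.
    Returns (purged identity ids, surviving accounts)."""
    affiliations = {i["id"]: set(i["affiliations"]) for i in identities}
    purged = [uid for uid, affs in affiliations.items() if not affs]
    surviving = []
    for acct in accounts:
        acct = dict(acct)  # do not mutate the caller's records
        authorized = acct["authorized_by"] in affiliations.get(acct["identity"], set())
        if authorized:
            acct["status"], acct["deactivated_on"] = "active", None
        elif acct["status"] == "active":
            acct["status"], acct["deactivated_on"] = "deactivated", today
        elif today >= add_months(acct["deactivated_on"], RETENTION_MONTHS):
            continue  # hold period over: account deleted, not carried forward
        surviving.append(acct)
    return purged, surviving


def can_log_in(acct):
    """Deactivated accounts still exist but cannot be used."""
    return acct["status"] == "active"


# Constructed sample data (not real records).
IDENTITIES = [
    {"id": "I-1", "affiliations": ["student"]},
    {"id": "I-2", "affiliations": []},            # no affiliation left: to be purged
    {"id": "I-3", "affiliations": ["employee"]},  # still here, but no longer a student
]
ACCOUNTS = [
    {"login": "u1", "identity": "I-1", "authorized_by": "student",
     "status": "active", "deactivated_on": None},
    {"login": "u2", "identity": "I-2", "authorized_by": "student",
     "status": "active", "deactivated_on": None},
    {"login": "u3", "identity": "I-3", "authorized_by": "student",
     "status": "deactivated", "deactivated_on": date(2006, 3, 1)},
]


def demo(today_iso="2006-10-15"):
    """Run one reconciliation and return plain values for inspection."""
    purged, surviving = reconcile(IDENTITIES, ACCOUNTS, date.fromisoformat(today_iso))
    logins = [(a["login"], a["status"], can_log_in(a)) for a in surviving]
    deactivated_dates = [a["deactivated_on"].isoformat() for a in surviving if a["deactivated_on"]]
    return purged, logins, deactivated_dates


if __name__ == "__main__":
    print(demo())
```

Note what happens to `u3`: its owner is still an employee, but the account was authorized by the student affiliation, so once the six-month hold from its March deactivation has passed it is deleted even though the identity survives. That is the granular, per-account authorization the notes describe, as opposed to keeping every account alive while any affiliation remains.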

Bigger issues: a moving requirements target; sample data that didn't represent production data; customers unable or unwilling to modify the business processes that produce bad data; data possessiveness. Fix this first: people should fix their own data!

Open source: CLAWS released under the GPL at claws.rit.edu, in Subversion. RIT-centered at this time, but anxious to take patches and updates from others.
