EDUCAUSE2006: Matt Campbell
When Account Management Is Not Enough: Identity at RIT
Matt Campbell, Sr. Infrastructure Engineer, Rochester Institute of Technology
Had many more accounts than students: multiple accounts per person, no cleanup. Used SSN as the identifier since "everyone has one", except international students, people who don't want to give it, etc.; issued fake SSNs starting w/ 999, but people then don't remember them.
What we had to work with: AD, LDAP, Kerberos, Samba, etc.; one user interface (user driven, theoretically kept in sync) but behind the scenes many different accounts.
Wanted to do real-time access w/ the student system and HR; no ability to have an offline update mode (HR people do want this!)
New system: standardized protocols, now SOAP; switched to a subscription-only model that sends XML documents matching a module's subscription. Modules come in two types: real-time (blocking) and pick-up (non-blocking). Pick-up is good for antiquated systems (e.g. HR, financial, student module) that can't provide web services, but they give up a return of results (he prefers real-time), which means keeping data around until verified.
Duplicate prevention:
Identities are scored on how well they match new additions; if the score is above a threshold, the add is denied. Very few false positives (usually siblings, spouses).
Affiliation is the most important attribute (student, alumni, employee, library patron): any identity lacking an affiliation is purged from the system; identity system security is closely tied to affiliation.
Integration w/ acct mgmt: accounts linked to the new university ID; removing the authorizing affiliation results in automatic removal of the account, which allows much more granular account-level access restrictions.
Deactivate for 6 months before deleting the account (can't be used during this time).
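The two rules in the notes above (duplicate scoring with a denial threshold; affiliation-driven account removal with a deactivation window before deletion) sketched as a small model. This is an added example, not code from claws or RIT: the attribute weights, the 0.70 threshold, the 182-day window and the sample records are constructed for illustration.

```python
"""Added illustration of identity-registry rules: duplicate scoring with a
denial threshold, and affiliation-driven deprovisioning. All weights, the
threshold and the sample records below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed weights: contribution of each matching attribute to the score.
WEIGHTS = {"last_name": 0.25, "first_name": 0.15, "dob": 0.30, "national_id": 0.30}
DENY_THRESHOLD = 0.70                       # constructed: at/above this, the add is denied
DEACTIVATION_WINDOW = timedelta(days=182)   # "6 months" of deactivation before deletion


@dataclass
class Identity:
    uid: str                      # the university ID the accounts are linked to
    attrs: dict
    affiliations: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)   # account name -> authorizing affiliation
    deactivated_on: Optional[date] = None


def match_score(new: dict, existing: dict) -> float:
    """Score 0..1 for how well a proposed record matches an existing identity.
    Attributes missing on either side are skipped rather than counted as a miss."""
    score = 0.0
    for attr, weight in WEIGHTS.items():
        a, b = new.get(attr), existing.get(attr)
        if a is None or b is None:
            continue
        if str(a).strip().lower() == str(b).strip().lower():
            score += weight
    return round(score, 2)


def check_duplicate(new: dict, registry: list) -> tuple:
    """Return (denied, best_matching_uid, best_score) for a proposed addition."""
    best_uid, best = None, 0.0
    for ident in registry:
        s = match_score(new, ident.attrs)
        if s > best:
            best_uid, best = ident.uid, s
    return best >= DENY_THRESHOLD, best_uid, best


def remove_affiliation(ident: Identity, affiliation: str) -> list:
    """Drop an affiliation and every account it authorized; return the removed accounts."""
    ident.affiliations.discard(affiliation)
    removed = sorted(a for a, auth in ident.accounts.items() if auth == affiliation)
    for a in removed:
        del ident.accounts[a]
    return removed


def lifecycle_step(ident: Identity, today: date) -> str:
    """Return 'active', 'deactivated' (no affiliation, inside the window) or 'purge'."""
    if ident.affiliations:
        ident.deactivated_on = None          # a restored affiliation reactivates
        return "active"
    if ident.deactivated_on is None:
        ident.deactivated_on = today         # start the 6-month clock
        return "deactivated"
    if today - ident.deactivated_on >= DEACTIVATION_WINDOW:
        return "purge"
    return "deactivated"


def can_authenticate(ident: Identity) -> bool:
    """Deactivated identities cannot be used even though they still exist."""
    return ident.deactivated_on is None and bool(ident.accounts)


# Constructed sample registry.
REGISTRY = [
    Identity("u1", {"first_name": "Ann", "last_name": "Lee",
                    "dob": "1985-04-02", "national_id": "999-00-0001"},
             {"student"}, {"annl": "student"}),
]
# Same person, name typed slightly differently: denied as a duplicate.
RESUBMIT = {"first_name": "Anne", "last_name": "Lee",
            "dob": "1985-04-02", "national_id": "999-00-0001"}
# A sibling shares the surname only: allowed, since the score stays low.
SIBLING = {"first_name": "Bo", "last_name": "Lee",
           "dob": "1988-01-09", "national_id": "999-00-0002"}

if __name__ == "__main__":
    print(check_duplicate(RESUBMIT, REGISTRY))
    print(check_duplicate(SIBLING, REGISTRY))
    ann = REGISTRY[0]
    print(remove_affiliation(ann, "student"), lifecycle_step(ann, date(2006, 10, 1)))
    print(lifecycle_step(ann, date(2007, 4, 2)))
```

The score skips attributes absent on either side, which matters for records without an SSN (the 999-prefixed placeholders in the notes would otherwise match each other spuriously if they collided). Deprovisioning is driven entirely by affiliation: dropping the authorizing affiliation removes the account immediately, the identity then sits deactivated and unusable for the window, and only after that is it purged.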
Technical challenges: duplicate prevention, efficiency, security, legacy mainframe app integration.
Bigger issues: moving requirements target; sample data didn't represent production data; customers unable or unwilling to modify business processes that produce bad data; data possessiveness. Fix this first! People should fix their own data!
Open source: claws released under GPL at claws.rit.edu; Subversion; RIT-centered at this time, but anxious to take patches and updates from others.