University of Michigan MCommunity Project

Liz Salley (salley@umich.edu)Product Manager, Michigan Administrative Information

ServicesLuke Tracy (ltracy@umich.edu)

MCommunity Co-Technical Lead, Information Technology Central Services

http://www.itcs.umich.edu/mcommunity/

11

Project Overview• Who’s in, who’s out. MCommunity will allow the University to know who is

and is not a member of the U-M community so that central University offices, departments, schools, colleges, and campuses can grant and remove access to online resources as needed and appropriate.

• Managed data for managed access. It will provide identity management, roles management, data sharing and reconciliation, and directory services for U-M. It will bring together data from multiple institutional sources and will organize, present, and secure the data in a way that is particularly well suited to managing access to University resources.

• A collaborative effort. Planning for, and development of, MCommunity is a collaborative effort across U-M IT units and across the many units that will use the new system.

22

Project Overview• One-stop directory shop. MCommunity will provide units and end users

with a "one-stop directory shop" for provisioning of services, access control, and directory-enabled applications.

• Robust tools. It will provide a robust set of tools that include/enable:– Identity and life-cycle management– Real-time provisioning of central IT resources– Real-time provisioning of local IT resources– Clearly defined and documented programming interfaces– Auditing system– Integrated workflow

33

MCommunity Project Architecture

44

MCommunity Project Architecture• Live data feed from Human Resources and main campus Student System of

Record.• Nightly updates from remote campus Student Systems of Record.• Nightly updates from Development/Alumni System of Record.• New Sponsor System for creating and managing identities for sponsored

affiliates, people who are affiliated with the University but who do not appear in any of the official University Systems of Record.– Sponsored affiliates include, for example, conference attendees,

contractors, incoming faculty who need access to U-M resources before the hiring process is complete, and others.

– Support for both strong and weak identities.• All person data from above systems fed into a secure person registry.

55

MCommunity Project Architecture• Inside the person registry. Real-time identity matching and reconciliation,

institutional data precedence rules, data normalization, regulatory privacy policy, and identity lifecycle processing occurs in the person registry.

• Exception handling. Workflow system is utilized for exception handling.• In real time. Distilled identities are populated and maintained in the

directory in real-time.• In the directory. Institutional Roles, User Groups, Departmental Roles, and

departmental attributes exist in the directory.• One stop for IT provisioning. Directory functions as the one-stop directory

shop for IT provisioning.

66

MCommunity Project Architecture• Real-time bi-directional provisioning tools facilitate central and

departmental IT provisioning.• Full LDAP access provided through a replica of the directory to facilitate

business-rule verification prior to committal to directory.• All components of MCommunity are instrumented for central auditing and

logging, enabling event correlation and incident response.

77

MCommunity 2009 TimelineEarly 2009• The new MCommunity online directory will be made available• Programmatic access to the Sponsor System• LDAP access to MCommunity for U-M system administrators • Uniqname self-registration for sponsored affiliatesMid 2009• MCommunity departmental roles managementLate 2009• ITCS will begin to use MCommunity to provision its Basic

Computing Packagehttp://www.itd.umich.edu/mcommunity/roadmap/

88

MCommunity 2009 TimelineEarly 2009 (con’t)• The new MCommunity online directory will be made available.

For most members of the U-M community, this will be the visible debut of MCommunity. There will be changes in how people look up people and group entries, how they modify their own entries, and how they create and manage groups. There will also be changes in what information is available to the general public and to members of the University community.

• The U-M Online Directory will remain available behind the scenes for some time so that departments can transition their systems to access MCommunity instead.

99

MCommunity 2009 TimelineEarly 2009 (con’t)• Programmatic access to the Sponsor System will allow

units to begin to transition their applications that interact with uniqname now to working with MCommunity. This access will likely be provided via a consumable web service. Command-line access will also be provided.

• LDAP access to MCommunity will be made available to U-M system administrators.

1010

MCommunity 2009 TimelineEarly 2009 (con’t)• Uniqname self-registration for sponsored affiliates will

be added to the Sponsor System. This will allow sponsored individuals to select a uniqname and password themselves via a web interface. This will be similar to the uniqname self-registration process already available to new staff, new Ann Arbor students, and alumni. Minor changes to the uniqname self-registration process for staff and students may be required.

1111

MCommunity 2009 TimelineMid 2009• MCommunity will introduce a tool that departments can use

for departmental role management in MCommunity. Late 2009• ITCS will begin to use MCommunity to provision its Basic

Computing Package, as well as some other campus services. After that, MCommunity will offer a way for departments to do their own service provisioning through MCommunity.

1212

Questions?

1313