
Current Data Provisioning Overview

Thoughts on HR/PPS Integration

Notes from December 7, 2011 HR/PPS Deep Dive with UCLA

From: Albert Wu
To: UCIDM-L
Subject: UCLA's update from the Oracle HR/PPS deep dive


Hi all,

I am writing to provide a quick update on our conversations with the Oracle consultants during our deep dive session this past Tuesday:

Overall, we reiterated UCTrust's desire to establish a common IDM data provisioning interface. There were several items of interest:

SAML 2 -

Oracle emphasized that the IDPs need to be SAML 2 compliant. UCLA just upgraded to Shibboleth 2/SAML 2, but this requirement may trigger work for some UC campuses.

InCommon Silver -

We discussed the possibility of the HR/PPS project requiring InCommon Silver certification from the IDPs. It seems that they are leaning toward adopting it to satisfy the credentialing/security requirements from the project. That means for wave 1 schools, we have a high priority project on our hands. At the same time, it does provide a convincing use case and an opportunity to collaborate with the functional side to move the project forward.

Data Provisioning -

During our conversation, I heard that Oracle's preference is to establish one master data delivery channel per campus. It is then up to the campus to figure out how to distribute data to the downstream systems. We should follow up with Oracle on this. Besides the fact that systems within our campuses have different abilities to consume data, I am not sure the campuses all have the ability to organize in time to receive data in this manner without making some serious architectural compromises. My worst fear is that Oracle ends up either sending us a massive flat file feed each day, or simply creating a massive database to let the campus query. That may be expedient, but probably does little to advance our capability to perform real-time data provisioning across the IDM space.

Identity Matching -

During our session, we made it clear that UCLA needs HR/PPS to be able to perform identity record matching and conflict resolution against our IDM system at identity creation time in HR/PPS. UCLA has long had the ability to reconcile student and employee records at ID creation time. We do not wish to lose that ability. Oracle is researching how that might be done.

Medical Center IDM -

This may or may not be unique to UCLA: UCLA Health Sciences has its own IDM practices. Even though nearly 80% of the Health Sciences employees have UCLA Logon IDs (therefore can sign in via Shibboleth), they tend not to think of that ID as their main "SSO" ID. Since everyone is signing in via Shibboleth, we are going to need to work with our Health Sciences HR and IT people to devise a plan to evangelize UCLA Logon ID. For those with Medical Centers, do you have similar issues? Is it time we invite Medical Center IT to UC Trust's discussions on this project?

Albert Wu
UCLA IT Services
albertwu@ucla.edu
