User Provisioning Project - Report to the ITLC - 9/28/2010
On March 24, 2010, Jim Davis, as chair of UC's IT Leadership Council, requested that the ITAG produce a report for the ITLC containing the following:
- After reviewing the ITLC's "Issues a Common Middleware would Attempt to Address", the ITAG should recommend a specific middleware platform / approach to evaluate and pilot.
- ITAG should then consider various projects / initiatives that could serve as a pilot for the middleware platform / approach and subsequently recommend a specific project (or a limited number of projects) for the ITLC's consideration. The ITAG should feel free to reach out to the ITLC (and other campus stakeholders) for ideas relating to potential projects / initiatives.
- As ITAG prepares recommendations for a middleware platform and pilot project, it should also consider and present thoughts/observations relating to the resources that might be required to complete a successful pilot.
A planning group was formed in June to address these issues. The membership represents ITAG, the UCTrust Work Group, and the ITLC's project management office:
- Arlene Allen, UCSB
- Dede Bruno, UCOP
- Mary Doyle, UCSC
- Max Garrick, UCI
- David Walker, UCD
- Albert Wu, UCLA
The Proposal
We propose the design, development and implementation of an infrastructure that provides multi-campus applications with identity information about their users from any UC location. The first two such applications might be:
- the addition of UCSB to the UCLA administrative services currently used by UCOP and UCM and,
- ServiceNow.com, assuming a forthcoming UC-wide agreement
As illustrated in [User Provisioning Use Cases|ucprovisioning:User Provisioning Use Cases], this infrastructure addresses a pain point that has plagued nearly every UCTrust-integrated application: the need to create records within the application for the authorized users. The Connexxus travel booking system and the SumTotal training management system are both examples of applications that could have benefited from this project. By implementing now, we curb the continued proliferations of ad hoc user data provisioning solutions in the applications that might be deployed as part of the Regents' administrative efficiency initiative.
A high-level technical and organizational design of this infrastructure is presented in User Provisioning High-Level Design. We also present the High-Level User Provisioning Project Tasks required to build this infrastructure, including
- completion of detailed design and project planning documents,
- implementation of common software, and
- deployment of that common software at each UC location.
As can be seen in High-Level User Provisioning Project Tasks, we anticipate completion of the first two phases of this project in 15 months to develop and deploy the software at the first two campuses, assuming 7 FTE can be assigned to the project. For the third phase, we estimate that each remaining campus will require 1-3 FTE over a period of 8 months, depending on the specifics of that campus's existing identity management infrastructure and other local choices made.
We have structured the third phase of this project to enable the remaining campuses to deploy the software according to their local needs. However, given the time and resource required, we encourage adoption of this strategy sufficiently before any anticipated projects that would require it to be in place.
There should be gating checkpoints at the ends of the first two phases to report progress to the ITLC and obtain approval to continue with the next phase. The ITLC Project Office should manage this project, once it has been approved by the ITLC to move forward. The project will continue to be governed by the ITLC, although the final selection of the middleware suite and review of the gating checkpoints should involve endorsement by the ITAG.