ITS Documentation
MCommunity Overview
R1457 • October 2009

MCommunity is a new online directory and identity management system for U-M that is currently under development. It is being rolled out in phases. The basic infrastructure was put in place in June 2008. The MCommunity Sponsor System was released to the Information and Technology Services (ITS) Accounts Office in October 2008 and to U-M departments in March 2009. This document describes some of the components of MCommunity and explains how they will be used.

What Is MCommunity?

MCommunity is a central system that stores information about people that can be used to grant them access to various online resources at both the University and departmental levels. It is a flexible, centralized, identity management system that U-M campuses and units will be able to use in a decentralized way for provisioning information technology resources and services.

It is also what is called an "enterprise directory," which means it will include the entire University enterprise and not just a single department or campus. It will eventually replace the U-M Online Directory. It will also replace current ITS systems for creating and managing uniqnames and for providing computing services.

The main reason for creating MCommunity is to make it possible to provide quick access to the online and physical resources people need when they need them—and to remove that access when they are no longer eligible for it. MCommunity will

  • Provide a directory with better privacy features than the current directory.
  • Provide a directory with accurate, up-to-date information about members of the U-M community.
  • Provide tools that departmental system administrators can use to grant access to—and remove access from—their own departmental information technology resources for people based on departmental roles that they define.
  • Streamline the processes for uniqname creation and UMICH Kerberos password resets.
  • Streamline provisioning of standard computing services.

Why Is It Important?

More and more of what the University does depends on knowing who is and is not a member of the University community. Our current systems are not able to give us complete, real-time information about who is affiliated with the University and in what capacity.

This information is needed for a wide variety of purposes, including

  • Providing immediate access to U-M computing resources to those who are eligible.
  • Removing access to sensitive systems and information from those who leave the University.
  • Identifying specific groups of people—such as those enrolled in a particular program—so they can be given access to resources such as for-fee online publications. Being able to count those people and prove that no one else has that access will help the University to negotiate the best price for such online resources.
  • Identifying people with a particular role at the University so they can be given access to resources specific to their role. Automating this means that when people take on or give up that role, their access is adjusted automatically.

What Are the Components of MCommunity?

MCommunity includes several major components. Many of the components listed here are described in greater detail later in this document.

  • Underlying Infrastructure. The basic, underlying structure of MCommunity is in place, including the Identity Vault and the data feeds connecting the authoritative data sources. MCommunity has a live feed from M-Pathways, and nightly feeds from the Dearborn Banner system via the Dearborn Data Warehouse and from the Donor Alumni Constituent (DAC) database via the DAC Data Warehouse. It also has a weekly feed from the Flint Banner system via M-Pathways. This means that MCommunity is routinely creating entries for faculty, staff, and students on all three campuses, as well as for retirees, alumni, and sponsored persons.
  • Sponsor System. The MCommunity Sponsor System is used by the ITS Accounts Office and departmental sponsorship administrators to sponsor university guests and affiliates and obtain uniqnames for them.
  • LDAP Tree. LDAP access to MCommunity data will be provided to U-M system administrators through an LDAP Tree.
  • Directory. The new MCommunity online directory will replace the current U-M Online Directory. For most members of the U-M community, this will be the visible debut of MCommunity. There will be changes in how people look up people and group entries, how they modify their own entries, and how they create and manage groups. There will also be changes in what information is available to the general public and to members of the University community.

    The U-M Online Directory will remain available behind the scenes for some time so that departments who need access to it can continue to use it while they transition their systems to access MCommunity instead.

  • Programmatic access to the Sponsor System for system administrators will be provided through a web service and a command-line utility. Medical Center Information Technology (MCIT) is using a web service that allows Medical Center systems to interact with the MCommunity Sponsor System to set up sponsorships.

  • Departmental Roles. MCommunity will introduce tools that departments can use for departmental roles management.
  • Provisioning. MCommunity will be used for provisioning of ITS's standard computing services, as well as some other campus services. Departmental system administrators will begin to be able to use MCommunity to provision their own information technology services.

Uniqname Creation

Your uniqname is an important part of your identity at U-M. There are a number of procedures for getting a uniqname; the one you use depends on your relationship with the University. Underlying all those procedures is ITS's uniqname system, which creates and manages uniqnames.

MCommunity will take over that work as part of its identity management function.

Uniqnames for Sponsored Affiliates
Authorized U-M employees can use the MCommunity Sponsor System to obtain uniqnames for sponsored affiliates. The system allows for creation of a full online identity, not just a uniqname.
Uniqname Self Registration
Incoming students, staff members hired through the university's online application system, and alumni will continue to select their own uniqnames and UMICH Kerberos passwords via a uniqname self-registration process on the web. The software behind this process will change, but the process itself will be similar to the way it is today.

Current uniqname self-registration web pages:

Programmatic Uniqname Creation
Some U-M units have their own scripts, programs, or systems that interact with ITS's uniqname system to create uniqnames. These will need to be modified to work with MCommunity instead.
ITS and Departmental Interfaces to Uniqname
Systems that currently connect to or interact with ITS's uniqname system will need to transition to working with MCommunity instead. Most, but not all, of these systems are within ITS. ITS will work with the owners of other systems to ensure a smooth transition. After a reasonable transition period, ITS's current uniqname system will be retired.

Sponsor System

The Sponsor System allows authorized University employees to create identities in MCommunity for people who are affiliated with the university but who are not full members of the university community. These people are usually referred to as sponsored affiliates. There are two common reasons for needing such identities:

  1. Preliminary IDs for early access. It is common practice for units to create accounts for incoming faculty members before they officially complete the hiring process and come to the university—that is, before information about them is in the university's Human Resources system. Units do this to provide incoming faculty members with early and needed access to university resources.
  2. IDs for affiliated persons. Units also need to be able to create identities for individuals who are not, and may never be, students, faculty, staff, or alumni—people such as research collaborators, contractors, conference attendees, summer camp attendees, and so on.

For details about the Sponsor System, see MCommunity Sponsor System Overview (R1458).

Identity Vault

The Identity Vault is the heart of the MCommunity system. It stores identity information for people and for groups. Most people won't need to give the Identity Vault a second, or even first, thought. They will simply be aware that MCommunity contains identity information about U-M people and groups.

Information is provided here about the Identity Vault for information technology staff whose systems will interact with MCommunity, administrative staff who need to know what data is available where, and others who are interested.

The part of the Identity Vault that stores data is made up of two parts:

  • Registry. The Registry stores all data received from each of the data sources that feed MCommunity. It's where the raw data is collected and held. The Registry may contain multiple records for a single person. If, for example, an individual is a student on the Dearborn campus and an employee on the Ann Arbor campus, information about that individual will be provided to MCommunity both through the employee data feed from M-Pathways (Wolverine Access) and the student data feed from Dearborn. All this information will be kept in the Registry.

  • Directory. The directory contains consolidated data—a single record for each person. It contains current data only.
Also part of the Identity Vault is software that, following data precedence rules, determines which data goes in the directory when data from different sources conflict. The Identity Vault has software that keeps data synchronized across MCommunity and manages data changes coming in from various places.
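
The Registry-to-Directory consolidation described above, as an added example that is not MCommunity's own code. The precedence order, the record fields (including the `ends` date), and every sample record are assumptions constructed for illustration; this document does not publish the actual precedence rules.

```python
from datetime import date

# Hypothetical source precedence, highest first. The feeds are named in this
# document; the ordering is an assumption made for this example.
PRECEDENCE = ["M-Pathways", "Dearborn Banner", "DAC", "Sponsor System"]

# Constructed registry: raw records as received, possibly several per person.
REGISTRY = [
    {"uniqname": "jdoe", "source": "Dearborn Banner", "affiliation": "Student",
     "ends": None, "attrs": {"displayName": "J. Doe", "phone": "313-555-0100"}},
    {"uniqname": "jdoe", "source": "M-Pathways", "affiliation": "Staff",
     "ends": None,
     "attrs": {"displayName": "Jane Doe", "title": "Research Assistant"}},
    {"uniqname": "jdoe", "source": "Sponsor System",
     "affiliation": "SponsoredAffiliate", "ends": date(2009, 6, 30),
     "attrs": {"displayName": "Jane Q. Doe", "title": "Visiting Scholar"}},
    {"uniqname": "rroe", "source": "Sponsor System",
     "affiliation": "SponsoredAffiliate", "ends": date(2009, 6, 30),
     "attrs": {"displayName": "Richard Roe"}},
]

def consolidate(registry, today):
    """Build one directory entry per person from the current registry records."""
    directory = {}
    # Visit the lowest-precedence source first so that a higher-precedence
    # source overwrites it whenever two sources supply the same attribute.
    ordered = sorted(registry, key=lambda r: PRECEDENCE.index(r["source"]),
                     reverse=True)
    for rec in ordered:
        if rec["ends"] is not None and rec["ends"] < today:
            continue  # directory holds current data only; registry keeps the record
        entry = directory.setdefault(
            rec["uniqname"], {"affiliations": set(), "attrs": {}, "provenance": {}})
        entry["affiliations"].add(rec["affiliation"])
        for name, value in rec["attrs"].items():
            entry["attrs"][name] = value
            entry["provenance"][name] = rec["source"]  # which feed won this value
    return directory

if __name__ == "__main__":
    for uniqname, entry in consolidate(REGISTRY, date(2009, 10, 1)).items():
        print(uniqname, sorted(entry["affiliations"]), entry["attrs"])
```

Recording which source won each attribute makes a conflict traceable back to its feed, and a person whose only registry record has lapsed drops out of the directory that downstream systems consult for access decisions.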

A New Online Directory

The MCommunity Directory will eventually replace the U-M Online Directory. You'll still be able to look up people and groups, manage your own MCommunity entry, create and manage e-mail groups, and more—but things will look different in the new directory. For a preview and description of the new directory, see An Overview of the MCommunity Directory Via the Web (R1462).

Departmental Roles Management

University units need to identify populations of faculty, staff, and students based on their university roles. A school might want to identify all the students in a particular program so it can give them access to licensed software or to for-fee online publications, for example. The current directory does not lend itself to this purpose, but MCommunity is being designed to do so.

Basic institutional role information will be included for individuals in MCommunity. This information will be provided by ITS through M-Pathways. Individual schools, colleges, and units may use the institutional roles to grant access to services, or they may wish to customize them with additional criteria.

The MCommunity Governance Board has identified basic institutional roles for use in MCommunity. See the Roles Section of the Governance Board's Recommendations for details.

Departmental Service Provisioning

Departmental system administrators will be able to use MCommunity to provision their own information technology services. For example, they will be able to use it when providing departmental server accounts to new staff. They'll also be able to use it to provide access to licensed online materials and more.

Programmatic Access for Departmental System Administrators

Via the LDAP Tree
MCommunity will include a component designed for system administrators who rely on LDAP access to current directory data for unit systems and applications.

Staff members in many units across the university currently use LDAP command-line tools to work with data in the current directory. LDAP is also used by various services and applications for such things as user authorization. To allow staff to continue to use these tools and systems to appropriately access the data, MCommunity will include an "LDAP Tree"—an LDAP-accessible replica of the directory that is inside the Identity Vault. This will help units make the transition to the new infrastructure with minimal disruption.

The LDAP Tree will also be a resource for people who want to access directory data for their e-mail address books. Some e-mail programs can be configured for LDAP access to directory information.

Identity Management Access
Programmatic access to the identity management component of MCommunity will allow departmental system administrators to align their own systems to interact with MCommunity.
Direct Access to Departmental Data
This access will allow departmental staff to make batch and one-at-a-time changes to their departmental data in MCommunity.

Data Sources for MCommunity

MCommunity's sources for data about people are these:
  • M-Pathways/Wolverine Access (PeopleSoft HEPROD Database). This database is the authoritative source for identity information about

    • Current U-M faculty
    • Current U-M staff
    • Current Ann Arbor campus students

    People who wish to make changes in their official U-M identity information that is stored in M-Pathways may do so using Wolverine Access. MCommunity receives data from this source via a live data feed. Changes made to the data are synchronized with MCommunity in real time. The current U-M Online Directory receives updates from M-Pathways once a week via a batch file.

    Keeping authoritative data authoritative. The current directory allows people to change authoritative data about themselves, such as their staff title, and to disable updates from M-Pathways/Wolverine Access. MCommunity will not allow this. Individuals can make changes to much of the authoritative data about themselves, such as addresses and phone numbers, using Wolverine Access. These changes would then be reflected in real time in MCommunity. MCommunity will provide space for people to indicate informal or more specific titles in addition to the official data.

  • Office of University Development. This office provides identity information for all living alumni via a Data Warehouse. Updates to this information are provided to MCommunity nightly (except for Sunday night). Currently, Development provides updates to the U-M Online Directory once a week. These updates are used only to add the "Alumni" affiliation to entries that already exist in the directory. MCommunity will have more information about alumni than the current directory does.
  • Dearborn Campus. The Dearborn Campus uses a Banner system for its directory of U-M Dearborn students. U-M Dearborn's Information Technology Services staff members are working with the MCommunity Project Team to establish a live data feed between the Dearborn Banner system and MCommunity. A nightly data feed has been set up for now.
  • Flint Campus. The Flint Campus also uses a Banner system for its directory of U-M Flint students. Staff members from U-M Flint Information Technology Services are working with the MCommunity Team to establish a live data feed between the Flint Banner system and MCommunity. A weekly data feed from Flint to M-Pathways to MCommunity has been set up for now.
  • Sponsor System. The MCommunity Sponsor System is used to enter identity information about departmentally sponsored guests and affiliates.

Data about groups will continue to be entered and managed by group owners.

Additional Resources

The MCommunity Project website provides information about the project status, timeline, history, and more.

Visit ITS's Information System to obtain ITS computer documentation and other resources. A list of relevant documents follows:

We welcome your comments; please send e-mail.

ITS's Online Help Desk provides a variety of computing help resources.

Please direct questions about the MCommunity Project to the MCommunity leads at MCommunity.Leads@umich.edu.