information technology central services at the university of michigan
Introduction to MCommunity

R1457 • February 2008

MCommunity is a new online directory and identity management system for U-M that is currently under development. It will be rolled out in phases beginning in June 2008. This document describes some of the components of MCommunity, explains how they will be used, and tells what will be available when.


What Is MCommunity?

MCommunity is a central system that will store information about people that can be used to grant them access to various online resources at both the University and departmental levels. It is a flexible, centralized, identity management system that U-M campuses and units will be able to use in a decentralized way for provisioning information technology resources and services.

It is also what is called an "enterprise directory," which means it will include the entire University enterprise and not just a single department or campus. It will eventually replace the U-M Online Directory. It will also replace current ITCS systems for creating and managing uniqnames and for provisioning Basic Computing Package services.

The main reason for creating MCommunity is to make it possible to provide quick access to the online and physical resources people need when they need them—and to remove that access when they are no longer eligible for it. MCommunity will

  • Provide a directory with better privacy features than the current directory.
  • Provide a directory with accurate, up-to-date information about members of the U-M community.
  • Provide tools that departmental system administrators can use to grant access to—and remove access from—their own departmental information technology resources for people based on departmental roles that they define.
  • Streamline the processes for uniqname creation and UMICH Kerberos password resets.
  • Streamline provisioning of Basic Computing Package services.

Why Is It Important?

More and more of what the University does depends on knowing who is and is not a member of the University community. Our current systems are unable to give us real-time information about who is affiliated with the University and in what capacity.

This information is needed for a wide variety of purposes, including

  • Providing immediate access to U-M computing resources to those who are eligible.
  • Removing access to sensitive systems and information from those who leave the University.
  • Identifying specific groups of people—such as those enrolled in a particular program—so they can be given access to resources such as for-fee online publications. Being able to count those people and prove that no one else has that access will help the University to negotiate the best price for such online resources.
  • Identifying people with a particular role at the University so they can be given access to resources specific to their role, and automating that process so that when people take on or give up that role, their access is adjusted automatically.

When Will It Be Available?

MCommunity is being developed and rolled out in stages. Each component of the system listed here is described in greater detail later in this document.

June 2008
The basic, underlying structure of MCommunity will be in place by June 2008, including the Identity Vault and the data feeds connecting the primary authoritative data sources. The Sponsor System will be available, but the new directory itself will not yet be visible to the University community.

Data in the U-M Online Directory will be synchronized with the data in MCommunity. This may necessitate some minor changes in how data in the directory is displayed. More information will be provided here as those details are finalized.

December 2008
The new MCommunity online directory will replace the current U-M Online Directory in December 2008. For most members of the U-M community, this will be the visible debut of MCommunity.

There will be changes in how people look up people and group entries, how they modify their own entries, and how they create and manage groups. There will also be changes in what information is available to the general public and to members of the University community.

The U-M Online Directory will remain available behind the scenes for some time so that departments who need access to it can continue to use it while they transition their systems to access MCommunity instead.

LDAP access to MCommunity data will be provided to U-M system administrators through an LDAP Tree.

Spring 2009
MCommunity will introduce tools that departments can use for departmental role management.

Summer 2009
Departmental system administrators will be able to use MCommunity to provision their own information technology services.

Uniqname Creation

Your uniqname is an important part of your identity at U-M. There are a number of procedures for getting a uniqname; the one you use depends on your relationship with the University. Underlying all those procedures is ITCS's uniqname system, which creates and manages uniqnames.

MCommunity will take over that work as part of its identity management function.

Uniqnames for Sponsored Affiliates
Authorized U-M employees will be able to use MCommunity to obtain uniqnames for sponsored affiliates. The Sponsor System component of MCommunity will allow for creation of a full online identity, not just a uniqname, that can be used for service provisioning.

The Sponsor System will provide three ways of getting uniqnames:

  1. Staff member requests. Staff members will enter identity information into MCommunity to obtain a uniqname and UMICH Kerberos password, which they will then provide to the sponsored affiliate.
  2. Requests for lists of short-term uniqnames. Staff members can provide lists of conference or summer camp attendees and obtain lists of short-term-use uniqnames to distribute to those people.
  3. Self-registration invitation to the sponsored affiliate. Staff members will enter identity information into MCommunity, and MCommunity will send an e-mail message inviting the sponsored affiliate to visit a website to select a uniqname and UMICH password. This option will not be ready when the Sponsor System is introduced in June 2008. It will likely be added in December 2008.

Currently, staff members use webuniq or the uns command-line tool to create uniqnames for sponsored affiliates. With MCommunity, they will use the Sponsor System to create sponsored identities with uniqnames.

Uniqname Self Registration
Incoming students, staff members hired through the University's online application system, and alumni will continue to select their own uniqnames and UMICH Kerberos passwords via a uniqname self-registration process on the web. The software behind this process will change, but the process itself will be similar to the way it is today.

Current uniqname self-registration web pages:

Programmatic Uniqname Creation
Some U-M units have their own scripts, programs, or systems that interact with ITCS's uniqname system to create uniqnames. These will need to be modified to work with MCommunity instead.

ITCS and Departmental Interfaces to Uniqname
Systems that currently connect to or interact with ITCS's uniqname system will need to transition to working with MCommunity instead. Most, but not all, of these systems are within ITCS. ITCS will work with the owners of other systems to ensure a smooth transition. The transition will likely begin somewhere around June 2008, when MCommunity will be capable of creating and managing uniqnames. Decommissioning of ITCS's current uniqname system is tentatively scheduled for somewhere around March 2009.

Sponsor System (June 2008)

The Sponsor System will allow authorized University employees to interactively and programmatically create identities in MCommunity for people who are affiliated with the University but who are not full members of the University community. These people are usually referred to as sponsored affiliates. There are two common reasons for needing such identities:

  1. Preliminary IDs for early access. It is common practice for units to create accounts for incoming faculty members before they officially complete the hiring process and come to the University—that is, before information about them is in the University's Human Resources system. Units do this to provide incoming faculty members with early and needed access to University resources.
  2. IDs for loosely affiliated persons. Units also need to be able to create identities for individuals who are not, and may never be, students, faculty, staff, or alumni—people such as research collaborators, contractors, conference attendees, summer camp attendees, and so on.

Currently, units meet the needs of sponsored affiliates by obtaining uniqnames for them, either from the ITCS Accounts Office or from authorized individuals throughout the University called uniqname administrators.

When the Sponsor System is introduced in June 2008, Accounts Office staff and uniqname administrators will be able to use it to

  • Create identities for sponsored affiliates.
  • Request uniqnames for the affiliates. By December 2008, they will also be able to request that the system invite sponsored affiliates to select their own uniqnames.
  • Set start and end dates for their sponsorships of those individuals.

For details about the Sponsor System, see Introduction to the MCommunity Sponsor System (R1458).

Identity Vault (June 2008)

The Identity Vault is the heart of the MCommunity system. It will store identity information for people and for groups. Most people won't need to give the Identity Vault a second, or even first, thought. They will simply be aware that MCommunity contains identity information about U-M people and groups.

Information is provided here about the Identity Vault for information technology staff whose systems will interact with MCommunity, administrative staff who need to know what data is available where, and others who are interested.

The part of the Identity Vault that stores data will be made up of two parts:

  • Registry. The Registry will store all data received from each of the data sources that feed MCommunity. It's where the raw data is collected and held. The registry may contain multiple records for a single person. If, for example, an individual is a student on the Dearborn campus and an employee on the Ann Arbor campus, information about that individual will be provided to MCommunity both through the employee data feed from Michigan Administrative Information Services (MAIS) and the student data feed from Dearborn. All this information will be kept in the registry.

  • Directory. The directory will contain consolidated data—a single record for each person. It will contain current data only.

Also part of the Identity Vault will be software that, following data precedence rules, will determine which data goes in the directory when data from different sources conflict. The Identity Vault will have software that keeps data synchronized across MCommunity and manages data changes coming in from various places.
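The registry-to-directory consolidation described above, sketched as an added illustration that is not ITCS or MCommunity code. The precedence order, source labels, attribute names, and records are assumptions constructed for the example, since this document does not publish the actual precedence rules.

```python
from datetime import date

# ASSUMED precedence, highest first (not taken from the document).
PRECEDENCE = ["m-pathways", "dearborn-banner", "development", "sponsor-system"]
RANK = {source: i for i, source in enumerate(PRECEDENCE)}
MULTI_VALUED = {"affiliation"}  # assumed: affiliations accumulate across feeds

# Constructed registry: raw records, possibly several per person.
REGISTRY = [
    {"person": "p1", "source": "dearborn-banner",
     "start": date(2007, 9, 1), "end": None,
     "attrs": {"displayName": "Pat Q. Example", "affiliation": "Student",
               "campus": "Dearborn"}},
    {"person": "p1", "source": "m-pathways",
     "start": date(2008, 1, 15), "end": None,
     "attrs": {"displayName": "Patricia Example", "affiliation": "Staff",
               "title": "Research Assistant"}},
    {"person": "p2", "source": "sponsor-system",
     "start": date(2008, 6, 1), "end": date(2008, 8, 31),
     "attrs": {"displayName": "Sam Visitor",
               "affiliation": "SponsoredAffiliate"}},
]

def is_current(rec, today):
    """A record counts only inside its start/end window (end=None is open)."""
    return rec["start"] <= today and (rec["end"] is None or today <= rec["end"])

def consolidate(registry, today):
    """Build one directory entry per person from current registry records."""
    for rec in registry:
        # Fail closed: a feed with no precedence rank must not be merged.
        if rec["source"] not in RANK:
            raise ValueError(f"unknown data source: {rec['source']!r}")
    directory = {}
    current = [r for r in registry if is_current(r, today)]
    # Highest precedence first, so the first single-valued attribute wins.
    for rec in sorted(current, key=lambda r: RANK[r["source"]]):
        entry = directory.setdefault(rec["person"],
                                     {"attrs": {}, "provenance": {}})
        for name, value in rec["attrs"].items():
            if name in MULTI_VALUED:
                values = entry["attrs"].setdefault(name, [])
                if value not in values:
                    values.append(value)
            elif name not in entry["attrs"]:
                entry["attrs"][name] = value
                entry["provenance"][name] = rec["source"]  # audit trail
    return directory

if __name__ == "__main__":
    for when in (date(2008, 7, 1), date(2008, 9, 1)):
        print(when, consolidate(REGISTRY, when))
```

Recording which feed supplied each attribute lets an administrator trace a wrong directory value back to its source, and a person with no current registry record simply does not appear in the consolidated directory.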

A New Online Directory (December 2008)

The web interface to the U-M Online Directory will be replaced by a new web interface to MCommunity in December 2008. You'll still be able to look up people and groups, manage your own entry, create and manage e-mail groups, and more—but things will look different.

Details about what directory information should or should not be visible and to whom are being decided by the MCommunity Governance Board, a group with representatives from across the University community. The group prepared general recommendations to guide the use of data in MCommunity and continues to meet regularly to refine those ideas as MCommunity takes shape.

People Entries
When the current U-M Online Directory was created, Internet culture encouraged open sharing of information. Since that time, awareness has increased of the need to protect the privacy of personal identity information. Our peer institutions no longer display as much data about members of their communities as we do.

MCommunity will allow the University to provide varying levels of access to directory information. Those who log in to MCommunity will be able to see more information than the general public, for example.

Privacy of Personal Information. Whereas the current directory publishes home addresses and phone numbers unless individuals request otherwise, MCommunity will reverse this. Home addresses and phone numbers will not be published unless individuals request that they be made public.

Keeping Public Information Public. University employees will no longer be able to change or remove their official job titles as they can today. Space will be provided for individuals to provide a more specific or informal title in addition to their official title if they wish.

See the Governance Board's recommendations regarding General Visibility of Person Attributes for details.

Groups
MCommunity will provide for group creation and management, but the tools for doing this will likely look different from the group-management tools in the current directory. Current groups will be moved from the U-M Online Directory to MCommunity. Details for groups in MCommunity have not yet been worked out. When they are, more information will be provided here.

Departmental Roles Management (Spring 2009)

University units need to identify populations of faculty, staff, and students based on their University roles. A school might want to identify all the students in a particular program so it can give them access to licensed software or to for-fee online publications, for example. The current directory does not lend itself to this purpose, but MCommunity is being designed to do so.

Basic institutional role information will be included for individuals in MCommunity. This information will be provided by MAIS through M-Pathways. Individual schools, colleges, and units may use the institutional roles to grant access to services, or they may wish to customize them with additional criteria.

The MCommunity Governance Board has identified basic institutional roles for use in MCommunity. See the Roles Section of the Governance Board's Recommendations for details.

Departmental Service Provisioning (Summer 2009)

Departmental system administrators will be able to use MCommunity to provision their own information technology services. For example, they will be able to use it when providing departmental server accounts to new staff. They'll also be able to use it to provide access to licensed online materials and more.

Programmatic Access for Departmental System Administrators

Via the LDAP Tree (December 2008)
MCommunity will include a component designed for system administrators who rely on LDAP access to current directory data for unit systems and applications.

Staff members in many units across the University currently use LDAP command-line tools to work with data in the current directory. LDAP is also used by various services and applications for such things as user authorization. To allow staff to continue to use these tools and systems to appropriately access the data, MCommunity will include an "LDAP Tree"—an LDAP-accessible replica of the directory that is inside the Identity Vault. This will help units make the transition to the new infrastructure with minimal disruption.

The LDAP Tree will also be a resource for people who want to access directory data for their e-mail address books. Some e-mail programs can be configured for LDAP access to directory information.

Identity Management Access (Spring 2009)
Programmatic access to the identity management component of MCommunity will allow departmental system administrators to align their own systems to interact with MCommunity.

Direct Access to Departmental Data
This access will allow departmental staff to make batch and one-at-a-time changes to their departmental data in MCommunity.

Data Sources for MCommunity

MCommunity will receive data about people from the following sources:
  • M-Pathways (PeopleSoft HEPROD Database). This MAIS database is the authoritative source for identity information about

    • Current U-M faculty
    • Current U-M staff
    • Current Ann Arbor campus students

    People who wish to make changes in their official U-M identity information that is stored in M-Pathways may do so using Wolverine Access. MCommunity will receive data from this source via a live data feed. Changes made to the data will be synchronized with MCommunity in real time. The current U-M Online Directory receives updates from M-Pathways once a week via a batch file.

    Keeping authoritative data authoritative. The current directory allows people to change authoritative data about themselves, such as their staff title, and to disable updates from M-Pathways. MCommunity will not allow this. Individuals can make changes to much of the authoritative data about themselves, such as addresses and phone numbers, using Wolverine Access. These changes would then be reflected in real time in MCommunity. MCommunity will provide space for people to indicate informal or more specific titles in addition to the official data.

  • Office of University Development. This office will provide identity information for all living alumni via the Data Warehouse that MAIS maintains. Updates to this information will be provided to MCommunity once each day. Currently, Development provides updates to the U-M Online Directory once a week. Current updates are used only to add the "Alumni" affiliation to entries that already exist in the directory. MCommunity will have more information about alumni than the current directory does.
  • Dearborn Campus. The Dearborn Campus uses a Banner system for its directory of U-M Dearborn students. U-M Dearborn's Information Technology Services staff members are working with the MCommunity Project Team to figure out how to provide a live data feed between the Dearborn Banner system and MCommunity. The current directory receives data from Dearborn once a week.
  • Flint Campus. The Flint Campus also uses a Banner system for its directory of U-M Flint students. Flint students are not included in the U-M Online Directory. Staff members from U-M Flint Information Technology Services have been invited to participate in the MCommunity Project and have attended several meetings related to early testing of the system. It is hoped that work done on the data feed between MCommunity and the Dearborn Banner system can be used to make establishing a data feed between MCommunity and the Flint Banner system easier.

Data about groups will continue to be entered and managed by group owners.

Additional Resources

The MCommunity Project website provides information about the project status, timeline, history, and more.

Visit ITCS's Information System to obtain ITCS computer documentation and other resources. A list of relevant documents follows:

We welcome your comments; please send e-mail.

ITCS's Online Help Desk provides a variety of computing help resources.

Please direct questions about the MCommunity Project to the MCommunity leads at MCommunity.Leads@umich.edu.
