Executive Summary

For approximately 20 years the University of Michigan has provided its users with the ability to create and manage groups, which are used for a wide variety of purposes. The University currently manages 85,000 groups through its enterprise MCommunity directory. After such a long period of time, and especially given the current social climate of increased sensitivity to information privacy, we find it necessary to reevaluate the best way of providing group management capabilities to our users. Ultimately, we would like to provide our users with a rich set of groups, created using dynamic, automated processes, which can securely authorize access to applications, enable email delivery, etc.

A primary project goal is to determine the best methodology for providing these services using Grouper.  We plan to pilot several University use cases to manage departmental groups used for both access control and mail to explore and evaluate the Grouper product.

Organization Description

The birthplace of the Lightweight Directory Access Protocol (LDAP) and the OpenLDAP server software, the University of Michigan is a public research university with a primary campus and academic medical center (Michigan Medicine) located in Ann Arbor, Michigan, and two satellite campuses in Flint and Dearborn. The 19 schools and colleges on the Ann Arbor campus offer 250 degree programs and comprise 44,000 students; 7,000 faculty members; and 14,000 staff. According to the latest national data, the U-M spends more on research--$1.39 billion in FY2016--than any other U.S. public university. U-M's graduate programs include 99 appearing on the top ten list of the U.S. News & World Report (4th nationally).

For the most part, identity and access management services at the University of Michigan are provided by two teams:

  • The Line of Business team, which is responsible for the development of IAM applications and services. The assistant director of the IAM Line of Business team reports to the executive director of Information Assurance.
  • The Operations team, which is responsible for the production support of IAM applications and services. The manager of the IAM Operations team reports to the Data Engineering Manager of Infrastructure Services.

Containerized TIER Component(s) to be implemented

  • Grouper Access Management Software

Short Management-Level Use Case Description of Your Project

Today, the University of Michigan does not have a tool to allow people across the University to easily create and manage groups from centrally-maintained identity attributes. We want to empower the people responsible for the membership of a group to manage their group access.

The creation of many U-M groups used for simple purposes today is done manually but could be 99% data-driven. We want to be able to remove as much manual labor around group membership management as possible. In addition, we are interested in optimizing Grouper’s processing of data so it performs as close to real-time as possible.


We are currently unable to distinguish between MCommunity groups used for access control v. email. Using Grouper, we hope to better understand and track group usage and be able to operate more efficiently.  We will avoid sending groups to Google and Box that will not be used there. We can put processes into place around access control groups to better monitor ownership and usage.


We will implement Grouper and explore Grouper functionality as a solution by piloting University use cases. The first group of use cases will involve the creation of departmental groups comprised of staff members used for both mail and access control. The goals for this initial effort are:


  • Learn how to organize building block groups to establish useful group patterns.

  • Create groups which are 99% data driven; remove manual effort.

  • Optimize the processing of the Grouper so it performs as close to real-time as possible.

  • Better understand how to create and manage groups for service access control v. email.

  • Empower the right people to manage group membership; test Grouper as a tool for everyday end users.


As we build upon our initial successes with Grouper, we plan to address more use cases across the University.

Scope

Our participation in the program will result in the following outcomes:


  • Installing long-term use Grouper infrastructure within our development, quality assurance, and production application environments.

  • Learning how to best organize groups for an institution the size of the University of Michigan.

  • Optimizing the processing of the Grouper product so that it performs as close to real-time as possible, similar to our current identity management system.

  • Of particular interest to us, employing data mining and exploration techniques to create Grouper loader configurations.

  • Formulating general and specific scenarios in which Grouper can complement and supplement a commercial roles and access management system.

  • Making the piloted departmental group use cases in Grouper operational in a production environment.

Key Stakeholders


Sponsor

Kelli Trosvig

Vice President and Chief Information Officer

Information and Technology Services

University of Michigan

Project team members

Liam Hoekenga, Project Lead & Application Developer Senior

Jack Steward, IAM Solutions Architect

Aimee Lahann, Project Manager

Kyle Cozad, Business Systems Analyst

Jeanne Horvath, Identity and Access Management Technical Resource Manager

Deployment Partners/Contractors

Unicon


Project Milestones

TBD


Synergistic Projects

EIAM Program

The University has entered into the Enterprise Identity and Access Management (EIAM) Program, a multi-year project which will establish the University’s first-ever comprehensive identity and access management strategy, with the goal of making “it easier for the U-M community and collaborators around the globe to get the right access to systems and information at the right time.” For more information, please see the following web site: http://cio.umich.edu/eiam-program/about

One workstream of the EIAM Program is to address the University’s lack of a coordinated approach to roles and access management. The outcomes of the Role and Access Management Project (RAMP) are to select a vendor for a commercially available roles and access management product and to implement it. The RAMP team solicited a Request for Proposals (RFP) for a roles and access management product in summer 2017. A product will be chosen and a vendor will be selected in fall 2017. A pilot implementation of the product is scheduled to begin in winter 2018.

It is the stated direction of IAM leadership that Grouper will augment the services provided by the product chosen by the RAMP team. As Grouper and the RAMP product are implemented, the IAM team will begin to learn the best uses of each tool at the technical and business levels. Most assuredly, the relationship between the applications will evolve over time. Nevertheless, documenting the application relationships so that duplication is avoided will be critical, and is a stated outcome of this proposal. What we learn, both during and after the project, will be shared with TIER.

While the projects share some commonalities, the Grouper evaluation will fall outside the scope of the EIAM Program.

School of Information Research Study

During the fall 2017 term, the Identity and Access Management team will work with a class in the School of Information to conduct a research study of how groups are used at the University. This study will provide us with valuable data that can be used to drive how we employ the Grouper product.

Constraints, Assumptions, Risks and Dependencies

Constraints: TBD

Assumptions: TBD

Risks and Dependencies: TBD

Training & Support Needs

Although the University of Michigan has performed some preliminary implementation and testing of Grouper, it still has limited experience with the product.  The University sees the principal benefit of entering into the TIER Campus Success Program 2017 as being able to learn from seasoned experts about how to best use Grouper.  We sincerely want to gain as much experience as we can from these experts to achieve the outcomes described above.


The resources allocated to the project are all seasoned software application analysts and developers with extensive knowledge of the field of identity and access management.  While all developers have a knowledge of DirXML-Script, Perl, Python, and various other scripting and application development languages, they have varying levels of experience with Java, from rudimentary to proficient.  Expert Java experience is available on the IAM team, but will likely not be allocated to this project.  Members of the pilot may need to reach out to resources provided through the TIER Campus Success Program 2017 for assistance with Grouper-specific Java application development.


The University will allocate three resources to the TIER Campus Success Program 2017.  During and after the pilot, those resources will train other University of Michigan IAM team members on Grouper functionality.  They will create an implementation guide, as described above, and disseminate it to the TIER Campus Success Program 2017 proposal evaluation committee, the Big Ten Academic Alliance, and InCommon member institutions.