The Problem

The University of North Carolina at Chapel Hill saw the need for an improved and extensible provisioning system to control access to a variety of resources. Specifically, the identity team was looking for faster and easier integration of new resources. In addition, campus stakeholders

Executive Summary

UNC Chapel Hill had a very targeted goal of expanding provisioning on their campus and a plan to use midPoint to do it. One member of their team had significant experience with the structure and politics of the university as well as experience working within the InCommon community, so the team was able to scope their project to a reasonably small set of additional functionality. As a large research university with a hospital, their main challenges were around ensuring they understood and met the security requirements as well as collaborating effectively with other teams on campus. The team was able to meet their goals for the project and are running midPoint in production.

Solution Summary

Track: Lifecycle Management

Trusted Access Platform Components: midPoint, COmanage

Project Team: Ethan Kromhout (UNC Chapel Hill), Jan Tax (UNC Chapel Hill), Shumin Li (UNC Chapel Hill), Chad Redman (UNC Chapel Hill), Celeste Copeland (UNC Chapel Hill), Paul Caskey (Internet2), Keith Hazelton (Internet2). Enhanced access to Evolveum was critical.

The Environment: Large R1 university with a large health sciences program and hospital; the security posture is therefore robust, and there are security-environment requirements that other schools might not need to deal with.

Benefits to Organization: 

...

have repeatedly sought a solution to centralized provisioning and deprovisioning,

...

enabling them to add and remove local accounts.

...

Such a solution would eliminate the need for manual requests and the related delays.

As a large research university with a hospital, it would be paramount to understand the security requirements and ensure the new solution would meet those requirements. The project would also require effective collaboration with campus stakeholders.

The Solution

Given the time frame for the CSP, the identity team chose to scope the solution to implementing midPoint as a provisioning engine to help provide and control access to Google suite applications

...

The Project

Problem Statement:

UNC needs an extensible provisioning engine that can be used for an array of resource targets. We also need to provision G Suite and Google Cloud Platform (GCP) for campus groups.

Impact Statement:

For the Identity Team, faster and easier integration of new provisioning resource targets. For campus affiliates, automated access to provisioned resources without manual requests and approval delays.

Scale and Scope: During the CSP, the provisioning capability will be limited to central IT evaluation and use. The scale is expected to be limited to central IT and to users and groups closely engaged with central IT.

The Solution

midPoint was chosen because of its wide adoption in the Collaboration Success Program (CSP) cohort and because it is easily extensible via open source connectors. In addition, support for midPoint is available from CSP subject-matter experts, Evolveum (the vendor), consulting agencies, and peers. midPoint will be used in conjunction with Grouper to manage access to the Google applications and GCP.

The

...

Initial Plan:

Project Plan / Roadmap: November 30th 2019

Internal Communications Plan: January 15th 2020

Sandbox: December 15th 2019

MVP: March 15 2020

Actual Implementation:

The project went reasonably well: the project plan and roadmap were successful, but the structured communication plan did not happen. Completion of the sandbox environment was two weeks late due to delays in support from other internal groups, but it was up by 2020.

One delay was that the team needed to learn everything required for the security assessment. It was expected to be a lot and to take a while, but it took even longer than expected.

Conclusions & Lessons Learned

Original Success Metrics:

team also planned to gain an understanding of the capabilities of COmanage for possible use for some guest management purposes.

The Result

The project team successfully installed and configured midPoint as a provisioning engine, running in the standard operations matrix for enterprise applications. They met all but one of the goals developed at the outset of the CSP:

  • Instantiate a production instance of the provisioning engine, managed by the identity management group and running in the standard operations matrix for enterprise applications.
  • Publish groups in the production G Suite tenant, based on authorized groups in Grouper, via midPoint.
  • Associate GCP permissions with the G Suite groups above.
  • Gain an understanding of COmanage capabilities and their overlap with other InCommon Trusted Access Platform components.
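The second and third goals above describe a pipeline: authorized Grouper groups are published into the G Suite tenant, and GCP permissions are attached to those groups rather than to individuals, so a removal in Grouper also deprovisions GCP access. The following is an added example, not midPoint's, Grouper's or UNC's code: it models the reconciliation decision such an engine makes, using constructed in-memory data in place of Grouper, the Google Directory API and GCP IAM. The tenant domain example.edu, the it-prov- naming convention, the group names, roles and the name-mapping rules are all assumptions made for the illustration.

```python
"""Reconcile Grouper-authorized groups into a G Suite tenant and derive GCP IAM
bindings that reference those groups. Added example with constructed data; it
is not code from midPoint, Grouper or the UNC project. Domain, prefix, group
names and roles are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TARGET_DOMAIN = "example.edu"   # assumed tenant domain
MANAGED_PREFIX = "it-prov-"     # assumed convention: only groups with this prefix are engine-managed

# Constructed Grouper state (system of record): group name -> member uids.
GROUPER: Dict[str, Set[str]] = {
    "app:gcp:research-x:editors": {"alice", "bob", "carol"},
    "app:gcp:research-x:viewers": {"dave", "Erin"},     # mixed case on purpose
    "app:gcp:legacy:owners": {"mallory"},               # no longer authorized below
}
# Authorized-for-publication groups and the GCP role each carries.
# Anything outside this map is never pushed to the tenant.
AUTHORIZED: Dict[str, str] = {
    "app:gcp:research-x:editors": "roles/editor",
    "app:gcp:research-x:viewers": "roles/viewer",
}
# Constructed target state: G Suite group email -> member emails.
GSUITE: Dict[str, Set[str]] = {
    "it-prov-research-x-editors@example.edu": {"alice@example.edu", "bob@example.edu", "zed@example.edu"},
    "it-prov-legacy-owners@example.edu": {"mallory@example.edu"},  # published before authorization was revoked
    "staff-handmade@example.edu": {"someone@example.edu"},         # not ours: must be left untouched
}


def to_group_email(grouper_name: str) -> str:
    """Assumed mapping: 'app:gcp:research-x:editors' -> 'it-prov-research-x-editors@example.edu'."""
    parts = grouper_name.split(":")
    if parts[:2] != ["app", "gcp"]:
        raise ValueError(f"group outside the publishable namespace: {grouper_name}")
    return f"{MANAGED_PREFIX}{'-'.join(parts[2:])}@{TARGET_DOMAIN}"


def to_user_email(uid: str) -> str:
    # Normalise case so 'Erin' and 'erin' do not cause add/remove churn on every run.
    return f"{uid.lower()}@{TARGET_DOMAIN}"


@dataclass
class Plan:
    create: List[str] = field(default_factory=list)            # groups to create in the tenant
    add: List[Tuple[str, str]] = field(default_factory=list)   # (group_email, member_email)
    remove: List[Tuple[str, str]] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)           # unmanaged tenant groups, left alone


def plan_sync(grouper: Dict[str, Set[str]], authorized: Dict[str, str],
              gsuite: Dict[str, Set[str]]) -> Plan:
    """Compute the membership changes that make the tenant match Grouper."""
    plan = Plan()
    desired: Dict[str, Set[str]] = {
        to_group_email(g): {to_user_email(u) for u in grouper.get(g, set())} for g in authorized
    }
    for email in gsuite:
        if not email.startswith(MANAGED_PREFIX):
            plan.skipped.append(email)          # never touch groups we did not create
        elif email not in desired:
            desired[email] = set()              # managed but deauthorized: deprovision everyone
    for email, want in sorted(desired.items()):
        have = gsuite.get(email)
        if have is None:
            plan.create.append(email)
            have = set()
        plan.add.extend((email, m) for m in sorted(want - have))
        plan.remove.extend((email, m) for m in sorted(have - want))
    return plan


def apply_plan(gsuite: Dict[str, Set[str]], plan: Plan) -> Dict[str, Set[str]]:
    """Apply the plan to a copy of the tenant state (stands in for Directory API calls)."""
    state = {g: set(m) for g, m in gsuite.items()}
    for g in plan.create:
        state.setdefault(g, set())
    for g, m in plan.add:
        state[g].add(m)
    for g, m in plan.remove:
        state[g].discard(m)
    return state


def gcp_bindings(authorized: Dict[str, str]) -> List[dict]:
    """IAM bindings name the published groups, never individual users."""
    by_role: Dict[str, List[str]] = {}
    for g, role in authorized.items():
        by_role.setdefault(role, []).append(f"group:{to_group_email(g)}")
    return [{"role": r, "members": sorted(ms)} for r, ms in sorted(by_role.items())]


if __name__ == "__main__":
    first = plan_sync(GROUPER, AUTHORIZED, GSUITE)
    print("create:", first.create, "\nadd:", first.add, "\nremove:", first.remove, "\nskipped:", first.skipped)
    second = plan_sync(GROUPER, AUTHORIZED, apply_plan(GSUITE, first))
    print("second run is a no-op:", not (second.create or second.add or second.remove))
    print("gcp bindings:", gcp_bindings(AUTHORIZED))
```

Three properties matter here and are worth checking in any real deployment: a member dropped from the Grouper group is removed from the tenant group, and because the GCP role is bound to the group, the GCP access goes with it; a group that was published and later deauthorized is emptied rather than silently left populated; and the engine only touches groups in its own naming convention, so hand-made tenant groups are never clobbered by a reconciliation. The second run producing no changes is the idempotence check that catches case or formatting drift between the two systems.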

The one goal that was not met was the development of a recommendation document for the CIO on

...

using COmanage for some

...

guest management and invitation flows

...

.

The team also spent considerable time thinking about internal collaborations and how the COVID-19 pandemic changed the way they did their work. In-person collaborative troubleshooting did not translate well to remote work and Zoom meetings, where it is easier to multitask and lose focus. 

Overall, the project team felt the scope was about right, given competing demands on time. 

Lessons Learned

  • The project team thought a lot about internal collaborations; specifically the impact of COVID-19 and the lack of in-person brainstorming and troubleshooting sessions.
  • The narrow scope of the project was about right, given the time and resources available.
  • It was extremely helpful to have a team member with 10 years of experience at UNC, knowledge of the internal hierarchies, and heavy involvement in the development of the InCommon Trusted Access Platform.

About the University of North Carolina at Chapel Hill

The University of North Carolina at Chapel Hill is a public research university in Chapel Hill, North Carolina. The flagship of the University of North Carolina system, it also operates a large health sciences program and medical center.


...

Conclusions and Lessons Learned

We did pretty well on most of the success metrics until the last one, which didn't happen. All of the big ones were met, and we are running everything in production.

The project required us to think a lot about internal collaborations, and we struggled with how to keep this a team effort within UNC. It is easy and counterproductive for people to work on their own, especially with the work from home with COVID that happened at the end. The team collaborative work sessions with goals on what to do went really well and were longer than expected. On campus we had a large screen with one person typing, and the team did collaborative troubleshooting. However, this didn't translate well to remote work; it is much easier to multitask on a Zoom call and lose focus than in a room with other people.

The scope of the project was about right; it didn't sound that ambitious, but local hurdles were expected. It was the appropriate scope for 3-4 months, and it was important to size the project to the length of the CSP. Be gentle with yourself, because you won't get 100% of your time to devote to CSP, and you won't get everything that you want done. You need to find a chunk of work that feels like an accomplishment, but a small enough project to complete before you get pulled off to something else.

Ethan's 10 years of experience at UNC were helpful since he already had an idea of the internal politics, and being a SME on other TAP components helped with scope and what we could get done in a reasonable amount of time.