Executive Summary
<Jessica to write after meeting>
Solution Summary
Track: Lifecycle Management
Trusted Access Platform Components: MidPoint, COmanage
Project Team: Ethan Kromhout, Jan Tax, Shumin Li, Chad Redman, Celeste Copeland
Community Collaborators: Paul Caskey, Keith Hazelton, enhanced access to Evolveum was critical
The Environment: large R1 university, large health sciences program and hospital, security posture tends to be robust, some requirements for security environment that other schools might not need to deal with
Benefits to Organization:
- The IdM team will gain an extensible provisioning system that can be expanded to additional resources and projects, benefiting their future capabilities and thus those of the CISO. The cloud infrastructure team will gain a capability to build users and groups in G Suite and GCP for future expansion of those offerings.
- Evaluating different approaches to modernizing guest management is of current interest to the IdM team. COmanage is a possible approach that aligns with Incommon partner institutions.
- Customers have repeatedly sought a solution to centralized provisioning and deprovisioning, that they can use to add and remove local accounts. This would be the start of a service that could be expanded to many other groups around campus to solve these issues.
The Project
Problem Statement:
UNC needs an extensible provisioning engine that can be used for an array of resource targets. We also need to provision G Suite and Google Cloud Platform (GCP) for campus groups.
Impact Statement:
For the Identity Team, faster easier integration of new provisioning resource targets. For campus affiliates, automated access to provisioned resources without manual requests and approval delays.
Scale and Scope: The provisioning capability will be limited to central IT evaluation and use during the CSP phase of the project. The scale is expected to be limited to central IT and users and groups closely engaged with central IT.
The Solution
We will be implementing midPoint as a provisioning engine during this project as it has wide adoption in the Collaboration Success Program (CSP) cohort, and is easily extensible via open source connectors. Support for midPoint is available from CSP SMEs, the vendor, consulting agencies, and peers.
The Result
Initial Plan:
Proj Plan / Roadmap: November 30th 2019
Internal Communications Plan: January 15th 2020
Sandbox: December 15th 2019
MVP: March 15 2020
Actual Implementation:
went reasonably well, project plan and roadmap was successful reasonable, structured communication plan didn't exist
sandbox was two weeks late on getting built due to support from other groups, but it was up by 2020
needed to learn what all was needed for security assessment, was expected, but took longer than expected
Conclusions & Lessons Learned
Success Metrics:
- A production instance of the provisioning engine, managed by the identity management group, and running in our standard operations matrix for enterprise applications.
- Publishing of groups in our production G Suite tenant based on authorized groups in Grouper, and via the new provisioning engine.
- Association of GCP permissions with the G Suite groups above.
- Gain understanding of COmanage capabilities and overlap with other Trusted Access Platform components.
- Recommendation document for the CIO on the use of COmanage for some of our guest management and invitation flows.
did pretty well on most of these until the last one, didn't happen, big ones are done, everything in production
think a lot about internal collaborations, struggled with how to keep this a team effort within UNC, easy and counterproductive for people to work on their own,
collaborative work sessions with goals on what to do went well & were longer than expected, large screen, one person typing, collaborative troubleshooting, didn't translate well to remote work, much easier to multi-task on a Zoom call than in a room with other people
scope was about right, didn't sound that ambitious but local hurdles were expected, appropriate scope for 3-4 months, important to size to the length of the CSP, be gentle with yourself that you won't get 100% of your time to CSP, you won't everything get what you want done
may have felt a little short, you need to find a chunk of work to have something that feels like an accomplishment, but a small enough project to complete before you get pulled off
Ethan's experience, at UNC for 10 years and had an idea of the politics, SME helped with scope and what we could get done in a reasonable amount of time