
Executive Summary

<Jessica to write after meeting>

Solution Summary

Track: Lifecycle Management

Trusted Access Platform Components: MidPoint, COmanage

Project Team: Ethan Kromhout, Jan Tax, Shumin Li, Chad Redman, Celeste Copeland

Community Collaborators: Paul Caskey, Keith Hazelton; enhanced access to Evolveum was critical

The Environment: a large R1 university with a large health sciences program and hospital; the security posture tends to be robust, with some security-environment requirements that other schools might not need to deal with

Benefits to Organization: 

  • The IdM team will gain an extensible provisioning system that can be expanded to additional resources and projects, benefiting their future capabilities and thus those of the CISO. The cloud infrastructure team will gain the capability to build users and groups in G Suite and GCP for future expansion of those offerings.
  • Evaluating different approaches to modernizing guest management is of current interest to the IdM team. COmanage is a possible approach that aligns with InCommon partner institutions.
  • Customers have repeatedly sought a centralized provisioning and deprovisioning solution that they can use to add and remove local accounts. This would be the start of a service that could be expanded to many other groups around campus to solve these issues.

The Project

Problem Statement:

UNC needs an extensible provisioning engine that can be used for an array of resource targets. We also need to provision G Suite and Google Cloud Platform (GCP) for campus groups.

Impact Statement:

For the Identity Team, faster and easier integration of new provisioning resource targets. For campus affiliates, automated access to provisioned resources without manual requests and approval delays.

Scale and Scope: The provisioning capability will be limited to central IT evaluation and use during the CSP phase of the project. The scale is expected to be limited to central IT and users and groups closely engaged with central IT.

The Solution

We will be implementing midPoint as a provisioning engine during this project, as it has wide adoption in the Collaboration Success Program (CSP) cohort and is easily extensible via open source connectors. Support for midPoint is available from CSP SMEs, the vendor, consulting agencies, and peers.

The Result

Initial Plan:

Proj Plan / Roadmap: November 30th 2019

Internal Communications Plan: January 15th 2020

Sandbox: December 15th 2019

MVP: March 15 2020

Actual Implementation:

Went reasonably well: the project plan and roadmap were reasonable and successful; a structured communication plan didn't exist.

The sandbox was two weeks late getting built because it depended on support from other groups, but it was up by 2020.

We needed to learn everything that was required for the security assessment; this was expected, but it took longer than expected.

Conclusions & Lessons Learned

Success Metrics:

  • A production instance of the provisioning engine, managed by the identity management group, and running in our standard operations matrix for enterprise applications.
  • Publishing of groups in our production G Suite tenant based on authorized groups in Grouper, and via the new provisioning engine.
  • Association of GCP permissions with the G Suite groups above.
  • Gain understanding of COmanage capabilities and overlap with other Trusted Access Platform components.
  • Recommendation document for the CIO on the use of COmanage for some of our guest management and invitation flows.

Did pretty well on most of these until the last one, which didn't happen; the big ones are done and everything is in production.

Think a lot about internal collaborations. We struggled with how to keep this a team effort within UNC; it is easy and counterproductive for people to work on their own.

Collaborative work sessions with goals on what to do went well and were longer than expected: large screen, one person typing, collaborative troubleshooting. This didn't translate well to remote work; it is much easier to multi-task on a Zoom call than in a room with other people.

Scope was about right. It didn't sound that ambitious, but local hurdles were expected, and it was an appropriate scope for 3-4 months. It is important to size the project to the length of the CSP; be gentle with yourself, since you won't get 100% of your time for CSP and you won't get everything you want done.

It may have felt a little short, but you need to find a chunk of work that feels like an accomplishment while keeping the project small enough to complete before you get pulled off.

Ethan's experience: at UNC for 10 years and had an idea of the politics; the SME helped with scope and with what we could get done in a reasonable amount of time.
