> Damion> I have a large project that I hope someone could provide a
> Damion> little guidance on.  My organization is, for simplicity sake,
> Damion> very unstructured. But I need to be able to authenticate
> Damion> people to various resources.  Although SSO using things like
> Damion> shibboleth make some sense, I'm not sure it will cover
> Damion> everything that I need it to do.
> 
> Well, I think you're up the creek here.  If each campus is so
> unstructured, and upper management doesn't want to help force the
> issue, then you're toast.   The best you're going to be able to do is
> define a policy for your central site, and then use the carrot/stick
> approach to get other sites to follow along.
>

Very much toast in this regard. With all of the various scenarios I want to 
make sure I at the very least understand it thoroughly. So that whatever design 
we go with, it can handle as best as possible the chaos the politics are going 
to throw at it.

 
> Damion> - There is a $central campus, that hosts several services
> Damion> such as Email, Web Based tools, and Administrative Systems.
> 
> Where's the money?  Do all campuses use the Admin systems?

Many of the campuses are acquisitions/mergers, where they are allowed to 
operate as they wish except where government mandated. And the applicable 
government mandates seem to be more guidelines than rules. So from what I 
gather, the money is where it came in.  

Not all campuses use the Admin system for all of their populations.  If you 
receive academic credit from $central, then you are in the central Admin 
system. However an employee at the same non-central campus could be in a 
completely different payroll system.  


> 
> Damion>  - Some campuses only use our Administrative System, and
> Damion>  VPN. All other pieces are handled by them internally.
> 
> Do your students need to use the VPN or is it just staff?
> 

Currently only Faculty/Staff use the VPN.  Students I'm sure will be added in 
the future.


> Damion>  - Some campuses only use our Administrative System, and
> Damion>  VPN. All other pieces are handled by their own third party
> Damion>  vendor when needed.
> 
> These two look like they can be lumped together.

It was more a note to self about the political makeup of those types of campuses.

> 
> Damion>  - Two (soon 3) campuses use our Email, Administrative
> Damion>  System, VPN and they want to be included into more of our
> Damion>  systems. However they have restrictions because they are
> Damion>  partly maintained by their respective state government
> Damion>  department. For example their network is maintained by govt.
> 
> And does this state govt enforce their own naming scheme?

I'm not sure of that. But I learned some other things about this since I sent 
the note.  These types of schools are early High School. So until the student 
starts taking classes that earn college credits (Jr and Sr year), their data 
is 'owned' by the HS's local Department of Education. But they may want to 
start using some of our central systems before that. And that's as far as I can 
go with that.  

 
> Damion> The only unifying thing between all of the campuses is that
> Damion> the name on the front door is $COMPANY at $CAMPUS.  At present
> Damion> there is no plan to fully integrate systems, business
> Damion> processes etc.  Each campus is allowed to define how they want
> Damion> to do things. So there is a possibility that a campus may come
> Damion> to the $central campus and ask for everything to now be
> Damion> maintained by central, at any time.
> 
> To put it bluntly, you're hosed.  Get management buy-in, look for
> where the money/HR/liability goes, and work with them to fix this
> issue.
> 

"management buy-in"?  What's that?  Is that like a big-foot type creature?  


> Damion> My goal is to define some kind of Identity management that
> Damion> will allow us to maintain this mess, with as few quirks as
> Damion> possible. I want to be able to issue a person an ID no matter
> Damion> where they 'live' and have it usable despite their campus
> Damion> policy. Their credentials shouldn't change based on who
> Damion> maintains the auth server that month.  I realize that I may
> Damion> not be able to handle absolutely everything, but I at least
> Damion> want to have an idea how to integrate existing campuses as I'm
> Damion> sure it's a matter of when not if.
> 
> If you just have a central registry, which is managed by HR/Registrar,
> then you should be all set.  The other campuses don't have to use it,
> but since all the central Admin/VPN/whatever stuff will, they will
> have the incentive to follow along.
> 

This definitely helped clear my head on the topic.  I wasn't just worrying 
about how to design my system, but how to make it attractive enough to get the 
other campuses to come along.  Because unfortunately, if I wait for buy-in at 
any level nothing will ever happen.   

 
> It honestly sounds like a great project, but the politics are the
> killer.

As frustrating as this project is, I do enjoy it.  Politically it's going to be 
a case of asking for forgiveness later as so far that's the only time I can get 
those with authority to take notice.  

> You'll need to probably have a mapping of:
> 
>        userid
>        First/Middle/Last
>        campus
>        ssn (scary!)
>        status (one of faculty,student,staff,other)
>        created date
>        disabled date
> 
> Where the tuple of (userid,campus,status) is the unique key.  I assume
> a faculty at one campus can be a student elsewhere.
> 

Way ahead of you on the fields we need to keep track of.  However SSN will 
never be used outside of the Admin system.  It's pretty much illegal to use it 
as any kind of identifier in academia.  


> John
>

Thanks!

Damion 
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/
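
The registry mapping discussed in this message, as an added example that is not part of the original thread: a SQLite table keyed on (userid, campus, status), with SSN left out of the registry as Damion describes. The table, column and function names, the campus names and the dates are all constructed for illustration.

```python
import sqlite3

# Constructed schema: one row per (person, campus, role). No SSN column;
# per the thread, SSN stays inside the Admin system only.
SCHEMA = """
CREATE TABLE affiliation (
    userid   TEXT NOT NULL,
    first    TEXT NOT NULL,
    middle   TEXT,
    last     TEXT NOT NULL,
    campus   TEXT NOT NULL,
    status   TEXT NOT NULL
             CHECK (status IN ('faculty', 'student', 'staff', 'other')),
    created  TEXT NOT NULL,          -- ISO date
    disabled TEXT,                   -- ISO date, NULL while active
    PRIMARY KEY (userid, campus, status)
);
"""

def open_registry():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_affiliation(db, userid, first, middle, last, campus, status, created):
    """Insert a row; False if it breaks a constraint (duplicate key, bad status)."""
    try:
        with db:
            db.execute("INSERT INTO affiliation VALUES (?,?,?,?,?,?,?,NULL)",
                       (userid, first, middle, last, campus, status, created))
        return True
    except sqlite3.IntegrityError:
        return False

def disable(db, userid, campus, status, when):
    """Set the disabled date on one active affiliation; returns rows changed."""
    with db:
        cur = db.execute(
            "UPDATE affiliation SET disabled=? WHERE userid=? AND campus=? "
            "AND status=? AND disabled IS NULL", (when, userid, campus, status))
    return cur.rowcount

def active_roles(db, userid, on_date):
    """(campus, status) pairs that are created and not yet disabled on on_date."""
    return db.execute(
        "SELECT campus, status FROM affiliation WHERE userid=? AND created<=? "
        "AND (disabled IS NULL OR disabled>?) ORDER BY campus, status",
        (userid, on_date, on_date)).fetchall()
```

The userid stays the same across campuses and roles; only the affiliation rows change, so a campus moving to or from central maintenance does not require reissuing credentials.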