UC Identity Management Conference Call - 5/5/2004 - Notes
Participants
- Marina Arseniev, UCI
- Bob Brandriff, UCOP
- Jacqueline Craig, UCOP
- Elazar Harel, UCSD
- Bruce James, UCOP
- Gabe Lawrence, UCSD
- Datta Mahabalagiri, UCLA
- Brian Roode, UCI
- David Walker, UCOP
- Jerry Wilcox, UCOP
- Larry Woods, UCOP
- Albert Wu, UCLA
- Ying Ma, UCLA
UCnetID Issues
The issues of UCnetID assignment that were raised last week by Ying Ma via electronic mail were discussed.
- There are two kinds of mismatches:
  - Bad: one person gets two UCnetIDs. This does not give anyone access to someone else's employee or annuitant records, but could result in someone not being able to access their own records.
  - Very Bad: two people get the same UCnetID. This would allow both people to access the same set of employee / annuitant records.
- UCLA observed 17 employees with "bad" matches; Larry Woods is fixing them. There were no employees with "very bad" matches. There were a large number of students with "bad" and "very bad" matches, but they are not a concern for this pilot.
- UCI is investigating a number of mismatches; UCSD has not yet looked at this.
- Marina said that UCI has built auditing capabilities into the integration of UCnetIDs into their enterprise directory. Larry said that there is also such capability in the uDir system that assigns UCnetIDs; Marina asked if that information could be made available electronically to the campuses.
- It is likely that this project will recommend a follow-on to improve the process of assigning UCnetIDs. A possible solution is contained in the final appendix of "Identity and Authentication: Next Steps."
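The two mismatch classes above are exactly what a campus-side audit of the UCnetID mapping needs to surface. The following is an added example, not code from the page or from any campus's directory or uDir system; the record keys, UCnetID values and affiliation labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of (person_key, ucnetid, affiliation) rows, shaped the way
# an audit might pull them from a campus directory. All values are made up.
SAMPLE_ASSIGNMENTS = [
    ("emp-001", "ucnet-1001", "employee"),
    ("emp-001", "ucnet-1002", "employee"),   # "bad": one person, two UCnetIDs
    ("emp-002", "ucnet-1003", "employee"),
    ("emp-003", "ucnet-1003", "employee"),   # "very bad": two people, one UCnetID
    ("emp-004", "ucnet-1004", "employee"),
    ("stu-100", "ucnet-2001", "student"),
    ("stu-101", "ucnet-2001", "student"),    # student collision, out of pilot scope
]

def audit_ucnetid_assignments(rows, affiliations=("employee", "annuitant")):
    """Classify UCnetID mismatches among records with the given affiliations.

    Returns a dict with:
      "bad":      {person_key: sorted UCnetIDs} for people holding more than one ID
      "very_bad": {ucnetid: sorted person_keys} for IDs shared by more than one person
    """
    ids_by_person = defaultdict(set)
    people_by_id = defaultdict(set)
    for person_key, ucnetid, affiliation in rows:
        if affiliation not in affiliations:   # e.g. skip students for this pilot
            continue
        ids_by_person[person_key].add(ucnetid)
        people_by_id[ucnetid].add(person_key)
    bad = {p: sorted(ids) for p, ids in ids_by_person.items() if len(ids) > 1}
    very_bad = {i: sorted(ps) for i, ps in people_by_id.items() if len(ps) > 1}
    return {"bad": bad, "very_bad": very_bad}

if __name__ == "__main__":
    result = audit_ucnetid_assignments(SAMPLE_ASSIGNMENTS)
    # Shared IDs expose other people's records, so report them first.
    for ucnetid, people in result["very_bad"].items():
        print(f"VERY BAD: {ucnetid} shared by {', '.join(people)}")
    for person, ids in result["bad"].items():
        print(f"BAD: {person} holds {', '.join(ids)}")
```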
Policy Issues
A draft presentation for the COVCA, to be given on May 27, was discussed. The main issue was the statement that each campus should have a single membership in the federation. We will modify that statement to say that each campus must build an appropriate organizational structure to manage identity issues. A modified version will be distributed to the group.
It was agreed that everyone would complete the Federated Identity Management Criteria questionnaire for their campus by the end of May.
Formal Definition of Our Attributes
- No one volunteered to take the lead. I will brow-beat someone.
- Attribute definitions should include the recommended source for the information, where appropriate. For example, "The UCnetID should be taken from column x of table y of PPS."
- It was decided that we should share common Shibboleth definitions of our attributes, but not require common LDAP definitions, as not all campuses will use LDAP. UCnetID, however, already has a registered LDAP OID, so it should probably be used when a campus does use LDAP to store UCnetIDs.
- Ying asked how we should handle the case where people have multiple UCnetIDs. This is an error condition, but we still need to know how to handle it. Since Larry Woods had already left the call, we decided to defer resolution until he can be consulted.
Our Next Meeting
- The next conference call will be at 9:00a on May 19, 2004 (510-587-6079, ID:52014#, PW:0500#). I will be on vacation; Elazar will lead the meeting.
David Walker - 5/5/2004 (Revised 5/7/2004)