Topics in Directories: Metadirectories Practices in Higher Education Brendan Bellina, University of Notre Dame I2 Base CAMP June 2002, Boulder, CO




Topics in Directories: Metadirectories

Practices in Higher Education

Brendan Bellina, University of Notre Dame

I2 Base CAMP June 2002, Boulder, CO

I2 Base CAMP - June 25, 2002 Middleware: Directories 2

Presentation Overview - Visual

- Introduction

- Body

- Summation

- Questions


Presentation Outline

Metadirectory Definition & Role

Metadirectory Processes

• The “Join”

• “Intelligence” & The Registry

• Consumer Provisioning

Questions


What is meant by “Metadirectory”?

A technology or class of functionality required to build an enterprise directory infrastructure.

Any directory capable of consolidating information found in both standards-based and proprietary directories, and then exposing it through standard interfaces… A system capable of heterogeneous, multi-master, attribute-level replication.

- “Enterprise Directory Infrastructure: Meta-directory Concepts and Functions”, Jamie Lewis, The Burton Group, July, 1998


Role of the Metadirectory

Provides the infrastructure capable of maintaining consistency and data integrity between the chosen enterprise directory and the other local and system- or application-specific directories that will always be present in the organization.

-“Enterprise Directory Infrastructure: Meta-directory Concepts and Functions”, Jamie Lewis, The Burton Group, July, 1998


Role of the Metadirectory

The glue that binds directories together

The directory umbrella which covers all directories

The duct tape of your directory infrastructure


I2 Mace-Dir Metadirectory Model


Metadirectory Processes - Overview

The “Join”

- Using identity matching to produce a registry of constituents with links (aliases or alternate keys) back to source systems.

“Intelligence”

- Managing how data is inserted, modified, and deleted from the registry based upon the business rules of the institution.

Consumer Provisioning

- Notifying/populating the directory consumers appropriately.


Example – Whatsamatter U


Metadirectory Processes – The “Join”

The process by which disparate identifiers for multiple source systems are extracted and examined, producing a single master record of identifiers for each individual entity which can be used as a link back to the source system records.


Directory Sources – You want sources? We got sources!

- Faculty

- Students

- Donors

- Alumni

- Email accounts

- Windows 2000

- Windows NT

- etc/passwd

- Novell

- etc/aliases

- Oracle

- Trustees

- Vendors

- Athletic Fans

- Portal users

- Applicants

- Staff

- Affiliates

- Retirees

- And more!!!


Source Issues

- Quantity of diverse sources

- Platform differences

- Differences in quality of data entered

- People with multiple simultaneous roles

- Data ownership issues – politics

- Varying availability of data sources

- Sometimes too much data – 34 address types?!?


Identity Matching

Haven’t I seen you somewhere before?

Students who are also part-time staff

Staff or faculty who take classes

People who arrive, and leave, and return, and…


Identity Matching

Generally forced to use infrequently changing attributes to attempt to determine when two records describe the same person:

- U.S. Social Security Number or other government-assigned, unique, single-lifetime, pseudo-meaningless, short, easy-to-memorize alphanumeric identifier

- Formal name (at birth or initial contact)

- Date of birth

- Gender (at birth or initial contact)

- Permanent home address

… Quality of the data really matters!


Building the Registry - Choice of ETL Tools

Choose an ETL (extract-transform-load) tool:

- Perl scripts – most common approach at this time, fairly easy to write, can be difficult to maintain

- Metamerge – free license for higher ed, many connectors, scripting capability

- Java applications

- Other


Building the Registry - Choice of Storage

Choose a storage platform:

- Relational database - recommended

- LDAP directory – not recommended due to limitations in data typing and the lack of standard referential integrity controls.

- Indexed files

- Other


Building the Registry - Choice of Model

Choose a model: “fat” or “thin”

“thin”: registry will contain only the information required to provide linkages back to systems of record. Requires systems of record to be both highly available and readily accessible.

“fat”: registry will contain and serve, in addition to linkage information, information about an entry to consuming applications, reducing the dependency on the systems of record. Fat registries are more common than thin registries.


Metadirectory Processes – “Intelligence”

“Intelligence”

The application of an institution’s business rules and policies within the metadirectory. This involves the creation of a unique identifier (guid), rules regarding the creation and removal of registry entries and the population of attributes, and providing for operational reporting and auditing requirements.


Unique Identifiers

“There can be only one!!!” One entry per person, that is.

Establish a globally unique identifier (guid) for each person in the registry.

- Unchanging and persistent

- Non-recyclable

- Unique

- Meaningless

- Hidden
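The following is an added example, not code from the presentation or from Notre Dame, showing the "join" described above together with a registry keyed by GUIDs that have the properties just listed. It normalizes the infrequently changing attributes (name, date of birth, government id) from two constructed source feeds, links each source key back to one registry entry, issues a random uuid4 as the meaningless, non-recyclable GUID, and keeps retired GUIDs reserved. Python is used rather than the Perl the slides mention; the source names (`hr`, `sis`), record layouts and people are all invented for the example. A name-plus-DOB match is accepted only when no government id contradicts it, which is the usual guard against merging two different people.

```python
import re
import uuid
from dataclasses import dataclass, field

# Constructed sample feeds from two source systems (hypothetical people and keys).
HR_RECORDS = [
    {"emplid": "E1001", "name": "Jane Q. Smith", "dob": "1975-03-04", "govid": "123-45-6789"},
    {"emplid": "E1002", "name": "Robert Jones", "dob": "1980-11-30", "govid": "987-65-4321"},
]
SIS_RECORDS = [
    {"sid": "S5550", "name": "SMITH, JANE QUINN", "dob": "03/04/1975", "govid": "123456789"},
    {"sid": "S5551", "name": "Alice Brown", "dob": "2001-07-19", "govid": ""},
]


def norm_date(s):
    """Return YYYY-MM-DD from ISO or US MM/DD/YYYY input."""
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", s):
        return s
    m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", s)
    if m:
        return f"{m.group(3)}-{m.group(1)}-{m.group(2)}"
    raise ValueError(f"unrecognized date: {s!r}")


def norm_name(s):
    """Return (SURNAME, GIVEN) from 'First M. Last' or 'Last, First M.' forms."""
    s = " ".join(s.split()).upper()
    if "," in s:
        last, first = (p.strip() for p in s.split(",", 1))
    else:
        parts = s.split()
        last, first = parts[-1], " ".join(parts[:-1])
    given = first.split()[0].rstrip(".") if first else ""
    return last, given


@dataclass
class RegistryEntry:
    guid: str
    surname: str
    given: str
    dob: str
    govids: set = field(default_factory=set)
    aliases: dict = field(default_factory=dict)  # source system -> local key


class Registry:
    def __init__(self):
        self.entries = {}      # guid -> RegistryEntry
        self._by_govid = {}    # (govid digits, dob) -> guid
        self._by_name = {}     # (surname, given, dob) -> guid
        self.retired = set()   # guids of removed entries, never reissued

    def join(self, source, local_key, name, dob, govid=""):
        """Link one source record to a registry entry, creating the entry if needed."""
        surname, given = norm_name(name)
        dob = norm_date(dob)
        digits = re.sub(r"\D", "", govid)
        guid = self._by_govid.get((digits, dob)) if digits else None
        if guid is None:
            cand = self._by_name.get((surname, given, dob))
            # name+DOB alone is accepted only when no government id can contradict it
            if cand is not None and (not digits or not self.entries[cand].govids):
                guid = cand
        if guid is None:
            guid = str(uuid.uuid4())  # meaningless and unique; never derived from source data
            self.entries[guid] = RegistryEntry(guid, surname, given, dob)
        entry = self.entries[guid]
        if digits:
            entry.govids.add(digits)
            self._by_govid[(digits, dob)] = guid
        self._by_name[(surname, given, dob)] = guid
        entry.aliases[source] = local_key
        return guid

    def remove(self, guid):
        """Retire an entry; its guid stays reserved so it is never recycled."""
        entry = self.entries.pop(guid)
        self.retired.add(guid)
        self._by_govid = {k: v for k, v in self._by_govid.items() if v != guid}
        self._by_name = {k: v for k, v in self._by_name.items() if v != guid}
        return entry


def build_registry():
    """Run the join over both constructed feeds."""
    reg = Registry()
    for r in HR_RECORDS:
        reg.join("hr", r["emplid"], r["name"], r["dob"], r["govid"])
    for r in SIS_RECORDS:
        reg.join("sis", r["sid"], r["name"], r["dob"], r["govid"])
    return reg


def find_by_alias(reg, source, local_key):
    """Follow a source-system key back to its registry entry (None if unlinked)."""
    return next((e for e in reg.entries.values() if e.aliases.get(source) == local_key), None)
```

Running `build_registry()` yields three entries: Jane Smith is matched across HR and SIS on government id plus date of birth despite the differing name formats, while Robert Jones and Alice Brown each get their own GUID. The registry stores the GUID only; it is never exposed to the sources, which continue to use their own keys via the alias map.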


Addressing Institutional Policies

- Reformatting data to meet standards (telephone)

- Breaking up data into discrete parts (addresses, names)

- Consolidating/summarizing data (statuses)

- Population of default attributes

- Population of groups

- Default authorizations

- Resolving partial or missing data from sources
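As an added example (not code from the presentation or from Notre Dame), the Python below applies the kinds of institutional rules listed above to one joined record: telephone numbers are reformatted to E.164, a postal address is broken into discrete parts, per-source status codes are consolidated into a primary affiliation by precedence, a default group is populated, and partial or unrecognized data is reported rather than silently dropped. The status codes, precedence order, attribute names and sample values are all constructed for the example; an institution substitutes its own tables.

```python
import re

# Constructed mapping of per-source status codes to affiliations, and the precedence
# used to pick a primary affiliation (hypothetical codes; an institution sets its own).
SOURCE_STATUS_MAP = {
    ("hr", "F"): "faculty", ("hr", "A"): "staff", ("hr", "R"): "retiree",
    ("sis", "ENR"): "student", ("sis", "GRAD"): "alum",
    ("advance", "DONOR"): "affiliate",
}
AFFILIATION_PRECEDENCE = ["faculty", "staff", "student", "alum", "affiliate", "retiree"]


def format_phone(raw, default_country="1"):
    """Normalize a telephone number to E.164 (+<country code><number>)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if len(digits) == 10:                      # national number, no country code
        return "+" + default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    raise ValueError(f"unrecognized telephone format: {raw!r}")


def split_address(raw):
    """Break 'street, city, ST ZIP' into discrete parts; unparseable parts come back as None."""
    parts = [p.strip() for p in raw.split(",")]
    street = parts[0] or None
    city = parts[1] if len(parts) > 1 and parts[1] else None
    state = postal = None
    if len(parts) > 2:
        m = re.fullmatch(r"([A-Z]{2})\s+(\d{5}(?:-\d{4})?)", parts[2])
        if m:
            state, postal = m.group(1), m.group(2)
    return {"street": street, "l": city, "st": state, "postalCode": postal}


def consolidate_affiliations(source_statuses):
    """Summarize per-source status codes into (primary, all affiliations, unknown codes).
    Unknown codes are returned rather than silently dropped so they can be reported."""
    affs, unknown = set(), []
    for src, code in source_statuses:
        aff = SOURCE_STATUS_MAP.get((src, code))
        if aff is None:
            unknown.append((src, code))
        else:
            affs.add(aff)
    ordered = [a for a in AFFILIATION_PRECEDENCE if a in affs]
    return (ordered[0] if ordered else None), ordered, unknown


def apply_policy(record):
    """Apply the rules above to one joined record. Returns (registry attributes, issues);
    the issues list feeds the problem-resolution and audit reports."""
    out, issues = {}, []
    try:
        out["telephoneNumber"] = format_phone(record["phone"]) if record.get("phone") else None
    except ValueError as exc:
        out["telephoneNumber"] = None
        issues.append(str(exc))
    out.update(split_address(record.get("address", "")))
    primary, affs, unknown = consolidate_affiliations(record.get("statuses", []))
    out["primaryAffiliation"], out["affiliations"] = primary, affs
    issues.extend(f"unknown status {src}:{code}" for src, code in unknown)
    # default group membership: anyone with a recognized affiliation joins "community"
    out["groups"] = ["community"] if primary else []
    if primary is None:
        issues.append("no recognized affiliation")
    return out, issues
```

The design point is that every rule either produces a clean value or an explicit issue; a record with a malformed phone number or an unmapped status code still flows through, but the gap is visible to the helpdesk instead of becoming a silent default.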


Operational Design Requirements

- Data flow requirements – batch or real-time?

- Recovery planning – thresholds, roll-back, grace periods, logging

- Problem resolution tools for the helpdesk and administrators

- Audit reporting


Metadirectory Processes – Consumer Provisioning

Consumers are the applications which make use of information presented in the enterprise directory infrastructure. The metadirectory provisioning process ensures that data is made available to the consumer interfaces. Modern consumers can usually interface via the LDAP protocol, but multiple LDAP directories are often required to meet consumer needs.


Multiple Consumers

Application specific or “embedded” directories will be needed for several reasons:

- Performance needs, particularly for updates

- Application-specific data

- Special access

- Security requirements

- Because vendors seem to want it that way


Integrating Multiple Directories

Methods:

- LDIF

- Metamerge

- Log processing

Probably unavoidable
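The LDIF method above, combined with the recovery thresholds and audit logging called for under "Operational Design Requirements", as an added Python example that is not code from the presentation or from Notre Dame. It diffs a constructed registry view against a constructed snapshot of a consumer LDAP directory, emits LDIF add/modify/delete records, and refuses the whole run when the number of deletes exceeds a threshold, since a truncated or empty source feed shows up as a flood of deletes. The base DN, uid-keyed DNs, `inetOrgPerson` object class, people and threshold values are all assumptions for the example.

```python
import base64

# Constructed sample: what the registry says the consumer should hold, keyed by uid.
REGISTRY_VIEW = {
    "jsmith": {"cn": "Jane Smith", "sn": "Smith", "mail": "jsmith@example.edu"},
    "rjones": {"cn": "Robert Jones", "sn": "Jones", "mail": "rjones@example.edu"},
    "abrown": {"cn": "Alice Brown", "sn": "Brown", "mail": "abrown@example.edu"},
}
# Constructed snapshot of what the consumer LDAP directory currently holds.
CONSUMER_SNAPSHOT = {
    "jsmith": {"cn": "Jane Q Smith", "sn": "Smith", "mail": "jsmith@example.edu"},
    "rjones": {"cn": "Robert Jones", "sn": "Jones", "mail": "rjones@example.edu"},
    "fperson": {"cn": "Former Person", "sn": "Person", "mail": "fperson@example.edu"},
}
BASE_DN = "ou=people,dc=example,dc=edu"  # hypothetical base DN


class ProvisioningHalted(Exception):
    """Raised when a run would delete more than policy allows; nothing is applied."""


def plan_changes(desired, current, max_deletes=10, max_delete_fraction=0.05):
    """Diff desired against current and return (adds, modifies, deletes).
    The plan is refused when deletes exceed an absolute count or a fraction of the
    consumer's entries, so a truncated source feed cannot wipe the consumer."""
    adds = {uid: attrs for uid, attrs in desired.items() if uid not in current}
    deletes = sorted(uid for uid in current if uid not in desired)
    modifies = {}
    for uid, attrs in desired.items():
        if uid in current:
            changed = {k: v for k, v in attrs.items() if current[uid].get(k) != v}
            if changed:
                modifies[uid] = changed
    too_many = len(deletes) > max_deletes or (
        current and len(deletes) / len(current) > max_delete_fraction)
    if too_many:
        raise ProvisioningHalted(f"{len(deletes)} deletes of {len(current)} entries exceeds threshold")
    return adds, modifies, deletes


def ldif_attr(name, value):
    """Render one attribute line; base64-encode values LDIF cannot carry literally."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<")) and "\n" not in value)
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def render_ldif(adds, modifies, deletes):
    """Emit LDIF change records for the consumer directory (object class is assumed)."""
    lines = []
    for uid, attrs in adds.items():
        lines += [f"dn: uid={uid},{BASE_DN}", "changetype: add", "objectClass: inetOrgPerson",
                  ldif_attr("uid", uid)]
        lines += [ldif_attr(k, v) for k, v in attrs.items()]
        lines.append("")
    for uid, attrs in modifies.items():
        lines += [f"dn: uid={uid},{BASE_DN}", "changetype: modify"]
        for k, v in attrs.items():
            lines += [f"replace: {k}", ldif_attr(k, v), "-"]
        lines.append("")
    for uid in deletes:
        lines += [f"dn: uid={uid},{BASE_DN}", "changetype: delete", ""]
    return "\n".join(lines)


def provision(desired=REGISTRY_VIEW, current=CONSUMER_SNAPSHOT, **thresholds):
    """Plan the run, build a one-line audit summary, and return it with the LDIF text."""
    adds, modifies, deletes = plan_changes(desired, current, **thresholds)
    summary = f"adds={len(adds)} modifies={len(modifies)} deletes={len(deletes)}"
    return summary, render_ldif(adds, modifies, deletes)


if __name__ == "__main__":
    summary, ldif = provision(max_delete_fraction=0.5)
    print(summary)
    print(ldif)
```

With the sample data the run adds `abrown`, replaces `cn` on `jsmith` and deletes `fperson`; with the default 5% delete threshold the same run halts, which is the intended behaviour for a three-entry consumer and the point at which an operator, not the batch job, decides whether the deletes are real.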


Resource Provisioning

Automated handling of the tasks associated with the establishment, modification, and deletion of resources and entitlements provided to people as they join or leave an organization or undergo changes in affiliation or status.

Wouldn’t it be nice!


Resource Provisioning

What to do?

- Identify existing automated processes

- Identify existing manual processes

- Directory-enable processes where possible

How to do it?

- Perl

- Metamerge


Why Are There More Questions Than Answers?

- Confusion over terminology, created in part by metadirectory vendors

- Merging of directory and metadirectory vendors (where have all the vendors gone?)

- Tools and standards are still maturing

- Getting early success is fairly easy; going beyond white pages can prove difficult. For institutions that are riddled with exceptions, centralized authorization and provisioning can be very complex.

- Enterprise work can be an uphill battle in the educational environment – the CIO can help


Links

Internet 2 - MACE-Dir Metadirectories page

<http://middleware.internet2.edu/dir/metadirectories/>

RPR 1.0 Metadirectories Practices document

<http://middleware.internet2.edu/dir/metadirectories/rpr-nmi-edit-mace_dir-metadirectories_practices-1.0.html>

Author: [email protected]