ITS Documentation

MCommunity Overview

R1457 • July 2011

MCommunity is a new online directory and identity management system for U-M that is being rolled out in phases. The basic infrastructure was put in place in June 2008. The MCommunity Sponsor System was released to departments in March 2009. The MCommunity Directory was released in July 2011. This document describes some of the components of MCommunity and explains how they are and will be used.


What Is MCommunity?

MCommunity is a central system that stores information about people that can be used to grant them access to various online resources at both the university and departmental levels. It is a flexible, centralized, identity management system that U-M campuses and units will be able to use in a decentralized way for provisioning information technology resources and services.

It is also what is called an "enterprise directory," which means it includes people across the entire university enterprise and not just a single department or campus. The MCommunity Directory replaced the U-M Online Directory in July 2011. New MCommunity systems will replace current ITS systems for creating and managing uniqnames and for providing computing services.

The main reason for creating MCommunity is to make it possible to provide quick access to the online and physical resources people need when they need them—and to remove that access when they are no longer eligible for it. MCommunity

  • Includes a directory with better privacy features than the former directory.

  • Contains more accurate, up-to-date information about members of the U-M community.

  • Will provide tools that departmental system administrators can use to grant access to—and remove access from—their own departmental information technology resources for people based on departmental roles that they define.

  • Will streamline the processes for uniqname creation and UMICH Kerberos password resets.

  • Will streamline provisioning of standard computing services.

Why Is It Important?

More and more of what the university does depends on knowing who is and is not a member of the university community. Our previous systems were not able to provide complete, real-time information about who is affiliated with the university and in what capacity.

This information is needed for a wide variety of purposes, including

  • Providing immediate access to U-M computing resources to those who are eligible.

  • Removing access to sensitive systems and information from those who leave the university.

  • Identifying specific groups of people—such as those enrolled in a particular program—so they can be given access to resources such as for-fee online publications. Being able to count those people and prove that no one else has that access will help the university to negotiate the best price for such online resources.

  • Identifying people with a particular role at the university so they can be given access to resources specific to their role. Automating this means that when people take on or give up that role, their access is adjusted automatically.

What Are the Components of MCommunity?

MCommunity includes several major components. Many of the components listed here are described in greater detail later in this document.

  • Underlying Infrastructure. The basic, underlying structure of MCommunity is in place, including the Identity Vault and the data feeds connecting the authoritative data sources. MCommunity has a live feed from Wolverine Access, and nightly feeds from the Dearborn Banner system via the Dearborn Data Warehouse and from the Donor Alumni Constituent (DAC) database via the DAC Data Warehouse. It also has a weekly feed from the Flint Banner system via M-Pathways. This means that MCommunity is routinely creating entries for faculty, staff, and students on all three campuses, as well as for retirees, alumni, and sponsored persons.

  • Sponsor System. The MCommunity Sponsor System is used by the ITS Service Center and departmental sponsorship administrators to sponsor university guests and affiliates and obtain uniqnames for them.

  • Directory. The MCommunity Directory is now available.

  • LDAP Tree. LDAP access to MCommunity data is provided to U-M system administrators through an LDAP Tree. The U-M Online Directory will remain available behind the scenes for some time so that departments who need programmatic access to it via LDAP can continue to use it while they transition their systems to access MCommunity instead.

  • Departmental Roles. MCommunity will introduce tools that departments can use for departmental roles management.

  • Provisioning and De-Provisioning. MCommunity data will be used to set up access to computing services when people become eligible for them (provisioning) and to remove that access when they lose eligibility (de-provisioning). It will be used to provision and de-provision ITS's standard computing services, as well as some other campus services. Departmental system administrators will begin to be able to use MCommunity to provision and de-provision their own information technology services. It is currently used to provision UMROOT Active Directory accounts.

Uniqname Creation

Your uniqname is an important part of your identity at U-M. There are a number of procedures for getting a uniqname; the one you use depends on your relationship with the University. Underlying all those procedures is ITS's uniqname system, which creates and manages uniqnames.

MCommunity will take over that work as part of its identity management function.

Uniqnames for Sponsored Affiliates

Authorized U-M employees can use the MCommunity Sponsor System to obtain uniqnames for sponsored affiliates. The system allows for creation of a full online identity, not just a uniqname.

Uniqname Self Registration

Incoming students, staff members hired through the university's online application system, and alumni will continue to select their own uniqnames and UMICH Kerberos passwords via a uniqname self-registration process on the web. The software behind this process will change, but the process itself will be similar to the way it is today.

Current uniqname self-registration web pages:

Programmatic Uniqname Creation

Some U-M units have their own scripts, programs, or systems that interact with ITS's uniqname system to create uniqnames. These will need to be modified to work with MCommunity instead.

A web service was developed in conjunction with Medical Center Information Technology (MCIT) that allows MCIT programmatic access to the Sponsor System for creating sponsorships and obtaining uniqnames. This web service can be used as a model for other U-M units that would like to do the same sort of thing.

ITS and Departmental Interfaces to Uniqname

Systems that currently connect to or interact with ITS's uniqname system will need to transition to working with MCommunity instead. Most, but not all, of these systems are within ITS. ITS will work with the owners of other systems to ensure a smooth transition. After a reasonable transition period, ITS's current uniqname system will be retired.

Sponsor System

The Sponsor System allows authorized University employees to create identities in MCommunity for people who are affiliated with the university but who are not full members of the university community. These people are usually referred to as sponsored affiliates. There are two common reasons for needing such identities:

  1. Preliminary IDs for early access. It is common practice for units to create accounts for incoming faculty members before they officially complete the hiring process and come to the university—that is, before information about them is in the university's Human Resources system. Units do this to provide incoming faculty members with early and needed access to university resources.

  2. IDs for affiliated persons. Units also need to be able to create identities for individuals who are not, and may never be, students, faculty, staff, or alumni—people such as research collaborators, contractors, conference attendees, summer camp attendees, and so on.

For details about the Sponsor System, see MCommunity Sponsor System Overview (R1458).

Identity Vault

The Identity Vault is the heart of the MCommunity system. It stores identity information for people and for groups. Most people won't need to give the Identity Vault a second, or even first, thought. They will simply be aware that MCommunity contains identity information about U-M people and groups.

Information is provided here about the Identity Vault for information technology staff whose systems will interact with MCommunity, administrative staff who need to know what data is available where, and others who are interested.

The part of the Identity Vault that stores data is made up of two parts:

  • Registry. The Registry stores all data received from each of the data sources that feed MCommunity. It's where the raw data is collected and held. The registry may contain multiple records for a single person. If, for example, an individual is a student on the Dearborn campus and an employee on the Ann Arbor campus, information about that individual will be provided to MCommunity both through the employee data feed from M-Pathways (Wolverine Access) and the student data feed from Dearborn. All this information will be kept in the registry.

  • Directory. The directory contains consolidated data—a single record for each person. It contains current data only.

Also part of the Identity Vault is software that, following data precedence rules, determines which data goes in the directory when data from different sources conflict. The Identity Vault has software that keeps data synchronized across MCommunity and manages data changes coming in from various places.
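The following sketch is an added illustration, not ITS's software, of how several registry records for one person could be consolidated into a single directory record. The source names, the precedence order, the field names, and the sample records are all assumptions; this document does not state the actual data precedence rules.

```python
from dataclasses import dataclass

# Assumed precedence, highest first. The feeds are named in this document;
# their relative order is NOT, so this list is purely illustrative.
PRECEDENCE = ["wolverine_access", "dearborn_banner", "flint_banner",
              "dac", "sponsor_system"]

@dataclass
class RegistryRecord:
    person_id: str   # hypothetical stable identifier linking a person's records
    source: str      # which data feed supplied the record
    current: bool    # False once the source no longer lists the person
    attrs: dict      # raw attributes exactly as the source supplied them

def consolidate(registry):
    """Return {person_id: directory_entry}, one entry per person, current data only."""
    by_person = {}
    for rec in registry:
        if rec.current:  # stale records stay in the registry, not the directory
            by_person.setdefault(rec.person_id, []).append(rec)
    directory = {}
    for pid, recs in by_person.items():
        # An unknown source raises ValueError: fail closed rather than guess a rank.
        recs.sort(key=lambda r: PRECEDENCE.index(r.source))
        # Every current affiliation is kept; roles do not conflict, they add up.
        entry = {"affiliations": sorted({r.attrs["affiliation"] for r in recs})}
        for rec in recs:  # highest precedence first
            for key, value in rec.attrs.items():
                if key != "affiliation":
                    entry.setdefault(key, value)  # winning source keeps the field
        directory[pid] = entry
    return directory

# Constructed sample: p1 is the Dearborn-student / Ann Arbor-employee case
# described above; p2 has left and has no current record in any source.
SAMPLE_REGISTRY = [
    RegistryRecord("p1", "dearborn_banner", True,
                   {"affiliation": "student", "name": "Pat Q. Example",
                    "phone": "313-555-0100"}),
    RegistryRecord("p1", "wolverine_access", True,
                   {"affiliation": "staff", "name": "Pat Example"}),
    RegistryRecord("p2", "wolverine_access", False,
                   {"affiliation": "staff", "name": "Lee Sample"}),
]

if __name__ == "__main__":
    for pid, entry in consolidate(SAMPLE_REGISTRY).items():
        print(pid, entry)
```

A person with no current record in any source does not appear in the consolidated output, which is the condition a de-provisioning process would act on.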

A New Online Directory

The MCommunity Directory was released July 18, 2011. For an overview of the new directory, see An Overview of the MCommunity Directory Via the Web (R1462).

Departmental Roles Management

University units need to identify populations of faculty, staff, and students based on their university roles. A school might want to identify all the students in a particular program so it can give them access to licensed software or to for-fee online publications, for example. The current directory does not lend itself to this purpose, but MCommunity is being designed to do so.

Basic institutional role information will be included for individuals in MCommunity. Individual schools, colleges, and units may use the institutional roles to grant access to services, or they may wish to build upon them with additional criteria.

The MCommunity Governance Board has identified basic institutional roles for use in MCommunity. See the Roles Section of the Governance Board's Recommendations for details.

Departmental Service Provisioning

Departmental system administrators will be able to use MCommunity to provision their own information technology services. For example, they will be able to use it when providing departmental server accounts to new staff. They'll also be able to use it to provide access to licensed online materials and more.

Programmatic Directory Access Via an LDAP Tree

This is now available. See LDAP Access to the MCommunity Directory.

Data Sources for MCommunity

MCommunity's sources for data about people are these:

  • M-Pathways/Wolverine Access (PeopleSoft HEPROD Database). This database is the authoritative source for identity information about

    • Current U-M faculty
    • Current U-M staff
    • Current Ann Arbor campus students

    People who wish to make changes in their official U-M identity information that is stored in M-Pathways may do so using Wolverine Access. MCommunity receives data from this source via a live data feed.

  • Office of University Development. This office provides identity information for all living alumni via a Data Warehouse. Updates to this information are provided to MCommunity nightly (except for Sunday night).

  • Dearborn Campus. The Dearborn Campus uses a Banner system for its directory of U-M Dearborn students. U-M Dearborn's Information Technology Services staff members are working with the MCommunity Project Team to establish a live data feed between the Dearborn Banner system and MCommunity. A nightly data feed has been set up for now.

  • Flint Campus. The Flint Campus also uses a Banner system for its directory of U-M Flint students. Staff members from U-M Flint Information Technology Services are working with the MCommunity Team to establish a live data feed between the Flint Banner system and MCommunity. A weekly data feed from Flint to M-Pathways to MCommunity has been set up for now.

  • Sponsor System. The MCommunity Sponsor System is used to enter identity information about departmentally sponsored guests and affiliates.

Data about groups will continue to be entered and managed by group owners.

Additional Resources

The MCommunity Project website provides information about the project status, timeline, history, and more.

Visit ITS's Information System to obtain ITS computer documentation and other resources. A list of relevant documents follows:

The ITS Service Center provides a variety of computing help resources.

For further help with this or any other topic, send an e-mail or phone 734-764-HELP [4357].

Please direct questions about the MCommunity Project to the MCommunity leads at MCommunity.Leads@umich.edu.