Information Technology Central Services at the University of Michigan
U-MITCSDocumentation
MCommunity Overview
R1457 • October 2008

MCommunity is a new online directory and identity management system for U-M that is currently under development. It is being rolled out in phases. The basic infrastructure was put in place in June 2008. The Sponsor System was released to the ITCS Accounts Office in October 2008. This document describes some of the components of MCommunity, explains how they will be used, and tells what will be available when.

Table of Contents


What Is MCommunity?

MCommunity is a central system that will store information about people that can be used to grant them access to various online resources at both the University and departmental levels. It is a flexible, centralized, identity management system that U-M campuses and units will be able to use in a decentralized way for provisioning information technology resources and services.

It is also what is called an "enterprise directory," which means it will include the entire University enterprise and not just a single department or campus. It will eventually replace the U-M Online Directory. It will also replace current ITCS systems for creating and managing uniqnames and for provisioning Basic Computing Package services.

The main reason for creating MCommunity is to make it possible to provide quick access to the online and physical resources people need when they need them—and to remove that access when they are no longer eligible for it. MCommunity will

  • Provide a directory with better privacy features than the current directory.

  • Provide a directory with accurate, up-to-date information about members of the U-M community.

  • Provide tools that departmental system administrators can use to grant access to—and remove access from—their own departmental information technology resources for people based on departmental roles that they define.

  • Streamline the processes for uniqname creation and UMICH Kerberos password resets.

  • Streamline provisioning of Basic Computing Package services.

^ Table of Contents

Why Is It Important?

More and more of what the University does depends on knowing who is and is not a member of the University community. Our current systems are unable to give us real-time information about who is affiliated with the University and in what capacity.

This information is needed for a wide variety of purposes, including

  • Providing immediate access to U-M computing resources to those who are eligible.

  • Removing access to sensitive systems and information from those who leave the University.

  • Identifying specific groups of people—such as those enrolled in a particular program—so they can be given access to resources such as for-fee online publications. Being able to count those people and prove that no one else has that access will help the University to negotiate the best price for such online resources.

  • Identifying people with a particular role at the University so they can be given access to resources specific to their role. Automating that so that when people take on or give up that role, access is automatically adjusted.

^ Table of Contents

When Will It Be Available?

MCommunity is being developed and rolled out in stages. Many of the components listed here are described in greater detail later in this document.
June 2008
The basic, underlying structure of MCommunity was put in place in June 2008, including the Identity Vault and the data feeds connecting the primary authoritative data souces. THe infrastructure and data feeds are stable and working well.

As of August 2008, MCommunity has a live feed from M-Pathways, a nightly feed from the Dearborn campus, and a nightly feed of alumni data from the U-M Data Warehouse. This means that MCommunity is routinely creating entries for Ann Arbor faculty, staff, and students; Dearborn faculty, staff, and students; Flint faculty and staff; retirees; and alumni.

Fall 2008
The MCommunity Sponsor System was introduced to the ITCS Accounts Office for use in October 2008. Use will likely be extended to departmental sponsorship administrators in December 2008.
Winter-Spring 2009
LDAP access to MCommunity data will be provided to U-M system administrators through an LDAP Tree.

The new MCommunity online directory will begin to run in parallel with the current U-M Online Directory. For most members of the U-M community, this will be the visible debut of MCommunity.

There will be changes in how people look up people and group entries, how they modify their own entries, and how they create and manage groups. There will also be changes in what information is available to the general public and to members of the University community.

The U-M Online Directory will remain available behind the scenes for some time so that departments who need access to it can continue to use it while they transition their systems to access MCommunity instead.

Programmatic access to the Sponsor System for system administrators will be provided through a web service and a command-line utility.

Summer-Fall 2009
MCommunity will introduce tools that departments can use for departmental roles management.

MCommunity will be used for provisioning of ITCS's Basic Computing Package, as well as some other campus services. Departmental system administrators will begin to be able to use MCommunity to provision their own information technology services.

^ Table of Contents

Uniqname Creation

Your uniqname is an important part of your identity at U-M. There are a number of procedures for getting a uniqname; the one you use depends on your relationship with the University. Underlying all those procedures is ITCS's uniqname system, which creates and manages uniqnames.

MCommunity will take over that work as part of its identity management function.

Uniqnames for Sponsored Affiliates
Authorized U-M employees can use MCommunity to obtain uniqnames for sponsored affiliates. The Sponsor System component of MCommunity allows for creation of a full online identity, not just a uniqname, that can be used for service provisioning.

The Sponsor System currently provides two ways of getting uniqnames:

  • Staff member requests. Staff members will enter identity information into MCommunity to obtain a uniqname and UMICH Kerberos password, which they will then provide to the sponsored affiliate.

  • Requests for lists of short-term uniqnames. Staff members can provide lists of conference or summer camp attendees and obtain lists of short-term-use uniqnames to distribute to those people.

In the future, it will offer an additional option:

  • Self-registration invitation to the sponsored affiliate. Staff members will enter identity information into MCommunity, and MCommunity will send an e-mail message inviting the sponsored affiliate to visit a website to select a uniqname and UMICH password. This option will not be ready when the Sponsor System is introduced in June 2008. It will likely be added in December 2008.

For now, authorized staff members can continue to use WebUniq or the uns command-line tool to create uniqnames for sponsored affiliates. After a reasonable transition period, these tools will be retired.

Uniqname Self Registration
Incoming students, staff members hired through the University's online application system, and alumni will continue to select their own uniqnames and UMICH Kerberos passwords via a uniqname self-registration process on the web. The software behind this process will change, but the process itself will be similar to the way it is today.

Current uniqname self-registration web pages:

Programmatic Uniqname Creation
Some U-M units have their own scripts, programs, or systems that interact with ITCS's uniqname system to create uniqnames. These will need to be modified to work with MCommunity instead.
ITCS and Departmental Interfaces to Uniqname
Systems that currently connect to or interact with ITCS's uniqname system will need to transition to working with MCommunity instead. Most, but not all, of these systems are within ITCS. ITCS will work with the owners of other systems to ensure a smooth transition. The transition will likely begin somewhere around June 2008, when MCommunity will be capable of creating and managing uniqnames. After a reasonable transition period, ITCS's current uniqname system will be retired.

^ Table of Contents

Sponsor System

The Sponsor System allows authorized University employees to create identities in MCommunity for people who are affiliated with the University but who are not full members of the University community. These people are usually referred to as sponsored affiliates. There are two common reasons for needing such identities:

  1. Preliminary IDs for early access. It is common practice for units to create accounts for incoming faculty members before they officially complete the hiring process and come to the University—that is, before information about them is in the University's Human Resources system. Units do this to provide incoming faculty members with early and needed access to University resources.

  2. IDs for loosely affiliated persons. Units also need to be able to create identities for individuals who are not, and may never be, students, faculty, staff, or alumni—people such as research collaborators, contractors, conference attendees, summer camp attendees, and so on.

For details about the Sponsor System, see MCommunity Sponsor System Overview (R1458).

^ Table of Contents

Identity Vault

The Identity Vault is the heart of the MCommunity system. It will store identity information for people and for groups. Most people won't need to give the Identity Vault a second, or even first, thought. They will simply be aware that MCommunity contains identity information about U-M people and groups.

Information is provided here about the Identity Vault for information technology staff whose systems will interact with MCommunity, administrative staff who need to know what data is available where, and others who are interested.

The part of the Identity Vault that stores data will be made up of two parts:

  • Registry. The Registry stores all data received from each of the data sources that feed MCommunity. It's where the raw data is collected and held. The registry may contain multiple records for a single person. If, for example, an individual is a student on the Dearborn campus and an employee on the Ann Arbor campus, information about that individual will be provided to MCommunity both through the employee data feed from Michigan Administrative Information Services (MAIS) and the student data feed from Dearborn. All this information will be kept in the registry.

  • Directory. The directory contains consolidated data—a single record for each person. It contains current data only.
Also part of the Identity Vault is software that, following data precedence rules, determines which data goes in the directory when data from different sources conflict. The Identity Vault has software that keeps data synchronized across MCommunity and manages data changes coming in from various places.

^ Table of Contents

A New Online Directory

The web interface to the U-M Online Directory will be joined by a new web interface to MCommunity in the first half 2009. You'll still be able to look up people and groups, manage your own MCommunity entry, create and manage e-mail groups, and more—but things will look different in the new directory. After a reasonable transition period, the U-M Online Directory will be retired.

Details about what directory information should or should not be visible and to whom are being decided by the MCommunity Governance Board, a group with representatives from across the University community. The group prepared general recommendations to guide the use of data in MCommunity and continues to meet regularly to refine those ideas as MCommunity takes shape.

People Entries
When the current U-M Online Directory was created, Internet culture encouraged open sharing of information. Since that time, awareness has increased of the need to protect the privacy of personal identity information. Our peer institutions no longer display as much data about members of their communities as we do.

MCommunity will allow the University to provide varying levels of access to directory information. Those who log in to MCommunity will be able to see more information than the general public, for example.

Privacy of Personal Information. Whereas the current directory publishes home addresses and phone numbers unless individuals request otherwise, MCommunity will reverse this. Home addresses and phone numbers will not be published unless individuals request that they be made public.

Keeping Public Information Public. University employees will no longer be able to change or remove their official job titles as they can today. Space will be provided for individuals to provide a more specific or informal title in addition to their official title if they wish.

See the Governance Boards's recommendations regarding General Visibility of Person Attributes for details.

Groups
MCommunity will provide for group creation and management, but the tools for doing this will look different from the group-management tools in the current directory. Current groups will be moved from the U-M Online Directory to MCommunity. Details for groups in MCommunity have not yet been worked out. When they are, more information will be provided here.

^ Table of Contents

Departmental Roles Management

University units need to identify populations of faculty, staff, and students based on their University roles. A school might want to identify all the students in a particular program so it can give them access to licensed software or to for-fee online publications, for example. The current directory does not lend itself to this purpose, but MCommunity is being designed to do so.

Basic institutional role information will be included for individuals in MCommunity. This information will be provided by MAIS through M-Pathways. Individual schools, colleges, and units may use the institutional roles to grant access to services, or they may wish to customize them with additional criteria.

The MCommunity Governance Board has identified basic institutional roles for use in MCommunity. See the Roles Section of the Governance Board's Recommendations for details.

^ Table of Contents

Departmental Service Provisioning

Departmental system administrators will be able to use MCommunity to provision their own information technology services. For example, they will be able to use it when providing departmental server accounts to new staff. They'll also be able to use it to provide access to licensed online materials and more.

^ Table of Contents

Programmatic Access for Departmental System Administrators

Via the LDAP Tree
MCommunity will include a component designed for system administrators who rely on LDAP access to current directory data for unit systems and applications.

Staff members in many units across the University currently use LDAP command-line tools to work with data in the current directory. LDAP is also used by various services and applications for such things as user authorization. To allow staff to continue to use these tools and systems to appropriately access the data, MCommunity will include an "LDAP Tree"—an LDAP-accessible replica of the directory that is inside the Identity Vault. This will help units make the transition to the new infrastructure with minimal disruption.

The LDAP Tree will also be a resource for people who want to access directory data for their e-mail address books. Some e-mail programs can be configured for LDAP access to directory information.

Identity Management Access
Programmatic access to the identity management component of MCommunity will allow departmental system administrators to align their own systems to interact with MCommunity.
Direct Access to Departmental Data
This access will allow departmental staff to make batch and one-at-a-time changes to their departmental data in MCommunity.

^ Table of Contents

Data Sources for MCommunity

MCommunity's sources for data about people are these:
  • M-Pathways (PeopleSoft HEPROD Database). This MAIS database is the authoratative source for identity information about

    • Current U-M faculty
    • Current U-M staff
    • Current Ann Arbor campus students

    People who wish to make changes in their official U-M identity information that is stored in M-Pathways may do so using Wolverine Access. MCommunity will receive data from this source via a live data feed. Changes made to the data will be synchronized with MCommunity in real time. The current U-M Online Directory receives updates from M-Pathways once a week via a batch file.

    Keeping authoritative data authoritative. The current directory allows people to change authoritative data about themselves, such as their staff title, and to disable updates from M-Pathways. MCommunity will not allow this. Individuals can make changes to much of the authoritative date about themselves, such as addresses and phone numbers, using Wolverine Access. These changes would then be reflected in real time in MCommunity. MCommunity will provide space for people to indicate informal or more specific titles in addition to the official data.

  • Office of University Development. This office provides identity information for all living alumni via the Data Warehouse that MAIS maintains. Updates to this information will be provided to MCommunity once each day. Currently, Development provides updates to the U-M Online Directory once a week. Current updates are used only to add the "Alumni" affiliation to entries that already exist in the directory. MCommunity will have more information about alumni than the current directory does.

  • Dearborn Campus. The Dearborn Campus uses a Banner system for its directory of U-M Dearborn students. U-M Dearborn's Information Technology Services staff members are working with the MCommunity Project Team to figure out how to provide a live data feed between the Dearborn Banner system and MCommunity. A nighly data feed has been established for now.

  • Flint Campus. The Flint Campus also uses a Banner system for its directory of U-M Flint students. Flint students are not included in the U-M Online Directory. Staff members from U-M Flint Information Technology Services have begun working with the MCommunity Team. It is hoped that work done on the data feed between MCommunity and the Dearborn Banner system can be leveraged to make establishing a data feed between MCommunity and the Flint Banner system easier.

Data about groups will continue to be entered and managed by group owners.

^ Table of Contents

Additional Resources

The MCommunity Project website provides information about the project status, timeline, history, and more.

Visit ITCS's Information System to obtain ITCS computer documentation and other resources. A list of relevant documents follows:

We welcome your comments; please send e-mail.

ITCS's Online Help Desk provides a variety of computing help resources.

Please direct questions about the MCommunity Project to the MCommunity leads at MCommunity.Leads@umich.edu.

^ Table of Contents