Continue to provision from one enterprise dataset for person data - The enterprise dataset is derived from the IAM Identity registry and holds the essential person information that is used by the enterprise.
- Use of the single IAM Registry-based reference dataset avoids the following problems:
  - Data silos and multiple versions of data.
  - Data errors that result from manual entry and maintenance.
  - Outdated data, including not knowing which data elements can be trusted.
At a basic level, master data management methods seek to ensure that an organization does not use multiple, potentially inconsistent versions of the same data in different parts of its operations. Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of an enterprise. A single master dataset is necessary to provide accurate and timely information on Harvard people and resources. Coherence in the data stored across all directories must be established, maintained and synchronized through automated means.
- Two enterprise directory implementations merging into one over time
Continue to use one UNIX-based LDAP and one Microsoft AD, which is necessary to meet the current set of enterprise directory requirements. Over time, consolidate to one AD implementation for enterprise directory services, including HarvardKey.
The current design of two enterprise-level directory implementations, one UNIX-based and one MS-AD-based, should be consolidated over time to reduce duplication of data and simplify the infrastructure by reducing the number of supported instances. A progressive approach is recommended, starting with migrating the UNIX authentication services to AD, followed by migration of person attribute information and then the remaining non-person data. At that point HarvardLDAP should be retired.
- Managed Directories
HUIT should create a directory management service to allow schools and centers with existing UNIX-like directories the option of delegating the administration and operation of such directories to a central team with the level of technical expertise and resources required.
The decentralized nature of Harvard often results in high levels of duplication and complexity. The shared-services approach can combine the advantages of centralization and decentralization, achieving economies of scale and scope while remaining responsive to user needs. A directory service offering would allow some parts of the organization to reduce their operational level of support for LDAP directories while meeting existing local needs.
- Local directories
Local, non-managed directories should be limited to those that provide application-specific or locally valuable directory services. These typically provide directory information in narrowly-scoped environments such as individual or small sets of applications.
The need for local directories that support specific applications and/or contain locally valuable person/resource data will continue to exist. Local data should be limited to those objects and attributes not contained in master or managed directories.
When differences exist in the business meaning of a particular attribute or set of attributes, local directories should extend the schema used in the master directory and avoid using the same attribute name(s) for locally different definitions, enabling synchronization with authoritative data at the higher level.
- Synchronization of directory data
To the greatest extent possible, all directories should be automatically provisioned/deprovisioned using a top-down approach beginning with the IAM program databases and systems.
Consistent and timely provisioning and de-provisioning of information in directories is required for reasons that range from supporting a high-quality user experience for new employee on-boarding to rapid and secure removal/archiving of accounts for terminated employees.
Achieving this across multiple directories is almost impossible absent automated tools and standard processes. Provisioning of person information must be accomplished through a business service that automatically adds people to the directory. Manual addition of people should not be allowed. De-provisioning should be accomplished through the same business service. Provisioning and de-provisioning of technical resources should be accomplished through a similar business service.
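As an added illustration of the top-down synchronization described above (example code, not from the original document; the record layout, the `status` attribute and the sample entries are constructed assumptions), the following Python computes the change set a provisioning service would apply to one downstream directory, treating the registry dataset as the only source of truth and flagging manually added entries as orphans instead of accepting them:

```python
# Added example (not from the original document): top-down reconciliation of a
# downstream directory against the authoritative IAM registry person dataset.
# Record layout, the "status" attribute and all sample entries are constructed.

# Constructed extract of the enterprise person dataset (source of truth).
MASTER = {
    "u1001": {"cn": "Ada Lovelace", "mail": "ada@example.edu", "status": "active"},
    "u1002": {"cn": "Alan Turing", "mail": "alan@example.edu", "status": "active"},
    "u1003": {"cn": "Grace Hopper", "mail": "grace@example.edu", "status": "terminated"},
}

# Constructed current contents of one downstream directory (LDAP or AD replica).
DIRECTORY = {
    "u1001": {"cn": "Ada Lovelace", "mail": "ada.l@example.edu", "status": "active"},  # hand-edited drift
    "u1003": {"cn": "Grace Hopper", "mail": "grace@example.edu", "status": "active"},  # termination not yet applied
    "u9999": {"cn": "Manual Account", "mail": "tmp@example.edu", "status": "active"},  # added by hand, no master record
}

def reconcile(master, directory):
    """Change set that makes `directory` agree with `master` (master wins).
    add: active in master but absent downstream; update: attributes differ;
    deprovision: not active in master but still active downstream;
    orphan: downstream entries with no master record, reported, never trusted."""
    plan = {"add": [], "update": [], "deprovision": [], "orphan": []}
    for uid, rec in master.items():
        current = directory.get(uid)
        if rec["status"] != "active":
            if current is not None and current["status"] == "active":
                plan["deprovision"].append(uid)
            continue
        if current is None:
            plan["add"].append(uid)
            continue
        diff = {k: v for k, v in rec.items() if current.get(k) != v}
        if diff:
            plan["update"].append((uid, diff))
    plan["orphan"] = sorted(uid for uid in directory if uid not in master)
    return plan

def apply_plan(master, directory, plan):
    """Directory state after the plan; orphans stay in place, flagged for review."""
    result = {uid: dict(rec) for uid, rec in directory.items()}
    for uid in plan["add"]:
        result[uid] = dict(master[uid])
    for uid, diff in plan["update"]:
        result[uid].update(diff)
    for uid in plan["deprovision"]:
        result[uid]["status"] = "disabled"
    return result
```

Running the same reconciliation against every directory from the one master dataset is what keeps the copies coherent; a non-empty orphan list is the signal that someone bypassed the business service.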
- Directory management
Consolidate LDAP skills into one organization to achieve critical mass and coverage.
Directory design, management and administration, for both Active Directory and UNIX-like LDAP directories servers, requires a unique set of skills. The University would benefit from an effort to identify and consolidate, formally or informally, staff with this experience in order to reduce duplication of effort and provide quality, sustainable services.