
ITPG-IdM Meeting Minutes - 10/5/2011


The following is my best attempt at minutes from today's meeting.

Not sure what happened to the list of attendees, but somehow it went missing. I think it looked something like this, but I know I've missed a couple.

Steve Miley - LSIT
Doug Drury - Admin Services
John Goubeaux - Education
Leesa Beck - Registrar
Andy Satomi - Chancellor/Senate
Bruce Miller - Comm Services
Karl Heinz - OIST
Tom Putnam - OIST
Randall Ehren - OIST
Noah Spahn - OIST
Matthew Dunham - OIST

E-Mail Address Promotion:

The first topic of discussion was email address promotion for people who hold both "student" and "employee" affiliations. After a healthy discussion the group agreed that the best way forward is to change the current policy and make commensurate changes to the applications that consume the student email address. The new policy on email address promotion is as follows:

• If a person is an employee only, they can populate ucsbEmailBusiness1, ucsbEmailBusiness2, and ucsbEmailPersonal and select one of these as Global Mail (no change).

• If a person is a student only, ucsbEmailStudent is populated with their U-Mail address and cannot be changed. Business email attributes cannot be populated. Global Mail is populated from ucsbEmailStudent (no change).

• If a person has both student and employee affiliations, ucsbEmailStudent is populated with their U-Mail address and cannot be changed. Business email attributes can be populated. Global Mail is populated from the person's choice of ucsbEmailBusiness1, ucsbEmailBusiness2, or ucsbEmailStudent (change).
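The three cases above, written out as a provisioning check. This is an added example for illustration, not UCSB's provisioning code: the attribute names are the ones in the minutes, while the affiliation labels, the Person fields, the global_mail_choice selector and the PolicyError type are assumptions of the example. Note that the employee-only and dual-affiliation cases differ in exactly one selectable attribute (ucsbEmailPersonal versus ucsbEmailStudent), and that a student-only person gets no choice at all.

```python
"""Global Mail selection under the e-mail address promotion policy recorded above.
Hypothetical implementation for illustration; not UCSB's provisioning code."""
from dataclasses import dataclass
from typing import Optional

STUDENT, EMPLOYEE = "student", "employee"   # affiliation labels assumed for this example


@dataclass
class Person:
    affiliations: set
    umail: Optional[str] = None                # source of ucsbEmailStudent, never user-editable
    ucsbEmailBusiness1: Optional[str] = None
    ucsbEmailBusiness2: Optional[str] = None
    ucsbEmailPersonal: Optional[str] = None
    global_mail_choice: Optional[str] = None   # attribute name the person selected (assumed field)


class PolicyError(ValueError):
    """Raised when the requested attribute state violates the policy."""


def provision_email(p: Person) -> dict:
    """Return the e-mail attributes the policy permits for p, plus the resulting GlobalMail."""
    is_student = STUDENT in p.affiliations
    is_employee = EMPLOYEE in p.affiliations
    if not (is_student or is_employee):
        raise PolicyError("policy only covers student and/or employee affiliations")

    business = {
        "ucsbEmailBusiness1": p.ucsbEmailBusiness1,
        "ucsbEmailBusiness2": p.ucsbEmailBusiness2,
        "ucsbEmailPersonal": p.ucsbEmailPersonal,
    }
    attrs = {}
    if is_student:
        if not p.umail:
            raise PolicyError("a student must have a U-Mail address")
        attrs["ucsbEmailStudent"] = p.umail        # fixed; not changeable by the person
    if is_employee:
        attrs.update({k: v for k, v in business.items() if v})
    elif any(business.values()):
        raise PolicyError("student-only: business email attributes cannot be populated")

    # Which attribute may become Global Mail depends on the affiliation combination.
    if is_student and not is_employee:
        choice = "ucsbEmailStudent"                # student only: no choice
    else:
        allowed = {"ucsbEmailBusiness1", "ucsbEmailBusiness2"}
        allowed.add("ucsbEmailStudent" if is_student else "ucsbEmailPersonal")
        choice = p.global_mail_choice
        if choice not in allowed:
            raise PolicyError(f"Global Mail must be one of {sorted(allowed)}")
        if choice not in attrs:
            raise PolicyError(f"{choice} is not populated, so it cannot be Global Mail")
    attrs["GlobalMail"] = attrs[choice]
    return attrs
```

Applications that currently assume Global Mail equals ucsbEmailStudent for anyone with a student affiliation are the ones that need to change under the new policy; the dual-affiliation branch is where that assumption breaks.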

Associate Demographic Granularity:

We spent a chunk of time discussing the need for more granularity in the provisioning of miscellaneous demographics. Currently all affiliates are provisioned with the single affiliation "associate". For a number of reasons (security audit, ease of provisioning, etc.) OIST believes this broad affiliation should be refactored into narrower affiliations that reflect the person's actual relationship with the University, e.g. "visiting scholar", "contractor", "vendor", "library patron". It was pointed out that the downside of such a change is that applications that use ucsbAffiliation for authorization would potentially need to update their authorization logic as more affiliations are added. This topic wasn't seen through to a decision.

Identity Annex Demo:

Matt demoed the new Identity Annex application, which allows delegated provisioning of guests and visitors. The rollout is potentially tied to the affiliation granularity topic above, so it's not clear when it will happen.

Off-Campus LDAP Access:

By current policy we allow anonymous access to our LDAP service from off-campus. The only known use case for off-campus access is email client address lookup (although this need can be met with the VPN service). By exposing this service off-campus, we expose the campus directory to email harvesters and other potential security risks. Matt suggested that this policy should be revisited to ensure it's still appropriate, although time ran out before we could discuss it.
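To make the harvesting exposure concrete, here is an added example (not part of the minutes, and not UCSB's directory configuration) that places an anonymous-read-from-anywhere ACL next to one that only grants anonymous reads from campus address space, and evaluates both the way slapd does: first matching `to` clause, then first matching `by` clause. The ACL strings use OpenLDAP olcAccess syntax; the evaluator is a small hypothetical helper that handles only the subset of slapd.access(5) used here. The campus range 192.0.2.0/24 is an RFC 5737 documentation range standing in for the real one, which the minutes do not give, and the off-campus client at 203.0.113.9 is likewise constructed.

```python
"""Tiny evaluator for the subset of OpenLDAP olcAccess syntax used below, written to
compare an anonymous-read-from-anywhere directory ACL with a campus-restricted one.
Hypothetical helper; it is not slapd and supports only '*', 'anonymous', 'users' and
'peername.ip=' <who> clauses and 'attrs=' / '*' <what> clauses (IPv4 only)."""
import ipaddress
import re

# Constructed example policies. 192.0.2.0/24 (an RFC 5737 documentation range) stands in
# for campus address space; the real campus ranges are not given in the minutes.
CAMPUS = "peername.ip=192.0.2.0%255.255.255.0"

CURRENT_POLICY = [   # anyone, from anywhere, may read address-book attributes
    "to attrs=mail,telephoneNumber by * read",
]
PROPOSED_POLICY = [  # anonymous reads only from campus; authenticated binds from anywhere
    f"to attrs=mail,telephoneNumber by {CAMPUS} read by users read by * none",
]

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
BY_RE = re.compile(r"\bby\s+(\S+)\s+(\S+)")


def _who_matches(who: str, peer_ip: str, authenticated: bool) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return not authenticated
    if who == "users":
        return authenticated
    if who.startswith("peername.ip="):
        ip, _, mask = who[len("peername.ip="):].partition("%")
        net = ipaddress.ip_network(f"{ip}/{mask or '255.255.255.255'}", strict=False)
        return ipaddress.ip_address(peer_ip) in net
    raise ValueError(f"unsupported <who> clause: {who}")


def _what_matches(what: str, attr: str) -> bool:
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what> clause: {what}")


def access_level(policy, attr, peer_ip, authenticated=False) -> str:
    """slapd semantics: first <to> clause matching the target, then first matching <by>."""
    for rule in policy:
        head, _, rest = rule.partition(" by ")
        what = head.split(None, 1)[1]              # drop the leading "to"
        if not _what_matches(what, attr):
            continue
        for who, level in BY_RE.findall("by " + rest):
            if _who_matches(who, peer_ip, authenticated):
                return level
        return "none"                              # implicit trailing "by * none"
    return "none"                                  # no access directive matched


def can_read(policy, attr, peer_ip, authenticated=False) -> bool:
    level = access_level(policy, attr, peer_ip, authenticated)
    return LEVELS.index(level) >= LEVELS.index("read")


def harvestable(policy, peer_ip) -> bool:
    """Can an anonymous client at peer_ip pull the mail attribute (the harvester case)?"""
    return can_read(policy, "mail", peer_ip, authenticated=False)
```

Two caveats a practitioner would check before adopting a rule like PROPOSED_POLICY: a VPN client is sourced from campus address space, so the address-lookup use case keeps working only if the VPN pool is inside the `peername.ip` range, and a source-address restriction is only as complete as the list of campus ranges it names.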

LDAP Lookup for Non-Active Entities:

Although on the agenda, there wasn't sufficient time to tackle this topic.