IFAS COMPUTER COORDINATORS
(ICC)
NOTES FROM March 10th 2006 REGULAR MEETING
A meeting of the ICC was held on Friday, March 10th, 2006. The meeting was chaired and called to order by Steve Lasley, at 10:00 a.m. in the ICS conference room.
PRESENT: Eighteen members participated.
Remote participants: Francis Ferguson, Chris Fooshee, Kevin Hill, Joel Parlin and Mike Ryabin.
On-site participants:
Tom Barnash, David Bauldree, Dennis Brown, Dan Cromer, Marion Douglas, Chris Hughes, Wayne Hyde, Dwight Jesseman, Winnie Lante, Steve Lasley, Ligia Ortega, Mark Ross and Jennifer Xu.
Guests: Mike Conlon and John Sawyer.
STREAMING AUDIO: available here
NOTES:
Agendas were distributed and the meeting was called to order on time.
New members:
Steve introduced Richard Faulk, who, in January, began providing IT support at West Florida REC in Milton. Richard reports that Allen Bond will be leaving WFREC sometime in the near future. Steve also mentioned that Brandon Hoover has been officially added to our ranks. Brandon provides Distance Education Support for Soil and Water Science, including responsibilities for their Breeze software. Brandon reports that Steve Bloom is expected to retire from that department sometime this summer.
Recap since last meeting:
Steve pointed folks to the notes of the last meeting. There is now an official web site for the IT Reorganization project which Marc Hoit had spoken on at our last meeting. Also, a DDD memo was released from the office of the Provost that specified:
"The university is announcing the creation of a university wide Chief Information
Officer (CIO). The CIO is responsible for leadership, management, vision,
budgeting, strategic planning, and implementation of UF's technology infrastructure
and services. The CIO is charged with improving UF's IT services and infrastructure
through coordination, integration and realignment of IT organizations. The CIO
provides direct supervision of the Office of Academic Technology (OAT), Computing
and Networking Services (CNS), UF's Florida Lambda Rail Operations (FLR) and the
Information Technology Advisory Council (ITAC). The CIO will report to the Provost.
Dr. Marc Hoit has been appointed to the position of Interim CIO. He will lead the
reorganization of central IT groups to become an efficient, cost effective and
quality service provider and begin the process of unifying campus IT services. A
search for a permanent appointee will be announced in the future."
A visit with Mike Conlon...
Steve introduced Mike Conlon, UF's Director of Data Infrastructure. Mike has been with UF a long time having received his PhD here in Statistics back in 1982--joining the faculty of that department upon graduation. In 1993, Mike joined the CLAS Dean's Office as their Director for Information Resources (a position now held by John Sabin), already cutting his IT teeth on a rather diverse and complicated organization--a trend which has only grown throughout the years. Some wonderful bits of Mike's history there are still available on the web.
In October of 1997, Mike left CLAS to become the Assistant Vice-President for Health Affairs - Academic Information Systems and Support at the Health Science Center. His job responsibilities there included coordinating computing and networking in the six colleges of the Health Center and supervising the Learning Resource Center, HealthNet, the Health Science Center teaching labs, and the Office of Information Technology and Services. That position gave him many IT opportunities and challenges, and was perhaps good preparation for even greater challenges ahead.
Then, in 2002, Mike was appointed "Director of Data Infrastructure" and worked with UF's ERP project to supply those systems which UF would require consequent to the move of UF from a state to a public institution. This led to PeopleSoft and the organization that came to be known as Bridges. Recently, in January of 2006, Mike was promoted to the position of "PeopleSoft Implementation Officer".
Mike prepared information on five areas with which he has considerable involvement: PeopleSoft, UFAD, Biztalk, the Vista implementation, and the IT Reorganization project.
PeopleSoft
Mike related how the project began in 2002 and went live in July of 2004. We have been dealing with change management ever since. In September 2005, the Provost, Jimmy Cheek and Doug Barrett asked for a summary of where we were and what we needed to do. They were presented a whitepaper on that and in December Mike was asked to lead the initiative. The project is currently involved in eight major efforts which are discussed in the two documents "An Agenda for University Business Systems" and "An Agenda for University Business Systems, Part 2":
- Grant billing is a major issue--making sure that UF can collect its $500 million from grants across the university.
- Grant budgeting is another--making sure that each of the approximately 6000 projects has an individually administered budget in the hands of the principal investigator.
- Currently there are about 1500 operational reports available, but that is not nearly enough.
- We need to make our data warehouse available in a timely manner. We have 1500 ETL programs running every night moving data from the transaction systems into the warehouse. Those processes take too long.
- We've worked on time and labor improvements for reporting time and administering time approval.
- We are currently rolling out changes to the screens and the processes of security that are used to perform job actions: hire-fire, job change, variable pay and cash outs. This is a big initiative under the heading "electronic Personnel Action Form" or ePAF.
- We will be changing the recruiting website at http://jobs.ufl.edu. This is currently not a very good "front door" for people seeking employment at UF. The current eRecruit tool will be replaced with a new tool called PeopleAdmin.
- We are working on improvements in training for the staff, business officers and the various other individuals involved in using PeopleSoft.
So we have a large number of very major initiatives underway. The current Bridges organization is about 120 people. About 20 people are involved in 24/7 operations. Another 20 or so provide support for the IT infrastructure: systems and database administration. The remainder are working to support the HR and finance systems, the warehouse, reporting, the portal, etc. Mike Corwin is the director of Bridges and Mike Conlon coordinates among Bridges, the core offices (Finance and Administration, HR and the folks involved in the business processes) and the units and colleges.
Active Directory
Mike announced that Erik Schmidt has joined UFAD as their third FTE. Erik has a strong and successful background in system administration here at UF, formerly at VetMed and more recently at Academic Affairs. Mike said that Erik will start on Monday and that he has some transitional duties, including supervising the move of Academic Affairs to UFAD.
They are working on an interesting interface between UFAD and the enterprise systems. That project will take the PeopleSoft role authorization information and synchronize that out into various UFAD security groups. This will allow us to secure resources in the LAN environment based on authorizations that have been assigned in the enterprise environment. As an example, we have a WebDAV file share that we use to provide production data from the production systems to authorized consumers of that data. The PeopleSoft system makes spreadsheets and those spreadsheets end up on file servers, so we have a WebDAV file server that does that. Currently it is secured in a manual method--sort of by telephone--so it's like "Susie needs access to the file folder", "okay", then somebody has to run over there and do that. We already know that Susie should have access to that file folder because of her role within the system, but we are replicating that authorization manually currently. We will be creating sync processes that will take the 500 or so roles that we have in PeopleSoft and reflect those out as security groups in UFAD. We will also be able to assign e-mail addresses to those groups and then be able to send e-mail to those having authorized access.
Chris Hughes asked if those security groups would be separated out like the autogroups so that we could identify UF directory liaisons who are from IFAS or who are from a department from within IFAS? Mike responded that he did not know, but that it sounds like a good idea. They haven't considered doing that, but it is something they could look at doing. Such a capability would greatly simplify how IFAS (and other UF units) could handle the granting of permissions and other interactions, such as e-mail contact, with holders of these various roles within our organization.
Steve asked for further clarification about these roles. It was stated that the roles are assigned to UFIDs and managed in PeopleSoft. The roles are managed in two ways. One involves automatic sync processes from the directory; so, if you are an employee for instance, there are four or five basic roles that you get. Those entitle you to access the portal, to look at your pay stub, etc. The same thing is done for students and other affiliated groups. The second way we manage groups involves authorization processes that happen at the department level. We have department security administrators at the local level who make requests for particular individuals to have particular administrative functions. So, for example, suppose you have a new chair in your department and they need to be able to approve travel. That request is made by the DSA, it goes through a security process, and the chairman ends up with the travel approval role. The same thing goes for principal investigators, etc. and somehow it adds up to 500 roles. That is how we administer security at the enterprise level and we have recording mechanisms and audit processes and all the things which go with systems like that. The point of this is that we will reflect that out into UFAD so we can use it for things like SharePoint security or securing file shares and doing other things which would help organize these folks and give them access to resources based on their authorizations. WebDAV is one of those things that will get that early on.
Another thing on the drawing board is Cognos. We use the Cognos Business Intelligence software for our business reporting solutions. Again, the authorizations in Cognos and those in PeopleSoft are kept in sync manually. That can all be done through UFAD. So again, we have the role information in PeopleSoft, and we walk across and tell somebody in the Cognos world we just gave this to that and they have to double-enter those and hope we get it right. We can replace that all with synchronization processes controlled by UFAD. These things are on the drawing board for the coming year.
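[Editor's added illustration of the role-to-group sync Mike described above; this is example code written for these notes, not UFAD's or Bridges' own sync. It assumes a nightly extract of role-to-UFID assignments from the enterprise system and mirrors each role into a security group. The group prefix "PS-", the role names, the UFIDs and the in-memory directory are all constructed for the example. The points worth seeing in code: the feed is the only path into a mirrored group, so a member added by hand is removed on the next pass; a second pass with the same feed changes nothing; and a pass that would strip an implausible number of members from one group is skipped rather than applied, since a broken ETL run must not revoke everyone's access in one cycle.]

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

GROUP_PREFIX = "PS-"   # hypothetical naming convention for groups mirrored from the ERP

# Constructed sample extract: enterprise role -> UFIDs currently holding it.
ROLE_FEED: Dict[str, Set[str]] = {
    "UF_TRAVEL_APPROVER": {"12345678", "23456789"},
    "UF_PI":              {"34567890"},
    "UF_EMPLOYEE":        {"12345678", "23456789", "34567890", "45678901"},
}


@dataclass
class Directory:
    """In-memory stand-in for the directory: security group -> member UFIDs,
    plus an audit trail of every change the sync makes."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def ensure_group(self, name: str) -> None:
        if name not in self.groups:
            self.groups[name] = set()
            self.audit.append(f"create {name}")

    def add_member(self, name: str, ufid: str) -> None:
        self.groups[name].add(ufid)
        self.audit.append(f"add {ufid} to {name}")

    def remove_member(self, name: str, ufid: str) -> None:
        self.groups[name].discard(ufid)
        self.audit.append(f"remove {ufid} from {name}")


def plan(role_feed: Dict[str, Set[str]], directory: Directory) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For every role in the feed, compute (to_add, to_remove) so that the
    mirrored group ends up equal to the enterprise authorization. Anyone
    added to a mirrored group by hand is scheduled for removal: the feed is
    the only path into these groups. Roles absent from the feed are left alone."""
    changes = {}
    for role, holders in role_feed.items():
        group = GROUP_PREFIX + role
        current = directory.groups.get(group, set())
        changes[group] = (holders - current, current - holders)
    return changes


def reconcile(role_feed: Dict[str, Set[str]], directory: Directory,
              max_removals: int = 25) -> Dict[str, Tuple[int, int]]:
    """Apply the plan and return per-group (added, removed) counts.
    If one pass would strip more than max_removals members from a single
    group, treat the extract as broken and skip that group: a failed
    nightly ETL must not revoke everyone's access in one sync cycle."""
    applied = {}
    for group, (to_add, to_remove) in plan(role_feed, directory).items():
        if len(to_remove) > max_removals:
            directory.audit.append(f"skip {group}: {len(to_remove)} removals exceed {max_removals}")
            applied[group] = (0, 0)
            continue
        directory.ensure_group(group)
        for ufid in sorted(to_add):
            directory.add_member(group, ufid)
        for ufid in sorted(to_remove):
            directory.remove_member(group, ufid)
        applied[group] = (len(to_add), len(to_remove))
    return applied


def demo() -> Tuple[Directory, Dict[str, Tuple[int, int]], Dict[str, Tuple[int, int]]]:
    """Start from a directory where someone (99999999) was put in the
    travel-approver group by hand and one real approver is missing; run the
    sync twice. The second pass must be a no-op."""
    directory = Directory({"PS-UF_TRAVEL_APPROVER": {"12345678", "99999999"}})
    first = reconcile(ROLE_FEED, directory)
    second = reconcile(ROLE_FEED, directory)
    return directory, first, second


if __name__ == "__main__":
    d, first, second = demo()
    for line in d.audit:
        print(line)
    print(first, second)
```

The removal threshold is a blunt instrument; a production sync would also want to compare the extract's row count against the previous night's before applying anything. What the sketch does show is why the manual "run over there and add Susie" step goes away: membership is computed from the authorization record, and the same computation revokes access when the role is taken back.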
BizTalk
We are about a week away from going live with the production system. We have a Microsoft engineer coming on-site next week to help us with the actual final deployment of the production systems. This is an infrastructure project that puts new servers in place--a new SQL cluster backend. All that is in place as an infrastructure for supporting Service Oriented Architecture messaging and eventual improvement in access to enterprise information by local applications.
The first applications based on that infrastructure will be the account management applications, the revamping of Gatorlink username and password management based on a consistent, modern system application architecture. Some of the outcomes of that project will be a 16 character Gatorlink username and sunsetting of accounts based on affiliations. Right now we have a rather ad hoc undefined method for who gets an account and when that account goes away. We have worked through the policy statements regarding affiliation and accounts so we know who is entitled to have a Gatorlink and when they are and are not entitled to that. This is all potentially in the hands of local folks anyway because we have an affiliation called "Departmental Associate" that is department controlled. So if the department steps up and says this person is a departmental associate, as long as they are then the Gatorlink account will be there. But the new processes will create an automated expiration of accounts based on affiliations going out of scope. We have never had that before, but rather have relied on the departments to get rid of Gatorlinks when a person is no longer supposed to have one. That works in a very uneven manner across UF and is actually the stuff of quite a bit of urban legend. So, if you ask people when Gatorlinks go away, you would get a wide variety of different answers--some of which are true. So, with affiliated expirations of accounts, we think we can create the environment that some people think we already have.
We will also be moving to SOA for exposing information about account status to authorized recipients. So local applications and service providers that need that information will be able to get it via web messaging.
Steve asked if there is a timeline for this project. Mike responded that we will have a formal timeline pretty soon. We are going to formally announce the restart of this project, we have about 80% of the coding finished, and Mike expects that the actual implementation of this will be completed in about six months. There are some serious business cycle consequences of when things can be done and how things get moved over in regards to collision with the Fall term. These large-scale timing issues need to be worked out, but the formal restart will occur within a week or so, followed quickly by the formal timeline.
Steve asked about who is involved in the technical aspects of all this. Mike responded that this is actually an eclectic group of people from Bridges, people that work for Mike, people that work in UFAD, people on the PeopleSoft side, people who work on the portal, people at CNS who are involved with Kerberos and support systems there, as well as people at Academic Technology who are involved with systems. It touches a lot of things.
There are business processes that must be accounted for because one of the other things involved in this is a change in the guest account processes. Mike stated that they had requested and received feedback from people about the guest account and how that is used in processes all over the university. Mike found that to be a fascinating collection of stories about who uses the guest account, how they use it and how it gets shared around the university. We heard from people all over the state in IFAS on how they use the guest account. We heard how it is used to authorize wireless access for people staying overnight in the Reitz Union. There are all kinds of use cases around the guest account and a fair amount of change management that has to happen around new processes for guest accounts which will not include password sharing. It will include the ability for a large number of people, but authorized people (e.g., all faculty), to be able to create guest accounts for other people. There are all kinds of issues about how we will handle bulk and how we handle conferences--just a lot of issues of how we create appropriate business processes and support around guest accounts. The basic goal, however, is to get out of the shared password business around guest accounts. This is also a part of the Gatorlink account management process.
Mark Ross mentioned the problem that IFAS has with guest accounts in regards to the Master Gardener program. Mike said he had become well aware of that logistical problem.
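[Editor's added illustration covering two things Mike described above: affiliation-driven expiration of Gatorlink accounts, and guest accounts that are created by an individual sponsor instead of sharing one password. This is example code written for these notes, not the Bridges account-management application. Only the 16-character username limit comes from what was said; the affiliation kinds, the 30-day grace period, the 14-day guest cap, the sponsor rule (employees only), the username format and the sample accounts are all assumptions made for the example. The failure modes it handles: an account whose last affiliation ended lingers briefly and then expires without anyone filing a request; a guest cannot sponsor another guest; and a sponsor cannot hand out an open-ended guest account.]

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy knobs. Only MAX_USERNAME_LEN comes from the notes; the rest are
# hypothetical values chosen for the example.
ENTITLING_KINDS = {"employee", "student", "departmental_associate", "guest"}
SPONSOR_KINDS = {"employee"}        # affiliations allowed to create guest accounts
GRACE_DAYS = 30                     # days an account lingers after its last affiliation ends
MAX_GUEST_DAYS = 14                 # longest lifetime a sponsor may give a guest
MAX_USERNAME_LEN = 16
TODAY = date(2006, 3, 10)           # the meeting date, used as "now" in the demo


@dataclass
class Affiliation:
    kind: str
    start: date
    end: Optional[date] = None      # None means open-ended
    sponsor: Optional[str] = None   # UFID of whoever vouches for this affiliation

    def in_scope(self, on: date) -> bool:
        return self.start <= on and (self.end is None or on <= self.end)


@dataclass
class Account:
    username: str
    ufid: Optional[str]             # guests have no UFID in this example
    affiliations: List[Affiliation] = field(default_factory=list)


def account_status(acct: Account, today: date) -> str:
    """'active' while any entitling affiliation is in scope, 'grace' for
    GRACE_DAYS after the last one ends, otherwise 'expired'. The decision is
    derived from affiliation dates, not from a department remembering to ask."""
    entitling = [a for a in acct.affiliations if a.kind in ENTITLING_KINDS]
    if any(a.in_scope(today) for a in entitling):
        return "active"
    ended = [a.end for a in entitling if a.end is not None and a.end < today]
    if ended and today - max(ended) <= timedelta(days=GRACE_DAYS):
        return "grace"
    return "expired"


def create_guest(sponsor: Account, label: str, days: int, today: date) -> Tuple[Account, str]:
    """Create one guest account vouched for by an individual sponsor. Each
    guest gets its own username and a freshly generated secret (nothing is
    shared) plus a 'guest' affiliation that expires on its own. Only an
    account with an active sponsoring affiliation may call this."""
    if not any(a.kind in SPONSOR_KINDS and a.in_scope(today) for a in sponsor.affiliations):
        raise PermissionError("sponsor has no active sponsoring affiliation")
    if not 1 <= days <= MAX_GUEST_DAYS:
        raise ValueError(f"guest lifetime must be between 1 and {MAX_GUEST_DAYS} days")
    suffix = secrets.token_hex(3)                      # 6 hex chars keep usernames unique
    stem = "".join(c for c in label.lower() if c.isalnum())
    username = ("g" + stem)[: MAX_USERNAME_LEN - len(suffix) - 1] + "-" + suffix
    password = secrets.token_urlsafe(12)               # per-guest secret, given only to that guest
    guest = Account(username, ufid=None, affiliations=[
        Affiliation("guest", today, today + timedelta(days=days), sponsor=sponsor.ufid)])
    return guest, password


def create_guests(sponsor: Account, labels: List[str], days: int, today: date) -> List[Tuple[Account, str]]:
    """Bulk variant for a class or conference: one credential per attendee,
    all tied to the same sponsor and the same expiry date."""
    return [create_guest(sponsor, label, days, today) for label in labels]


# Constructed sample accounts.
SAMPLE_EMPLOYEE = Account("jdoe", "12345678", [Affiliation("employee", date(2000, 1, 1))])
SAMPLE_STUDENT = Account("astudent", "23456789", [Affiliation("student", date(2004, 8, 1), date(2006, 2, 20))])
SAMPLE_FORMER = Account("gone", "34567890", [Affiliation("student", date(2003, 8, 1), date(2005, 12, 1))])
SAMPLE_ASSOCIATE = Account("assoc", "45678901", [
    Affiliation("departmental_associate", date(2006, 1, 1), date(2006, 12, 31), sponsor="12345678")])


def demo() -> dict:
    guest, _ = create_guest(SAMPLE_EMPLOYEE, "Master Gardener", 7, TODAY)
    return {
        "employee": account_status(SAMPLE_EMPLOYEE, TODAY),
        "student": account_status(SAMPLE_STUDENT, TODAY),
        "former": account_status(SAMPLE_FORMER, TODAY),
        "associate": account_status(SAMPLE_ASSOCIATE, TODAY),
        "guest_today": account_status(guest, TODAY),
        "guest_after_expiry": account_status(guest, TODAY + timedelta(days=8)),
        "guest_username_len": len(guest.username),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The sponsor of record on each guest affiliation is what makes the Master Gardener case tractable: a county faculty member can issue a batch of short-lived accounts for a class, each one traceable to that sponsor and each one gone on its own when the class ends, instead of one guest password circulating around the state.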
Vista
Beta 2 of Vista is due in April with release to manufacturing in August. General availability through Dell, Lenovo, etc. will be in October. So this is actually moved up a couple of months from what we had heard about a month ago. We have a project going on and there is a public meeting next Thursday 10 AM in the J. Wayne Reitz Union Auditorium where we will be talking about Vista in depth for about an hour and a half. There are four themes around the Vista planning deployment that we are trying to make sure we address.
- One is user experience. We have an opportunity to study this and actually make it work right for our customers. Vista has a power management feature called "instant on", for example, that Mike feels could save UF about $2 million if deployed properly. So we want to think through carefully how Vista will be for our users.
- Security is another consideration. There is a particular full volume disk encryption technology within Vista called "BitLocker" for encrypting hard drives and then decrypting them using dongles and PKI. If that is not deployed in some organized fashion then we would really have some kind of a mess.
- Deployment is another concern. Mark asked if there had been any consideration to getting standard custom image builds from vendors. Mike responded that people have had mixed results with that. IFAS is interested in SMS and UF is interested in what we can provide centrally to support the coordination effort for deployment. For some folks, buying a pre-packaged machine with a university image on it and a university application set may make sense. Mark pointed out that some departments don't have support and Mike responded that he was very aware of that fact. He said that very little had changed at CLAS, for example, since he had left: 23 departments with varying degrees of support.
- The fourth main theme is application compatibility. UF has thousands of applications, some of which we are pretty sure will work (like MS Office applications :-) and then it goes down from there. Consequently, there will be effort around that issue.
Kathy Bergsma will be involved in the security angle. Mike has also talked to Ken Osfield from the ADA office, and he will be involved. We have a group of people that are coming together around this to try to get a better result than we have gotten in the past with OS rollouts.
Steve asked about students being added to the Microsoft Campus Agreement. Mike related that Core CALs (client access licenses) are now covered (paid for by university funds), but that does not include OS upgrades or MS Office. This will, however, allow us to continue to offer services that we had been doing under special arrangement. John Sawyer asked if there was a push to get the OS and office licenses for students. Mike responded that this was a money issue. Mike thinks everyone agrees that this would be better, but our fortunes in that seem tied to student government that changes every year. A new administration was just elected which we haven't met with. The administration which is going out of office right now did not have this on their agenda. The administration before that was very, very interested--so interested that they wanted to fund the entire thing themselves out of student government. Chuck Frasier and Mike Conlon actually talked them out of that because it would have essentially eliminated all their discretionary funds. Mike does understand that the new administration had fixing web mail as one of their campaign planks, so they must have some view of technology. So we will see, but our efforts in coming up with creative funding methods for that so-far have not been fruitful.
IT Reorganization
Mike is very involved with this and he talks to Marc Hoit all the time about it. Mike has his own responsibilities and views on this matter. He sees what has been proposed and what is actually being discussed as breaking down into three topics which are potentially separable.
One has to do with the job description of a CIO. Mike reports to the Senior Vice Presidents as the PeopleSoft Implementation Officer, and they are interested in having a better university. They look around at some of the chaos and it looks like an opportunity to improve things--but that is about the level at which they understand it.
So, it is important that the conversations move forward about what a CIO would do for a living--with the eventual goal of having a job description for a CIO that would include responsibility statements detailing what the CIO does and does not do. That hasn't happened yet and is an ongoing conversation and is one element of what is being discussed.
The second element has to do with the budget. Depending on who you listen to the IT budget shortfall is anywhere from $5-8 million annually. Officially we may be at $5 million in the red, but that doesn't include $1 million in unfunded required maintenance in classrooms. We have to do that, it is not optional, so we might as well say that we are $6 million short. According to Network Services we are also about $1 million short in terms of being able to provide wallplate services for everybody. Apparently, it is not agreed that we will provide wallplate for everybody and that is still under discussion. The thinking is that, if we were, we would need another $1 million to do that. And then there is a third $1 million that has to do with new services. We have proposals to create new services, but no money to create those. If we are $5 million short, that $5 million is only to do what we are currently doing--not to provide anything new. So, that all has to be clarified and Mike feels this is a front-burner issue. We just can't go into another year without knowing how that is going to get resolved.
Dwight Jesseman asked about the budget problems at Academic Technology. Mike responded that this resulted from a multi-year effort to build-out technology in the classrooms started by Lombardi and Capaldi. That effort was funded and implemented. Now, seven years later, you can walk into classrooms and there are projectors, podiums and laptops--all kinds of gear. But there is no maintenance budget. So we have put all this stuff out there, and it gets old and dies and goes away. They need to institutionalize the replacement of that and it just never happened.
So there are serious budget issues that need to be addressed. Mike said frankly that some of the structural things that occurred as a result of PeopleSoft have not been thought through from the budget perspective. For instance, a few years ago, IFAS had a bulk-rate contract with the datacenter to provide mainframe services to IFAS and get a bunch of reports off the mainframe. IFAS is smart. They looked at that and said we get our reports out of PeopleSoft now, and they are free. So we don't need a bulk-rate contract for IFAS with the datacenter--so they cancelled it. The same thing happened with the Health Center and with other people. Consequently, the datacenter looked at a budget shortfall and were no longer doing the work which they used to be doing. The work goes away and the money goes away--then what happens?
Mark Ross mentioned that reports are costing departments plenty. He is having to fix printers now because they are wearing out from printing reports. Mike responded that this was an interesting application of business processes and that he wasn't entirely sure why they might be printing out such large numbers of reports. Mike realized that Mark is just the unfortunate recipient of those decisions. Before PeopleSoft, UF had 17,000 budgeted entities (i.e., pots of monies that accountants took care of). Once PeopleSoft was implemented, people saw the opportunity to organize things the way they wanted and now we have 85,000 pots of money--every one of which comes with multiple reports.
Then the third thing regarding the proposed reorganization, which Mike believes has kind-of drawn all the attention, is services. What services should IT be providing on campus and how should those services be organized? Mike thinks that some things in the service area are relatively straight-forward and other things are really not. There are likely to be some things that can move faster than other things. Mike was interested to hear Marc Hoit say that some of these things may take 5-10 years; Mike believes that is right. There are discussions which we just haven't started. What is in and what is out, what happens first and what happens next, and what are the services and who gets what, and what do I do and what does this mean to me? Mike thinks that those are just huge tremendous issues that are going to require extensive facilitated conversation.
Mike believes these are three major factors in the proposed reorganization and they are potentially separable from each other.
Questions and Answers
Steve asked which version of Vista we would have access to under our campus license. Mike responded that we actually have access under that contract to all the versions--of course we would not want to deploy the home version on our campus. Mike wanted to make sure we understood that the current February CTP is intended for professional IT use only--so it is premature to have Vista in the hands of end users as it is still beta code and has issues of all kinds. You don't really want to be generating negative end-user feedback at this point. It is not an end-user product yet.
Steve mentioned that one of the questions that arose in his mind as Mike was talking about all these matters and projects is where do people find out about how some of these things get decided, get information on them and possibly get input into them--in other words, transparency of the whole process. How is that being handled? Mike responded "not well". We have a number of committees, but we probably need more places for people to be involved in the exchange of ideas about all of this. He said he could go down the list:
PeopleSoft: Wow! We really don't have advisory structures, input structures, facilitated conversation--anything. That is one of the reasons that they turned to Mike in December and said fix that. Of all the areas we have talked about, that one is actually the furthest behind in terms of mechanisms for people to get involved and be involved in what is going on there. Mike said that he has some ideas on that and there will be things done to improve that.
Mike realizes that this is a huge issue. There was very much a culture at UF around that domain of activity that really was of the mindset, we are going to write a memo and you are going to read it and do it. That's just not good enough. We just can't operate that way any more--it's just too complex for that. Mike believes that the IT folks have understood that better than most; he believes there is more history in IT of this kind of exchange at least, and people coming together and talking through issues and trying to figure out the consequences of making various kinds of changes. Mike thinks that on the business side there was a more command and control mentality. With complex integrated systems, it just can't work that way. The idea that there is a three-way conversation between the people who actually operate the systems, people who are responsible for the business processes at the university, and the people who execute the processes of the university--those three groups haven't talked, and they need to be talking all the time. We have just not gotten there.
- Active Directory: We have committees. We have a technical committee, we have a policy committee (for current membership see here at the bottom). There are opportunities there and BizTalk is part of that initiative; in some ways, so is Vista.
- Vista: The communication about Vista, outreach and coordination is going through the AD structure. We'll end up with monthly public meetings around Vista where we can discuss how it is going, with the first of those being next week.
- IT Reorg: That needs its own dedicated structures for organized conversation. Mike's understanding is that Marc Hoit has some ideas about that and that he will be making announcements about how he wishes to proceed with that. That is a whole other separate topic.
When it comes to access to the senior leadership, you all have it. There are the President and the three Senior Vice Presidents. The President is focused on the strategic issues and the operational issues fall on the Senior Vice Presidents. They are very engaged and Mike has been very impressed with their willingness to commit and engage on topics that are new to them--the PeopleSoft implementation for instance. That is not what Doug Barrett signed up for--he is a pediatrician--but his involvement in that has been extensive because he understands that the grant business has to work. This is a cash-based business and people have got to get paid. If that thing is shaky, then the university is shaky. Our senior administration is very engaged assuring that resources go into the right places, that people do what they said they were going to do, that we are doing the right things, and holding people accountable. Jimmy Cheek and Ed Poppell personally led the reporting taskforce to identify the financial reports that would be needed. They sat at the head of the table and they got the chief budget officers and financial people of the university together and said: seriously, what do you need. We have to stop complaining about it and we actually have to roll-up our sleeves and design something and build it. They were personally involved in that and remain so. Mike finds it impressive that such people who seriously have so many other things to think about would be so engaged in those kinds of processes.
Steve related that he had been looking at various ITAC meeting web sites and had found only one that posted minutes: the ITAC-DI & ADM committee (for data infrastructure and administrative computing resources) chaired by Steve Spritz, University Registrar. Steve asked Mike what his opinion was on getting that to be more universally done. He wondered if that was seen as having a negative value because it discourages frank discussion at these meetings. Mike responded that he thinks it very important to have open processes and posted minutes. He conceded that the Active Directory committee has not done that and admitted that as a personal failure. At the same time he stated that he is a busy person, but he would like to see minutes posted from all the committee meetings. [Perhaps when committees are formed they should be automatically staffed with administrative support for doing that?]
Mike then took the opportunity to correct something from the last ICC meeting, which he conceded was probably correct as stated, but which left a negative impression. The notes from the ICC meeting said that IFAS "had offered to do streaming of their [Active Directory] meetings for them and were declined." Mike said that what actually happened was the camera crew showed up unannounced and the committee had never discussed that video would be used at the meetings. Mike thinks that the committee is perfectly willing to have video at the meetings if they are given the chance to consider that and what it means to them, and to approve that. Mike thinks we can certainly take another look at that and have the result that everybody might expect. Steve thanked Mike and said he was very impressed that Mike had read our meeting notes. Mike said he wasn't quite so optimistic about minutes at those AD meetings, because he knew exactly where that problem lies [implying his lack of time to attend to that]. Chris Hughes asked if simple audio streaming might work there, and Mike thought that would be fine.
Chris Hughes and John Sawyer both asked about the significance of Bridges being quickly removed in a correction of the original DDD memo on the creation of a university wide Chief Information Officer. Mike responded that nothing has changed from the way things were before that announcement last Friday. That memo actually describes the situation just as it is and has always been. Mike said that, as had been described, he came up through the ranks. He was one of those faculty members who was responsible for his department's IT at one point. He was a UNIX root administrator in the old days, and did a bunch of Ethernet wiring. In those days he always thought "everything is really muddy down here and I don't understand how any of this works, and someday it will be much clearer". Mike said it doesn't get clearer. It's muddy all the way to the top. Mike is looking around and he has conversations with everybody involved at that level and it is no clearer there than it is anywhere else.
Mike stated that he has responsibilities as stated in a DDD memo regarding PeopleSoft. He is very much involved in the IT Reorganization. Marc Hoit signs Mike's paycheck. All of Mike's work and all of his accountability goes through the Senior Vice Presidents. Mike Corwin, who directs Bridges, reports to Ed Poppell. Mike is responsible for making sure that Bridges does what the Senior Vice Presidents want it to do. If that isn't clear enough--sorry. Steve added that it sounds like a pretty tough job. Mike responded that there is a lot of negotiation, there is a lot of listening and there is a lot of trying to understand how things really are and how we can make them better.
Dwight Jesseman asked about UF's budget being a zero sum game. If we see a deficit of $5 million, and we go through this IT Reorg, then where do we get the cost savings? Mike responded that budgets are interesting. Mike stated that he is definitely a "glass-half-full" kind of a guy. When he looks at that problem, he feels it is a solvable problem. It turns out, though, that whenever you think about a budget, there are two ways of dealing with it: put more money in or spend less money. Both options are available, along with any combination of each. Mike doesn't think that just putting more money in would be using all the options available--so he feels more thinking is needed there. If you are losing money, you can't make it up on volume. Steve stated that the other side of that is you can't keep saving money until you don't do anything. Mike said there is work that has to be done and we need to figure out what that is. That is what the zero-based budgeting concept is: figure out what work you MUST do and figure out how much money you MUST spend to make that work. You cannot look at the cost-to-continue constantly--which is sort-of where we are now: "I spent $19 million last year and I'm $4 million short." That's not thinking hard enough--we have to do better than that.
Chris Hughes asked what is being done currently by the UFAD group to remove locally assigned permissions. Mike responded that he knows of no changes being planned in that area. Chris said it was good to have that matter clarified as there had been indications to the contrary.
Chris then asked about how UFAD fits into this reorganization. Mike responded that no changes in the organization of Active Directory are anticipated at this time. There are reasons that it is organized the way it is. There is a whole topic of identity management at the university that Mike believes people are coming to understand better. Identity management is very important. We need to know who is at the university, how do we know that they are at the university, what are the credentials that they can use, how are they affiliated--all that. Those things cut across everything and that body of work needs to be done well. Part of Mike's job is to make sure that it is done well. So, structural changes to that will need to be considered against the ability of the university to provide those services. For example, the account management project will change some of the organizational responsibilities regarding identity management--frankly, it will consolidate it so that fewer offices are involved and the work can proceed in a more organized fashion. The same thing will happen regarding LDAP. It has been on the list to provide LDAP services from Active Directory. That's important because it will provide consistent LDAP services that we understand and that have an appropriate "pedigree". Having those kinds of services distributed across offices was never a good idea and it will take some time to get them into an office that is organized and collected around identity management. Consequently, Mike has been somewhat amused about conversations regarding structural changes there. We are proceeding to deliver services and to organize identity management at the university.
Dennis Brown said he has been very pleased with how we can now go to the GAL and everybody at the university is there. Dennis wondered what LDAP would give us that we don't have already. Mike responded that, for people using the GAL, probably nothing. But he also mentioned that the university is a really big complex place and some people use those LDAP services and they use them for other things. Understanding what LDAP is used for and how the service can be improved is important.
As one example, Mike talked about phonebook.ufl.edu. It is sort-of an obvious thing that we should be able to go to a web site and find people--but it hasn't been that easy. That system currently uses LDAP as its data source. In the current implementation, that's a bad idea. There has been talk about remodeling phonebook to do something fairly radically different, and Mike thinks we will eventually make this happen. Mike said this is an idea that we have no project behind. We think that the phonebook could be hooked up to a set of web pages that were automatically maintained and searched by the university Google engine. So, rather than using the kind of awkward, clumsy LDAP search capability that we have, with the "un-pedigreed" data source we are using and with the complexity of how the data got out of the UF Directory and got into the LDAP, and our inability to represent the university structure properly in LDAP, we think we can get rid of all that. We think we can use MIIS to provide a set of either public or internal web pages that are used to support phonebook and just have web pages that are written and re-written by MIIS whenever there is a change in the directory and then use a Google front-end to get all the power of Google in searching for people at UF. Technologically, this is very straightforward--we know exactly how to do that. It would allow you to do such things as enter a search like "conlon -student" with Google syntax; or type a person's name and "now technology" and find out that they had put that in their keywords. These are problems that the university has had for years and we are very close. We are making some progress toward getting the offices organized properly so that work can be done without all the "whose is that" conversation.
There are a number of applications which use LDAP authentication at UF, and we would like the LDAP to come off an ADAM-based (Active Directory Application Mode) service out of UFAD so that we know exactly what is in there and so that we know that the authentication coming off of LDAP is identical to what is coming off UFAD.
Steve ended our visit with Mike Conlon by expressing our appreciation for him taking the time to be with us.
Policy
The next ITPAC has been scheduled for May 1st.
Steve related that we have been charged by Joe Joyce with providing feedback on the Infostructure Taskforce report to ITPAC. We can do as little or as much as we want to on this, but we have an important opportunity to look at that and provide feedback. This is something that the ICC has not been traditionally very good at, but Steve encouraged everyone to look at that report. If there are projects that are of particular interest to your chairs or faculty, we should earmark those. We should find out which ones have the most bang for the least bucks and that can get done. Steve believes there is an opportunity there and he wants to encourage ICCers to do that. ITPAC is going to have a fairly important role on following up on that report and because we have a seat on ITPAC, we can have influence there.
Projects
Trailer for IFAS-ALL-L explaining the nature of the list
This item is listed on the agenda as completed. The intention is to move any completed projects to the top of our agendas for one last hurrah before being retired.
Dennis Brown suggested that the trailer might be moved to the beginning of the message so folks would actually see it. Dan Cromer indicated that this had been considered, but that it was felt it would annoy too many people by forcing them to scroll down past it to read the actual message each time.
Dennis then thought that the better issue might be who can post to that list. Ligia Ortega has been investigating other blog-based options for certain categories of announcements that might alleviate the need for many of the postings altogether--though this investigation is at a very early stage. Administration has not wanted to moderate this list, so many feel that we might separate the IFAS-ALL-L, for example, into two lists: one that would be opt-in for the peanut and plant sales, etc., and another that would be for official announcements. We would still need to determine who could send those official announcements, however, and control who had the roles to do that. Steve can raise this issue at the May ITPAC if all agree. It is really a policy matter and would be more appropriate for that venue.
Switch deployment
Chris Leopold has been very busy replacing switches around the state with the help of Ben Beach and others. The first week out, Ben and he drove 1229 miles, visited 14 remote sites, deployed 20 switches, re-located the network drops in Dixie CEO and resolved various network/PC issues at PSREU. The second week, Chris and Ben visited five more remote sites in the Northwest District, deployed six switches, and installed wireless at PSREU. Finally, this week they have been working at:
- Indian River CEO:
  - Re-locating 12 Cat5e drops to new location
  - Re-locating switch, Multi-Purpose Server and Domain Controller
  - Deploying new HP2626 and UPS
- St. Lucie CEO:
  - Re-terminating 50 drops on a new patch panel
  - Re-terminating fiber
  - Deploying one HP2650, two HP2626 and UPS
- Vero REC:
  - Installing HP2524 in new building
  - Installing fiber/copper connection, if available
- Dade CEO:
  - Deploying new HP2650 and UPS
- Homestead REC:
  - Deploying six new HP2626 w/UPS
  - Re-terminating fiber
With the completion of this work, the remote switch deployment project should be complete.
Exit processes, NMB and permission removal
Prior exit procedure discussion: at our last meeting, it was mentioned that Dan Cromer is working on this issue with Mary Anne Gularte, Director of the Office of IFAS Human Resources. As part of that, Dan has tasked Dean Delker to develop documentation on everything a new employee needs to do to use technology, starting with getting a UF ID, GatorLink account, PeopleSoft Roles, IFAS Directory entry, IFAS mailbox, etc. This is to be integrated with documentation provided by IFAS Personnel for all other new employee tasks. Paired with this will be like documentation for leaving IFAS, which will then be referenced by personnel on an exit checklist to be completed by the departing person's supervisor or other appropriate person.
Once we get the basic info available, the ICC will need to review that, provide suggestions, and revise as is appropriate. Dan is still working with Mary Ann on a process to get the lists of new and departing people, which would then be disseminated to those needing the information.
The goal is to tie IT staff into the exit procedures sufficiently that we are informed as people leave and can handle removing their access to various computer resources.
Dan Cromer wanted the ICC to know that he supports the suggestion that OU Admins have access to the NMB relation and be able to control that themselves for their unit. Dan wished there were finer granularity so that this single function could be delegated. Currently, a single directory role is assigned that gives you broad relationship control over all those in your unit; the right to modify the NMB relationship cannot be delegated individually. Documentation is available on the secure portion of the ICC site explaining NMB handling on hire and fire and how to obtain the rights to manage the NMB relationship.
Dan also wanted to clarify the terminology. Properly, we should use "directory liaison" to indicate those people who have rights to manage their unit's entries in the IFAS Directory. "Directory Coordinator" is the term used for those who can manipulate the UF Directory information similarly. There are units where these two directory systems are managed by separate personnel, although Dan is and has been trying to correct that. Currently, some IFAS Directory Liaisons do not have the appropriate role for being UF Directory Coordinators.
The long-term goal is to merge the two systems and do away with the IFAS Directory Liaison role. Currently, however, there is information in the IFAS Directory system that is not reflected in the UF Directory (e.g., notation of specialty and teaching/research/extension roles). If those cannot eventually be handled by the UF Directory, then we may need to maintain a system which joins our special info with that from UF indefinitely. That does allow, and would continue to allow, us to control the format of how that information is delivered, and that is seen as an advantage--at least in our current situation. We do need to move away from shadowing information for which the authoritative source is elsewhere, however, as much as possible. The UF BizTalk project may give us the tools to make a dynamic connection between our two systems in the not too distant future.
Dan mentioned that part of the problem is the lack of personnel to work on this project. Dr. Xin's time has been monopolized by the DDIS and Florida SART projects currently. The intention is to work on this when we can, however. Currently, we also use the IFAS Directory for various distribution lists and that is another complicating issue which must be considered. Moving to an Active Directory model for doing that (using Exchange lists rather than listserv lists) would be desirable, but we just haven't had the people to do that either.
Dan also wanted to remind us of a change which he had posted about to the ICC-L on February 24th: "All OU admins should be aware of this change, which will provide job action notifications to the unit department security administrator (DSA) for PeopleSoft. If you can set up a relationship with your unit DSA so that he/she sends you a copy, we can get a better handle on hire/terminate processes. The next step would be to include OU admins in the same e-mail system so that you'll get them along with the DSA." This should be very helpful, security-wise. We need to remove folks from their associated roles, including the NMB if appropriate, as part of their exit process and this can assist us in doing that--if we take advantage of it.
Dennis wanted clarification on how permission removal works via the permission removal site. He had used that and noticed some things remained as pending. Chris Hughes explained that one of these processes runs continually every 20 minutes. If you believe there is a problem, please contact him. Dennis' particular issue may be that the computers containing the resources to be removed are turned off. Also, there is no cleanup for computers that no longer exist--partially because we don't do a good job of removing those from UFAD. Either of those could lead to items remaining as pending.
Vista TAP
We had heard some things about VISTA earlier from Mike Conlon. There will be a Windows Vista TAP meeting next Thursday, March 16th, at 10 AM in the J. Wayne Reitz Union Auditorium. Dom Vila, Senior Microsoft Consultant for the UF TAP program, will be introduced. The meeting will cover goals and objectives of the program, its timeline and how folks can participate.
Chris spoke briefly about the plans for deployment of VISTA within IFAS. There are going to be WDS servers on campus and at every site which has a multi-purpose server. These will deploy Vista and we will have SMS with packages for the most common software packages within IFAS. Thus, when a new machine comes into IFAS in the future we will be able to just plug it into the network and a base image will be applied, after which SMS will install applications as desired by the various units. The SMS install is planned for mid-April and WDS will be deployed when Vista is released in August.
Dennis asked if these images would wipe out what is currently on a computer. Chris responded that he is looking at the Microsoft Solution Accelerator for Business Desktop Deployment version 3.0 that is currently in beta. This solution will take an XImage backup of the machine and store it locally if there is space, or otherwise on the network. It will then do a user state migration, placing all the user customizations in that backup as well. Vista will then be loaded from scratch, the system state will be restored and SMS will come in and install the applications. Should there be a problem, we will have automatic rollback to the backed-up image. All patches in Vista can be added to the base image using a merge operation that will be done every month. The patches for software applications will get added to SMS.
Chris believes we can use a single base image with customizations being handled via GPO and SMS. Bit Locker might require a separate image. In either case, Chris expects to use the Enterprise version of Vista. A base install for Windows XP will also be available.
Chris mentioned that the hardware requirements for Vista are fairly significant. There is going to be a standard recommendation at the UF level which will include processors, memory and video cards needed to run Vista well. The goal is to try to not deploy Vista on anything which doesn't meet those criteria--especially the video card issue. Wayne Hyde mentioned that requirements for high-end video are going to have a significant effect on UF's power bills.
Removal of WINS
We had planned to remove WINS the first of February, but Chris Hughes discovered that a number of login scripts still used old NetBIOS names. Chris assumes that other links like printers and drive mappings to those also exist elsewhere. Consequently, Chris wrote a script which was intended to be added to the IFAS login script on March 6, 2006. This script (ufad\if-admn credentials required) will enumerate all drive and printer mappings and record them in a SQL database. This database will then be queried to identify problem NetBIOS names and a script will be developed to correct these problem names.
Unfortunately, Chris has had to devote his attention to the new SQL server and could not get to that. It is now planned for either this weekend (time allowing) or March 28th.
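The enumeration step described above, written as an added example in PowerShell; this is not the script Chris Hughes wrote and the ICC notes do not show his code. It runs in the user's logon context, lists mapped drives and network printers, flags any target whose server part is a bare NetBIOS name (no dot) rather than an FQDN, and records each finding with a parameterized INSERT so that odd share names cannot alter the SQL. The dbo.LogonMappings table, its columns and the connection string are assumptions; pass -NoDatabase to only print the findings.

```powershell
# Added example (not the ICC's script): enumerate the current user's drive and
# printer mappings, flag bare NetBIOS server names, record them in SQL.
# Assumptions: table dbo.LogonMappings with the columns used below, and a
# placeholder connection string that must be replaced before use.
param(
    [string]$SqlConnection = 'Server=IF-SRV-SQL-PLACEHOLDER;Database=Mappings;Integrated Security=True',
    [switch]$NoDatabase
)

function Get-MappingRecord {
    param([string]$Kind, [string]$Local, [string]$Target)
    # Only UNC targets (\\server\share) matter here; skip anything else
    if ($Target -notmatch '^\\\\([^\\]+)\\') { return }
    $server = $Matches[1]
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        UserName    = $env:USERNAME
        Kind        = $Kind
        LocalName   = $Local
        Target      = $Target
        Server      = $server
        # An FQDN contains a dot; a bare NetBIOS name does not and relies on WINS or broadcast
        UsesNetBIOS = ($server -notmatch '\.')
        Seen        = (Get-Date)
    }
}

function Get-MappingTargets {
    $records = New-Object System.Collections.Generic.List[object]
    # Mapped drive letters: DeviceID is the letter, ProviderName the UNC path
    foreach ($d in Get-CimInstance Win32_MappedLogicalDisk) {
        $r = Get-MappingRecord -Kind 'Drive' -Local $d.DeviceID -Target $d.ProviderName
        if ($r) { $records.Add($r) }
    }
    # Network printer connections are the Win32_Printer objects with Network = True;
    # their Name is the \\server\printer path
    foreach ($p in Get-CimInstance Win32_Printer | Where-Object { $_.Network }) {
        $r = Get-MappingRecord -Kind 'Printer' -Local $p.ShareName -Target $p.Name
        if ($r) { $records.Add($r) }
    }
    return $records
}

function Write-MappingRecord {
    param([System.Data.SqlClient.SqlConnection]$Connection, $Record)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = 'INSERT INTO dbo.LogonMappings ' +
        '(Computer, UserName, Kind, LocalName, Target, Server, UsesNetBIOS, Seen) ' +
        'VALUES (@Computer, @UserName, @Kind, @LocalName, @Target, @Server, @UsesNetBIOS, @Seen)'
    foreach ($prop in $Record.PSObject.Properties) {
        # SqlClient needs DBNull rather than $null for empty columns (e.g. a printer with no ShareName)
        $value = if ($null -eq $prop.Value) { [DBNull]::Value } else { $prop.Value }
        [void]$cmd.Parameters.AddWithValue("@$($prop.Name)", $value)
    }
    [void]$cmd.ExecuteNonQuery()
}

$records = Get-MappingTargets
$records | Format-Table Kind, LocalName, Target, UsesNetBIOS -AutoSize

if (-not $NoDatabase -and $records.Count -gt 0) {
    $conn = New-Object System.Data.SqlClient.SqlConnection $SqlConnection
    $conn.Open()
    try     { foreach ($r in $records) { Write-MappingRecord -Connection $conn -Record $r } }
    finally { $conn.Close() }
}
```

The UsesNetBIOS column is what the follow-up query would key on: every row where it is true is a mapping that will break once WINS is gone, and Computer plus UserName tell you which login script or user profile carries it.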
Listserv confirm settings
Approval has been obtained from administration for doing this, but we are still awaiting documentation prior to any notification and implementation steps.
New IFAS IP Plan
Chris Leopold is out in the field working on the final switch deployment issues, but he left information with Steve on this matter. The new IFAS IP plan is his next big project after finishing the switch deployments. We need this done ASAP because of our upcoming Microsoft SMS implementation project scheduled for mid-April. That application is subnet-centric, so we must have the IFAS re-numbering done by that time. Marcus Morgan has released the necessary public IP addresses to CNS and Chris has promised to have this project done and all of IFAS's current IP addresses returned (excluding 128.227.242.0/24 and 128.227.68.128/25) to UF by no later than the end of April. Marcus relayed that this is a major investment of IP address space on his part, but that it offers both a very good return of public numbers to him and promises improved order and structure to IFAS. Marcus has requested a completion schedule with weekly progress reports via e-mail.
Move to IF-SRV-WEB
Chang Lin, programmer assigned to this project, has completed the software program that enumerates the local FPSE groups on IF-SRV-WEB01 and IF-SRV-WEB02 and populates the appropriate AD global website administrative groups. This now means that all dev-websites will soon have the proper permissions assigned. Once that is done, these global groups can be mail-enabled and an announcement can be sent to the website administrators about the migration.
New File Server
Dwight Jesseman reported that space on \\if-srv-file01 was getting tight and that he would be forced to set aside other projects to address that issue. There had been some issues with a UPS for the new file server, but those have been resolved and it has been built and they are in the process of moving folks to it--initially Plant Pathology and WEC. There are some groups, like IFAS IT, for whom that move will entail a considerable amount of space (on the order of 100 GB). Dwight will be trying to work with some of our larger clients (FSHN, OCI, Ag Eng, Cals, and 4H for example) to identify which groups will be moved and when. Other groups who want to make use of that server should contact Dwight.
DFS is used for the mapping in the logon scripts and for client access to the server. As an example, for Entomology, the specification would be "\\ad.ufl.edu\ifas\entnem". The structure beneath that is envisioned to include folders for "public" (for things to be shared with other users within UFAD), "unit" (for things to be shared within the unit only), and "users" (with individual permissions for each user). Mark Ross mentioned that this is working great for his unit.
Remedy Project Update
At the last meeting it was mentioned that we are on the last developments steps prior to announcing the availability of this system to all of IFAS. This involves the creation of a means for OU Admins to control ticket assignment and e-mail notification for tickets which are generated by individuals within their respective OUs.
Dwight reported that there is now a web site which has been created where OU Admins may go to for controlling this (that site name will be withheld from these notes until the security of it has been more carefully considered). If there is more than one admin within your OU, you will be able to select a single person to receive ticket assignments--or you can choose to have those go to the Help Desk. Those who elect to receive assignment will also receive e-mail notifications. If you are not having tickets automatically assigned to you, you can choose whether or not to receive just e-mail notifications. This will allow OU Admins flexibility in how they participate.
Dwight said that Adam Bellaire is working on the programming at the Help Desk side and once the notification linkages are complete, Dwight will come back to us for final approval for notification and deployment to all.
New SQL Server
This has been built, is in partial production currently, and will be in full production this afternoon.
Operations
Continuing cleanup of the IFAS e-mail routing system
Dwight mentioned that he has a current list of people with both a UF and an IFAS mailbox, but who do not have a forward set to IFAS from GatorLink. This is not compliant with IFAS policy 6C1-6.150-4. Those individuals will be notified that, in lieu of opting out of their IFAS mailbox, a forward will be set for them. Since people may always go in and clear that forwarding themselves, this highlights the need for a UF-level "Mailbox Managed by" attribute as proposed by the UFAD technical committee. This will be a continual administrative burden until such a thing is available. On the other hand, Dwight mentioned that this matter inconvenienced only 104 people during the mail changes. Steve agreed that the e-mail transition had gone marvelously well with very few end-user issues.
DHCP Callout
Wayne Hyde mentioned that, while this isn't a current project, we do wish to continue having discussions on what we can do to control access by non-authorized computers to our network. There are various issues here, including making sure all publicly accessible ports are configured properly. The possibility does exist to control DHCP IP assignment from a managed list of MAC addresses--giving authorized machines access and putting others in a sandbox VLAN of some sort. One method to manage those MAC addresses would be to use ePO and possibly join that info with an additional set (for machines not using ePO) that could be controlled by OU Admins via a web interface. MAC spoofing makes this a somewhat weak security solution and better solutions have major costs which we cannot afford at this time.
It was suggested that we continue this discussion via the ICC-L. Dennis mentioned that his postings to the ICC-L often get private responses. Steve said that folks are often shy about responding to the list, but we need to continue to encourage folks to post responses there so all may benefit. The attitudes expressed in those posts can do a lot to encourage or discourage that, so let's give careful consideration to that.
John Sawyer mentioned that the difficulty is doing this within the Windows environment using Windows DHCP. There are free solutions for Linux for example and a number of places on campus (Shands, HSC and CIRCA) have implemented that.
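An added example of the managed-MAC-list idea Wayne raised, not anything the ICC built: later Windows DHCP servers (Server 2008 R2 and newer) do have a link-layer allow/deny filter, exposed through the DhcpServer PowerShell module, so the difficulty John described no longer requires a Linux DHCP server. The script loads a combined list (the CSV content is constructed to stand in for an ePO export plus an OU-admin-maintained list), normalizes and validates each MAC, adds missing entries to the server's allow list, reports entries that are allowed but no longer on the list, and only then switches the allow list on. The server name is a placeholder; pass -DryRun to see what would change.

```powershell
# Added example (not from the ICC notes): populate the Windows DHCP link-layer
# allow filter from a managed MAC list so unlisted machines get no lease.
# Assumes the DhcpServer module; the server name is a placeholder.
param(
    [string]$DhcpServer = 'if-srv-dhcp-placeholder',
    [switch]$DryRun
)

# Constructed sample: one row per authorized interface, in the mixed formats
# an ePO export and a hand-maintained list might actually use.
$allowListCsv = @'
Source,Hostname,MacAddress
ePO,IF-ENT-LAB01,00-1A-2B-3C-4D-5E
ePO,IF-ENT-LAB02,00:1a:2b:3c:4d:5f
OUAdmin,if-ent-printer,001A2B3C4D60
OUAdmin,bad-entry,not-a-mac
'@
$entries = $allowListCsv | ConvertFrom-Csv

function ConvertTo-DhcpMac {
    # Normalize to the XX-XX-XX-XX-XX-XX form the DhcpServer cmdlets use;
    # return $null for anything that is not exactly 12 hex digits.
    param([string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return $null }
    return ($hex -replace '(..)(?!$)', '$1-')
}

# Desired state: normalized MAC -> description, with bad rows rejected loudly
$desired = @{}
foreach ($e in $entries) {
    $mac = ConvertTo-DhcpMac $e.MacAddress
    if (-not $mac) {
        Write-Warning "Skipping $($e.Hostname): '$($e.MacAddress)' is not a valid MAC address"
        continue
    }
    $desired[$mac] = "$($e.Source):$($e.Hostname)"
}

# Current state on the server
$current = @{}
foreach ($f in Get-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow) {
    $current[$f.MacAddress.ToUpper()] = $f.Description
}

# Add what is missing
foreach ($mac in $desired.Keys) {
    if (-not $current.ContainsKey($mac)) {
        Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Allow -MacAddress $mac `
            -Description $desired[$mac] -WhatIf:$DryRun
    }
}

# Report, but do not silently delete, entries the managed list no longer authorizes
foreach ($mac in $current.Keys) {
    if (-not $desired.ContainsKey($mac)) {
        Write-Warning "Allowed on $DhcpServer but absent from the managed list: $mac ($($current[$mac]))"
    }
}

# Enable the allow list only once it is populated; enabling an empty list
# would refuse every client on the network
if (-not $DryRun -and $desired.Count -gt 0) {
    Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Allow $true
}
```

Two caveats carry over from the discussion: a DHCP filter only withholds a lease, so the sandbox VLAN part of the idea needs enforcement on the switch side; and, as Wayne noted, a MAC address is trivially changed by the machine's owner, so this raises the bar for accidental connections rather than deliberate ones.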
Local admin password automation
Chris Hughes implemented this for Entomology at Steve Lasley's request. Steve has produced documentation (ufad\if-admn credentials required) on how this is accomplished. The intention is to eventually make this available for any unit who wishes to use it. Steve reported that it works well overall and has greatly alleviated his concern over his former local password management system.
Computers with passwords older than 83 days
Chris Hughes would like to automatically remove machines whose passwords are older than 90 days. This matter was discussed via the ICC-L, but never implemented. There seems to be some misunderstanding of the relationship between machines on this list and whether or not these machines have expired accounts and must be re-joined to UFAD anyway.
Chris clarified this, saying that if they have been turned on during this period, but have been off our networks (as is often the case with laptops that have been taken home, for example) then they will have expired machine accounts. This is because machines change their passwords every thirty days and if they have done this twice, they can no longer authenticate to UFAD. Machines that are connected to our network, but which have been off for 90 days, will show in the list but still have valid machine accounts. Those machines will continue to work normally once they are turned back on.
In any case, this list of computers never seems to go down and OU Admins are not doing a good job of removing those. Chris can supply a script for those who wish to use it, that will remove such machines, and he can easily modify that so it saves the descriptions that some might otherwise find difficult to recreate should any of those machines require re-joining to UFAD. It seems, however, that a number of us are not aware of the reporting site and have not subscribed to the various reports available there. If there are reports that you want, but don't find there, all you need do is ask Chris Hughes. This is an extremely useful tool which we should make better use of.
Mark Ross stated that laptop users--including senior administrators--need to be taught to VPN in at least once a month.
To summarize: if automatic removal was implemented, and each of us subscribed to the "Computers with passwords older then 83 days" reports, we would still have 7 days within which to turn on infrequently used machines so they could change their machine passwords and be removed from the list (not to mention that these should be turned on anyway after each monthly patch period in order to keep them secure). This would prevent those from being deleted from UFAD. Laptops that had been turned on frequently but kept off our networks for a period of a few months would have expired accounts anyway and might as well be removed from UFAD. If a machine has been attached to our network, turned on, and still remains on this list--there is a problem.
Also, for machines that remain plugged into our network, but are kept off generally because they are used only once or twice a year, we could set those passwords to never expire; this is something that DeepFreeze does.
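An added example of the report-then-remove workflow summarized above; it is not Chris Hughes's script, which the notes do not reproduce. It lists computer accounts whose password is older than the 83-day warning threshold, archives each account's description (the part that is hard to recreate after a re-join) to a CSV, and deletes only those past 90 days, and only when -Remove is given. The search base OU and report path are assumptions; the ActiveDirectory module is required.

```powershell
# Added example (not the ICC's script): report stale computer accounts, keep
# their descriptions, and remove only those past the 90-day mark on request.
# Assumptions: ActiveDirectory module, an IFAS OU at the path below, a
# writable -ReportPath.
param(
    [int]$WarnDays      = 83,
    [int]$RemoveDays    = 90,
    [string]$SearchBase = 'OU=IFAS,DC=ad,DC=ufl,DC=edu',   # assumed OU path
    [string]$ReportPath = '.\stale-computers.csv',
    [switch]$Remove
)
Import-Module ActiveDirectory

$now        = Get-Date
$warnCutoff = $now.AddDays(-$WarnDays)

# PasswordLastSet is the machine account's last password change. A domain
# member rotates it every 30 days while it can reach a DC; one that has been
# powered on but off the network through two rotations can no longer
# authenticate, while one that was simply powered off still can.
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $warnCutoff } `
            -SearchBase $SearchBase `
            -Properties PasswordLastSet, LastLogonDate, Description, OperatingSystem

$report = foreach ($c in $stale) {
    $age = [int]($now - $c.PasswordLastSet).TotalDays
    [pscustomobject]@{
        Name              = $c.Name
        PasswordAgeDays   = $age
        LastLogonDate     = $c.LastLogonDate
        OperatingSystem   = $c.OperatingSystem
        Description       = $c.Description
        DistinguishedName = $c.DistinguishedName
        # Between 83 and 90 days the owner still has time to power the machine on
        Action            = if ($age -ge $RemoveDays) { 'remove' } else { 'warn' }
    }
}

# Archive first: the description survives even if the account is deleted below
$report | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table Name, PasswordAgeDays, LastLogonDate, Action -AutoSize

if ($Remove) {
    foreach ($r in $report | Where-Object { $_.Action -eq 'remove' }) {
        # -Confirm prompts per account; add -WhatIf here for a dry run
        Remove-ADComputer -Identity $r.DistinguishedName -Confirm
    }
}
```

Run it without -Remove from a scheduled task to produce the weekly report, and with -Remove interactively once the warn-period machines have had their chance to check in; the CSV is the record to consult when one of the removed machines turns up and has to be re-joined.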
Other Discussion
Authoritative list of tech support folks in IFAS
This is something Dan and Steve both desire greatly. With regard to IF-ADMx accounts, whose holders should all be included in the ICC ranks, Steve has suggested that the matter be a topic of discussion at an upcoming staff meeting--to consider:
- which of the IFAS-Central-IT Server Admins group members should add and remove such accounts,
- based on what criteria, and
- who should be informed of those changes as they occur.
Steve is particularly concerned that changes involve notification and would appreciate being in that loop.
Regarding the broader issue of ICC membership, Steve is unclear as to where we are with our proposed official IT technical contact list. He has the feeling that there are contacts--for departments without a true IT support person--of whom he is unaware. Steve wonders whether we shouldn't have a policy where the unit DSAs are the fallback contact in this regard, in those cases where a director or chair has not specified such a person.
Steve would also like to note that the ICC-L membership list is an increasingly poor indicator of our membership. That is why he keeps a separate distribution group ". IFAS-ICC" that includes a subset of the ICC-L. It is also why he sends out meeting notices in the current dual fashion. Steve would like to build and maintain a hierarchy of groups (formally, within the AD structure) having various relationships to the ICC that could better control notification and rights assignment:
- Unit IT Technical contacts
- IF-ADMx account holders (i.e., server admins)
- OU Admins
- Other interested parties
Steve believes that item 2 is the only one that is currently represented by an actual security group in UFAD. The ICC membership includes categories 1-3 and the 4th rounds out the ICC-L to all persons interested in our dealings. Steve also assumes that some person or persons within IT/SA will need to maintain the memberships of groups 1-3 as they are the only ones who have the access rights to do that. Since those groups comprise our membership, Steve's role would seem to be only one of notification: welcoming new folks, bidding farewell to those leaving, and informing the entire group of the various comings and goings--something which he already does. We just need to work more on the comings and goings. The ICC chair and other managers of the ICC-L can handle group 4.
Steve thinks we should create the necessary groups in UFAD and develop the proper hierarchy and overlap among the groups. An individual ICC member might be a member of just group 1, of both groups 1&2, or of all three groups. This would suggest that group 1 should be composed of group 2 plus individual accounts for those who have only that technical contact role. Group 2 would consist of group 3 plus those individual server admins who are not OU admins. This would make group 1 the official ICC membership list and what is now ". IFAS-ICC" could contain that group plus individuals in category 4 above. Such a structure would allow an individual to be populated once in a single appropriate group and the resultant relationships would cascade down as appropriate.
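The nesting Steve describes, as an added PowerShell example; the ICC notes propose this structure but do not show it implemented, and nothing here is IT/SA's code. The script creates the four security groups if they are missing, nests them so that group 2 contains group 3 and group 1 contains group 2 (with the notification list containing group 1), adds each sample account to exactly one group, and then expands group 1 recursively to show the cascade. Group names, the OU path and the sample sAMAccountNames are assumptions; the script is safe to re-run.

```powershell
# Added example (not implemented in the ICC notes): build the proposed nested
# ICC group hierarchy idempotently and show the resulting cascade.
# Assumptions: ActiveDirectory module, the OU path, group and account names.
Import-Module ActiveDirectory

$GroupPath = 'OU=Groups,OU=IFAS,DC=ad,DC=ufl,DC=edu'   # assumed OU for the groups
$G = @{
    Contacts = 'IFAS-ICC-UnitContacts'   # group 1: unit IT technical contacts = official ICC membership
    Admins   = 'IFAS-ICC-ServerAdmins'   # group 2: IF-ADMx account holders
    OUAdmins = 'IFAS-ICC-OUAdmins'       # group 3: OU Admins
    List     = 'IFAS-ICC-List'           # group 1 plus other interested parties (the ". IFAS-ICC" role)
}

function Initialize-IccGroup {
    # Create a security group if it does not exist; return the group either way
    param([string]$Name, [string]$Description)
    $g = Get-ADGroup -Filter { Name -eq $Name } -SearchBase $GroupPath
    if (-not $g) {
        $g = New-ADGroup -Name $Name -Path $GroupPath -GroupScope Global -GroupCategory Security `
                         -Description $Description -PassThru
    }
    return $g
}

function Sync-IccGroupMember {
    # Add only the members that are not already direct members, so re-runs are harmless
    param([string]$Group, [string[]]$Members)
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName)
    $missing = @($Members | Where-Object { $_ -notin $current })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $missing }
}

# 1. The groups themselves
Initialize-IccGroup -Name $G.OUAdmins -Description 'ICC: OU Admins' | Out-Null
Initialize-IccGroup -Name $G.Admins   -Description 'ICC: IF-ADMx server admins' | Out-Null
Initialize-IccGroup -Name $G.Contacts -Description 'ICC: unit IT technical contacts (official membership)' | Out-Null
Initialize-IccGroup -Name $G.List     -Description 'ICC: notification list' | Out-Null

# 2. The nesting: group 2 contains group 3, group 1 contains group 2, the list contains group 1
Sync-IccGroupMember -Group $G.Admins   -Members $G.OUAdmins
Sync-IccGroupMember -Group $G.Contacts -Members $G.Admins
Sync-IccGroupMember -Group $G.List     -Members $G.Contacts

# 3. Each person is populated once, in the single most specific group
#    (sample sAMAccountNames are assumptions)
Sync-IccGroupMember -Group $G.OUAdmins -Members 'ou-admin-sample'          # OU admin, hence also server admin and contact
Sync-IccGroupMember -Group $G.Admins   -Members 'server-admin-sample'      # server admin but not an OU admin
Sync-IccGroupMember -Group $G.Contacts -Members 'unit-contact-sample'      # technical contact only
Sync-IccGroupMember -Group $G.List     -Members 'interested-party-sample'  # category 4: list only

# 4. Verify the cascade: the three sample admins/contacts appear when group 1 is
#    expanded recursively; the category-4 account does not, since it is only on the list
Get-ADGroupMember -Identity $G.Contacts -Recursive | Select-Object Name, SamAccountName
```

Because membership cascades through nesting, rights or mail routing granted to group 1 automatically cover every OU admin and server admin without anyone being listed twice, which is the single-population property Steve is after.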
The meeting was adjourned on-time, right at noon.