Candace Soderston & Matt Sargent

Collab team meetingDecember 12, 2011

-- RICE UX & BA REPORT--INPUT FROM INSIDE & OUTSIDE

THE KUALI COMMUNITY

STAFF FROM 16 UNIVERSITIES RESPONDED TO A USER EXPERIENCE SURVEY BEFORE KUALI DAYS 2011Workflow Survey (7 universities) IdM Survey (12 universities)

Iowa State University Michigan State University University of California, BerkeleyUniversity of Hawaii * University of Connecticut * University of Maryland * University of Washington

Lehigh University MITOhio Northern University University of Southern California* University of Connecticut * University of Maryland * University of Washington

+Carleton College +Duke University +Rensselaer Polytechnic Institute +University of Iowa+University of Saskatchewan

Note: * Same person from Uconn, 2 different people from UMD & UW . 18 respondents total. + = 5 universities outside the Kuali community

TYPES OF IMPROVEMENTS WANTED?

25%50% 38%

25%

33%

17%

% of people rating "Extremely Important to Improve"

Workflow IDM

Import / sync Identity data (3.86., 4.0 )

Create / update / delete users’ identities (4.43, 4.38)

Create / update groups, roles, lists (4.57, 1.38)

Create an alternate or delegate (4.29, 3.75)

Find information or function (3.86, 5.13 )

Define, update, delete routing rule (3.71, 4.63 )

Add approver to list for a doc (3.57, 2.13)

Install workflow tools or customize set up (3.63, 5.13 )

Define, update, delete a document type (3.57, 2.25 )

(Average frequency x= 3.67)

Higher Frequency(7=dailly)

Lower Frequency(1=never)

Define, update, delete a business rule (3.57, 5.13 )

Define, update, delete a node, graph, or workflow (3.57, 3.88 )

Restart approval processing (3.43, 2.13 )

Edit/check code syntax (3.86, 2.88 )

Delegate some control to user self-service (2.71, 3.38 )

Set up rules for a department or team, different from others (2.43, 4.88 )

Higher Importance to improve

(10=top ranked)

Lower Importance to improve

(0=not in top 10)

(Average Importance= y=3.67)

Strategic Opportunity QuadrantDifferentiation Opportunity Quadrant

Keep PaceLower attention or upcoming paradigm shift?

Workflow Creation and Management Survey - Results

Workflow - Most important requirement?• Ease of use (6):

• Ease of use

• Ease of use

• Ease of use and not overly complex to end users

• End user self-service to design, test and deploy end-to-end solution

• Flexible and easy to use

• Flexibility and inherited relationships

• Rapid development systems.

• We need to map workflow responsibilities to roles that are constrained by organization code and level within organization code and then have the workflow engine understand how to route based upon rules that can be organization specific. Short way of saying we want awesome KEW integration with KRMS and KOM (and KIM of course) --- with ability to override any/all services specific.

WHAT DO YOU LIKE LEAST ABOUT THE TOOLS YOU USE TODAY TO CREATE AND MANAGE WORKFLOWS?

• I'm the one who has to do the extending

• Too many different tools that don't integrate well with each other

• Lack of visual tools for designing and displaying workflows

• Lack of documentation, limited community expertise

• It doesn't have an integration with a text editor or IDE. It provides two HTML boxes to code in JavaScript. I have worked around it by doing a copy paste, and working with a text editor

• I don't like managing xml using an xml editor, which in my eclipse is like a glorified text editor. But I guess there's no GUI to create or manage workflows available so I'm stuck doing it this way

Missing tasks?

• User support - assist users in how to accomplish tasks, answer workflow questions.

• Workflow troubleshooting (4):

• Workflow troubleshooting - stalled routes, missing approvers, etc.

• Statistics and reporting - provide numbers for different types of workflow tasks, volumes, etc.

• Check on status of submitted user identity info

• Search for documents - I do this frequently as I check on the routing status of items.

• (Explanation of choices) anything to do with identities, roles and permissions (including delegation) is handled outside of the workflow systems. (Better interoperability)

Additional things you’d like to do but can’t today?

• Design a workflow either visually (preferred) and/or in combination with a wizard tool that guides an end user/BA thru the workflow definition process (nodes, roles, rules, etc.) and then automagically creates the necessary inputs to the workflow runtime engine.

• Centralized authorizations, additional attributes and roles besides primary

• More nuanced classification of delegates - in some cases would like to be able to have both the delegate and the person in the role get emails and see items in their action lists. In other cases would like the primary to get them and then the delegate to get notification after X time has passed.

OPTIONAL) WHAT QUESTIONS ABOUT YOUR WORKFLOW CREATIONAND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOTASK, THAT YOU WISH WE DID?

(AND WHAT WOULD BE YOUR ANSWER TO THESE!)

• Q: What technical skill level should be required to build/manage workflow?

• A: Non technical for basic workflow and highly technical only for complex workflow solutions

Facets of Identity Management

Within Kuali community:• open standards • good documentation and getting started guides • The ability to customize it to meet the needs of our business practices and work flows• Clean service interfaces • Identity merge/match functionality is the most important capability• Federation Outside Kuali community:• Ease of access from other systems using standard protocols• Ease of getting setup and going. Match to our existing functionality • Improved functionality over existing system - migration must be a step forward - moving

backwards or even sidewise in function is a lose• Ability to de/provision flexibly and reliably in heterogeneous systems based on rich business rules

defined in the solution• Workflow that is easy to maintain, in which complex logic can be embedded, and where the steps

can invoke either interactions with people or with agents

IdM - Most important requirement?

WHAT DO YOU LIKE MOST ABOUT YOUR TOOLS?Within the Kuali community:• Open source

• Flexible. Efficient. Supportable by a small team. Based on open standards.

• CAS, kerberos and ldap are industry standards and work well with our open source applications.

• supports consortial operations; Shibboleth is a standard with wide support

• We use university NETID's everywhere, its great to have a common username across all university services

• Centralizing process of assigning roles and determining resources based on this assignment.

• The matching logic integrated into the university’s ID assignment process The structure and simplicity of the Roles Service

Outside the Kuali community:• They meet our specific needs. We can make changes as needed

• The flexibility of our tools is fairly good, we have a lot of different things to use for different tasks at our disposal.

• Good fit for our needs

• We are able to express the fairly complex logic that goes into managing identities, roles and access permissions.

• Ability to get canonical identity information from official University sources; ease of configuration of Spring-LDAP module

WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS?Within Kuali community:

• homegrown solutions are limited and outdated and need to be replaced

• LDAP is not equal to IdM

• Not well documented and therefore reliant on a few experts

• complex environment which is difficult to debug

• Changing the web interface is not easy. We have a lot of real estate used for built-in fields we don't use

• There is no centralized storage for users and no way to share files in a native drive-letter mapped way that leverages NETID and university groups membership

• Batch (nightly) feeds for most data integration (except university ID and Roles which are real time services).

• Too many ways to authenticate... (1) X509 personal certificates, (2) Kerberos user name & Password, (3) Touchstone's internal account creation. Difficult for non-core (i.e. departmental) applications to plug into these services so they often don't bother to.

WHAT DO YOU LIKE LEAST ABOUT YOUR TOOLS? (CONT)

Outside Kuali Community:

• Some of it is written in dated technologies. We do not have enough resources to catch up on some needed changes

• Some older tools need revision, some tasks areas poorly supported.

• Sometimes there are multiple sources of information for the same identity; interface I have to Grouper is difficult to use

• Implementation of business rules in multiple systems is a huge problem.

• Would like to have the bulk of the rules implemented in just one place. The (lack of) interconnectedness of our tools causes difficulty in making any kind of change.

• We don't have a great way to enforce access management broadly other than with Active Directory groups, thus we have a problem with token size due to the huge number of groups in AD. Some kind of policy/enforcement management engine (XACML?) would probably help.

Do These Results Represent You? (cont)

Export/Import/Synchronize identity data with other repositories or application

Provision users

Add or update a person, group or role and the permissions profile

Set up access for a particular department or team (different from others)

Edit / check code syntax

Identify and resolve duplication of registry records

Install and customize tools and templates that help with identity and access management

Manage web access

Set up tools that administer the automatic granting or revoking of privileges

(AVERAGE SCORE = 4.02)

Manage federated identities

Manage a self-service function, enabling self-updating of person information

Explore - find information or functions offered by the software

Create a single registry for persons and non-persons

Track, audit and report adherence to local and national privacy and compliance regulations

Manage smart tokens, public key operations, and/or bio-metric authentication methods

6.42

5.83

5.42

5.00

5.00

4.67

4.33

4.33

4.08

3.42

3.08

3.08

2.92

1.67

1.08

Current Tasks - Frequency

WHAT OTHER TASKS ARE YOU NOT ABLE TO DO TODAY THROUGH THE IDM TOOLS THAT YOU WISH YOU COULD?Within Kuali community:• Automated user account provisioning• We currently have limited password maintenance and security question functionality with the

off the shelf product. We have created our own system for handling this to be in compliance with our security policies.

• Two things:• Delegate authorizations (our tools don't do that) • Impersonate people for testing and debugging

• Three things:• - generate reports from lists of university NETID’s• - centralized storage for individuals and groups, based on university NETID and the

university group service• - Allow the Support Org members to manage the storage of a person in the NETID domain

that is under their umbrellaOutside Kuali community:

• Automating the creation and management of non-person objects. (And … More of a feature than a task) Better detection of, and recovery from, the temporary inability to contact a remote resource.

(OPTIONAL) WHAT QUESTIONS ABOUT YOUR IDM CREATION AND MANAGEMENT EXPERIENCE AND REQUIREMENTS DID WE NOT ASK, THAT YOU WISH WE DID? (AND WHAT WOULD BE YOUR ANSWER TO THESE!)

Outside Kuali community:

• Federation and other related: We are running a locally developed, mature IdM system. Being able to take feeds from, and provide feeds to other systems is very important. Ability to manage roles, and delegate control based on roles is key to our success.

• Life cycle management of "guests" is very important, as well as being able to accommodate deficiencies in enterprise systems (ie - our HR/Payroll system does not have an accurate "end date" for employees - we have an employee "overlay" on the data feed from banner to correct this).

Q & A?