<?xml version="1.0"?>
<!-- RSS generated by Radio UserLand v8.0.8 on Fri, 15 Aug 2003 16:48:54 GMT -->
<rss version="2.0">
	<channel>
		<title>Dave McNamee: Directory Services</title>
		<link>http://radio.weblogs.com/0110870/categories/directoryServices/</link>
		<description>UMD, NDS, etc.</description>
		<copyright>Copyright 2003 Dave McNamee</copyright>
		<lastBuildDate>Fri, 15 Aug 2003 16:48:54 GMT</lastBuildDate>
		<docs>http://backend.userland.com/rss</docs>
		<generator>Radio UserLand v8.0.8</generator>
		<managingEditor>dmcnamee@utah.gov</managingEditor>
		<webMaster>dmcnamee@utah.gov</webMaster>
		<category domain="http://www.weblogs.com/rssUpdates/changes.xml">rssUpdates</category> 
		<skipHours>
			<hour>23</hour>
			<hour>0</hour>
			<hour>1</hour>
			<hour>2</hour>
			<hour>3</hour>
			<hour>4</hour>
			<hour>17</hour>
			<hour>19</hour>
			</skipHours>
		<cloud domain="radio.xmlstoragesystem.com" port="80" path="/RPC2" registerProcedure="xmlStorageSystem.rssPleaseNotify" protocol="xml-rpc"/>
		<ttl>60</ttl>
		<item>
			<title>New Portal Efforts</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/08/15.html#a164</link>
			<description>&lt;P&gt;I am assisting key stakeholders from different State agencies in building a new State Enterprise Employee Portal project. The project team has not yet been formed, but we have a pretty good idea of who needs to be involved. Obviously DHRM and Finance have a major&amp;nbsp;stake in this project, so their involvement will be extensive. No employee portal would be complete without the services that those organizations provide. I am very excited about this new effort, because, unlike previous efforts, it is being driven by business owners rather than by technologists. Also, it has the support of the CIO and will become a fully sanctioned enterprise project if we do things right. &lt;/P&gt;
&lt;P&gt;Meantime, other &quot;portal&quot; projects are in search of direction. Public Safety has a couple of efforts that could benefit greatly from solid enterprise strategy for portals. This strategy does not exist yet. I hope to help pull people to solve this portal meta issue. It is possible that we could create economies of scale with portal efforts, and at the same time work towards integrated presentation of services provided by State government. &lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/08/15.html#a164</guid>
			<pubDate>Fri, 15 Aug 2003 15:19:01 GMT</pubDate>
			</item>
		<item>
			<title>Advance the Front</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/08/05.html#a162</link>
			<description>&lt;P&gt;ITS is making serious progress on multiple fronts. Fortunately I have the opportunity to be involved in many of them. &lt;/P&gt;
&lt;P&gt;I am very excited about UMD and the new web authentication system. UMD is being used in production mode for the Groupwise Instant Messenger system. Synchronization is taking place between the individual e.Directory&amp;nbsp;resource trees (basically the trees that are used to grant LAN access) and UMD and HRE, the HR database. For example, when I changed my password on Groupwise IM it also changed my LAN password. This may sound simple, but it will provide a lot of value to the state as multiple applications and IT platforms use UMD for authentication. Just the costs of password administration alone would make a strong business case for doing UMD, not to mention the provisioning and de-provisioning capabilities and increased security that it offers. I am convinced that many great things lie ahead for UMD.&lt;/P&gt;
&lt;P&gt;Aside from individual projects and products, I am encouraged by the fact that project and product management are gaining&amp;nbsp;momentum. This is a new way of doing business for ITS. Although we&apos;ve had our struggles, the amount of collaboration and hard work that is taking place is a credit to the people of ITS. I believe it is ultimately the citizens of Utah that benefit from these improvements.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/08/05.html#a162</guid>
			<pubDate>Tue, 05 Aug 2003 14:02:20 GMT</pubDate>
			</item>
		<item>
			<title>SPML: Open Standards User Provisioning</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/07/18.html#a160</link>
			<description>&lt;P&gt;Service Provisioning Markup Language (SPML) is getting good &lt;A href=&quot;http://www.informationweek.com/story/showArticle.jhtml?articleID=12800801&quot;&gt;press&lt;/A&gt; for its ability to automate user provisioning across multiple systems. I would really like to see the State implement SAML, SPML, and other emerging standards for security and identity in the future, after they mature a bit.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/07/18.html#a160</guid>
			<pubDate>Fri, 18 Jul 2003 17:51:28 GMT</pubDate>
			</item>
		<item>
			<title>Organized RSS</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/07/17.html#a159</link>
			<description>&lt;P&gt;RSS is a powerful content aggregation tool. It is useful in more applications than just blogging. At ITS, we have developed an RSS tool that will make it available to state agencies for creating things like press releases, articles on &lt;A href=&quot;http://www.utah.gov&quot;&gt;www.utah.gov&lt;/A&gt; and on &lt;A href=&quot;http://business.utah.gov&quot;&gt;business.utah.gov&lt;/A&gt;, the new doing business in Utah portal and soon to be the home of One-Stop Business Registration. This RSS tool is called &lt;A href=&quot;http://news.utah.gov&quot;&gt;news.utah.gov&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;News.utah.gov is not intended to be a blogging tool for personal weblogs, however it works in much the same way as a personal weblog. It is based on the Movable Type blogging platform, but again, it is not intended to be a blogging tool. The types of news feeds that are out there now are things like &quot;Utah Business News,&quot; which is being consumed right now on business.utah.gov. Control over the feeds that are created will be very strict.&lt;/P&gt;
&lt;P&gt;News.utah.gov is also an example of a project that used existing code bases to develop an effective application that can run in an inexpensive environment. The environment this is running in is a LAMP (Linux Apache MySQL PHP) environment. ITS should be adding LAMP to its hosting product portfolio this year. I am the hosting product manager, so I will be working towards that end. &lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/07/17.html#a159</guid>
			<pubDate>Thu, 17 Jul 2003 13:04:59 GMT</pubDate>
			</item>
		<item>
			<title>IBM Web Services Demo</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/06/16.html#a156</link>
			<description>&lt;P&gt;I am attending an IBM &quot;e-business on demand&quot; pitch right now. I have to admit, so far, the presentation has been interesting. They have an impressive array of platforms running on multiple laptops, including a Linux laptop. &lt;/P&gt;
&lt;P&gt;This is basically a websphere app server/websphere developer studio/rational rose demo. Of course, they are starting the day with a demo of web services. I am sad to admit, this is the first real demo of a running web service, a real web service, that I have seen. They just showed us a web services demo where a .Net app called a websphere-based web service. They have two projectors up, one showing the client app and the other showing the server console so we can see the actual calls. Cool.&lt;/P&gt;
&lt;P&gt;Being a Java vendor, they are taking a lot of time to demonstrate the differences between .Net and Java. They are preaching to the choir. I used to develop Java apps before making the fabled switch off the &quot;technical&quot; track and onto the &quot;management&quot; track. As far as I know, no state agency&amp;nbsp; is using .Net. &lt;/P&gt;
&lt;P&gt;These demos bring several questions to my mind:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;How soon will agencies want to create web services?&lt;/LI&gt;
&lt;LI&gt;What should our enterprise strategy for Websphere be?&lt;/LI&gt;
&lt;LI&gt;What about Linux on the mainframe?&lt;/LI&gt;
&lt;LI&gt;How can ITS get ahead of the agencies and lead in the development of web services?&lt;/LI&gt;
&lt;LI&gt;What infrastructure should we build to handle future demand?&lt;/LI&gt;
&lt;LI&gt;How can we do all of this and provide the best value for taxpayers?&lt;/LI&gt;&lt;/OL&gt;
&lt;P&gt;I&apos;m going to have to chew on this quickly. Customers are waiting.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/06/16.html#a156</guid>
			<pubDate>Mon, 16 Jun 2003 16:40:41 GMT</pubDate>
			</item>
		<item>
			<title>Enterprise IM</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/06/16.html#a155</link>
			<description>&lt;P&gt;I am very excited about the opportunities that ITS has right now. We are doing a lot of very interesting things. One project that I have written about in the past is the Utah Master Directory (UMD). UMD will serve as an important piece of infrastructure for many future state IT projects. It moves forward on schedule. &lt;/P&gt;
&lt;P&gt;We already have one production application using UMD, and that is Groupwise Instant&amp;nbsp;Messaging. Any state employee can install the Groupwise IM client and chat securely with any other state employee. This is what is known as enterprise instant messaging, which is still a pretty hot topic among large enterprises. UMD makes it possible.&lt;/P&gt;
&lt;P&gt;Additionally, we&amp;nbsp;are engaging Novell to make improvements to UMD and the DirXML connectors to make the employee provisioning process better. It is an evolutionary process, but I believe that UMD will change the way state agencies think about things like employee provisioning. The potential benefit that UMD provides for internal applications is surpassed only by the potential benefit for public-facing applications. &lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/06/16.html#a155</guid>
			<pubDate>Mon, 16 Jun 2003 15:54:56 GMT</pubDate>
			</item>
		<item>
			<title>Enterprise Infrastructure and HIPPA</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/05/21.html#a153</link>
			<description>&lt;P&gt;Yesterday I attended a training on the HIPPA Security Rule. For those unfamiliar with HIPPA I think it stands for Health Information Privacy and Portability Act. HIPPA has rules on privacy, security, and transactions, and it has implications for a number of state agencies, including ITS.&lt;/P&gt;
&lt;P&gt;Two issues stuck with me from the training. The first was&amp;nbsp;a realization made by one of the participants of the training that it would make sense for agencies to collectively solve HIPPA-related issues, and let all benefit from the work.&amp;nbsp;I think agencies will be realizing more and more that, for a lot of IT challenges that they face, it is a good idea to solve those issues as an enterprise rather than each agency on their own.&amp;nbsp;With shrinking budgets and increased&amp;nbsp;business and regulatory demands on our IT resources, it makes sense to solve things once for everybody.&lt;/P&gt;
&lt;P&gt;That brings&amp;nbsp;me to the second thing that stuck with me, and that was&amp;nbsp;the fact that UMD-based authentication could really solve a lot of HIPPA issues. One of the security rules&amp;nbsp;stipulates that agencies need to be able to&amp;nbsp;assert&amp;nbsp;that&amp;nbsp;access to protected&amp;nbsp;information is indeed limited to those that should have it. This includes being able to revoke access efficiently when necessary.&amp;nbsp;UMD-based authentication could really benefit agencies that have to meet&amp;nbsp;these HIPPA requirements. One example would be&amp;nbsp;an employee termination. If every application that&amp;nbsp;said employee had access to was protected by UMD-based authentication (web or non-web, it doesn&apos;t matter) then as soon as the&amp;nbsp;HR tech enters the termination event in the HR&amp;nbsp;Enterprise database, access to those applications would be immediately revoked.&amp;nbsp;The application administrator would not have to do a thing.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;A Gartner study&amp;nbsp;revealed&amp;nbsp;that the&amp;nbsp;average employee has&amp;nbsp;access to 15 to 17 applications during employment. The same study reveals that employees usually still have access to about 10 of those applications after termination. If we can tie authentication to UMD, we could solve this problem for the state enterprise.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/05/21.html#a153</guid>
			<pubDate>Wed, 21 May 2003 13:48:12 GMT</pubDate>
			</item>
		<item>
			<title>He&apos;s Like Michael Jordan</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/04/08.html#a144</link>
			<description>&lt;P&gt;My fans are wondering when I was going to come out of blogging retirement. Well, friends, your long wait is over. I know it&apos;s been a long time since my last entry on&amp;nbsp;March 28, and a lot has happened since then. Unfortunately, this emergence from retirement is much like Jordan&apos;s return to basketball through the Washington Wizards-it probably won&apos;t be as good as the Chicago days.&lt;/P&gt;
&lt;P&gt;I am currently busy with several efforts. Probably the most significant one is the UMD/Web Authentication project. I have been working on product documentation, and on reviewing the developer&apos;s work. We are really making pretty good progress on things. One of my main concerns is selling the concept of single sign on to business owners. I have a very grand vision for what eGovernment services could become. There is so much potential to improve the experience that citizens have when they obtain services from the State. A lot of people have done a lot of really great work towards developing systems that deliver services to citizens. We could take it a lot further, though, and that&apos;s what I want to do.&lt;/P&gt;
&lt;P&gt;Meanwhile I am also working on developing our reporting products, specifically Actuate web reporting. It is a service that we have been providing for some time without any product definition or cost recovery structure. I am working to change that and make it a world-class product.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/04/08.html#a144</guid>
			<pubDate>Tue, 08 Apr 2003 14:32:47 GMT</pubDate>
			</item>
		<item>
			<title>Identity Management</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/03/28.html#a143</link>
			<description>&lt;P&gt;Windley recently attended a &lt;A href=&quot;http://www.windley.com&quot;&gt;Digital Identity&amp;nbsp;Summit&lt;/A&gt; where leaders spoke about why digital ID is an important thing. I am in the trenches&amp;nbsp;developing a serious base for Digital ID for the state. Phil mentions the Utah Master Directory (UMD) in one of his &lt;A href=&quot;http://www.windley.com/2003/03/25.html#a518&quot;&gt;articles&lt;/A&gt;&amp;nbsp;on Phil Becker&apos;s presentation. I believe that UMD will provide tremendous value to the citizens and the employees of the State of Utah.&lt;/P&gt;
&lt;P&gt;UMD is based on Novell&apos;s eDirectory technology. It will have space for all users of State web applications. 2.4 million plus. It will have account management tools that will let users update their own information. Imagine if all State web applications used the directory for primary information on users, such as address. The citizen would have total control over the information the State was using to provide services. As an opt-in directory, citizens could still&amp;nbsp;be e-hermits if they want to, hiding in the hills of paper processes, rather than taking advantage of the civilization beneath them.&lt;/P&gt;
&lt;P&gt;There are major challenges to overcome. The biggest one, I think, is the fact that very few people understand the potential of UMD and consolidated web authentication. I am working on a marketing strategy right now to get more people to see the value of it. Also, there are many technical and policy challenges that need to be overcome.&lt;/P&gt;
&lt;P&gt;One thing to remember is that we are not trying to build the whole thing in a day. We started with initial development of UMD last year, and now we are working on other components that will bring us closer to our goals. Major component releases, like the new web authentication system, will occur this year. Also, we realize that agencies are free to choose whatever directory structure they want and whatever authentication platform they want. The only way they will use UMD and authentication is if they see the value, and the value equals or exceeds the cost. The product has to serve their interests. It&apos;s my job to make that connection.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/03/28.html#a143</guid>
			<pubDate>Fri, 28 Mar 2003 17:07:48 GMT</pubDate>
			</item>
		<item>
			<title>Good Day</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/03/10.html#a136</link>
			<description>&lt;P&gt;I am ready for another exciting week here at ITS. This week will be filled with UMD/Auth and content management. Last week I met with some key customers to explain our teamsite proof of concept, which is underway right now. I will be publishing a business case document for teamsite next week. &lt;/P&gt;
&lt;P&gt;Last Tuesday I attended the IT Manager&apos;s breakfast where Novell talked about their ID management, authentication, and web services products. These are all services that I have product responsibility for. Their presentation was very interesting. I have scheduled a meeting with IT directors for this Wednesday where I will be presenting what we are currently doing on these fronts.&lt;/P&gt;
&lt;P&gt;I will try to do a better job blogging my activities this week.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/03/10.html#a136</guid>
			<pubDate>Mon, 10 Mar 2003 12:52:14 GMT</pubDate>
			</item>
		<item>
			<title>Customer Connections</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/26.html#a131</link>
			<description>&lt;P&gt;Several of us from ITS met with a slew of eREP folks down in American Fork to discuss UMD and authentication. We have had a lot of contact with them about UMD in the past, but we haven&apos;t really made a solid connection until this meeting. I basically described the whole shooting match on the whiteboard and we answered questions. I find that if our customers understand our products, they see how they can use them to accomplish their business objectives. Now, we have been talking to eREP and collaborating with them in the past, but I feel like we are moving into a new phase where they know and understand what we are doing and we know and understand what they are doing, and we work together to meet business objectives.&lt;/P&gt;
&lt;P&gt;This is the kind of relationship that I want to build with more of our customers. I put out an email to some IT directors&amp;nbsp;offering to come and describe UMD and authentication to them as well. It&apos;s extremely important that we get the word out. In the next little while I will post&amp;nbsp;more information about UMD here on my blog, and elsewhere.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/26.html#a131</guid>
			<pubDate>Wed, 26 Feb 2003 21:35:14 GMT</pubDate>
			</item>
		<item>
			<title>Directory Services and Web Authentication PRD</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/25.html#a130</link>
			<description>&lt;P&gt;I finished an initial draft of the PRD for UMD/Auth/Auth/App Profile/Identity Management today. It has been distributed to our engineering folks for review. Tomorrow I will share it with the eREP team.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/25.html#a130</guid>
			<pubDate>Tue, 25 Feb 2003 22:08:42 GMT</pubDate>
			</item>
		<item>
			<title>Busride</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/24.html#a126</link>
			<description>&lt;P&gt;Radio Userland software is pretty cool. I am sitting on the bus right now, on my way to work. Once I submit this post, it will go to my localhost and then as soon as I connect to the network in the state office building the article will be automatically uploaded to the radio userland community server. Now if I only had Sprint WiFi service...&lt;/P&gt;
&lt;P&gt;This is going to be a very busy week. I will be finishing my first rough draft of a PRD for UMD/auth/auth/ID management. I will be sharing this document with key stakeholders including eREP, DHRM, DPS, DWS, DOT, DHS, and DAS. This thing is so huge that the PRD will evolve over the next month, but our experience with DPS last week has proven the value of talking early and often with customers about the product. In the meantime, because there is so much work to be done to get the whole thing put together, development will continue. One major difference, tho, between now and previous development is that now we are working as a team, and everything will go thru a peer review process. &lt;/P&gt;
&lt;P&gt;Wednesday we are meeting with the eREP team in American Fork. I have only been in contact with the eREP team for a couple of weeks, and already my understanding of their requirements and timeframes has improved significantly. Their needs are many and complex. Dan Cook at ITS and Dan Rossean (spelling?) at eREP are trying to keep everything straight, getting the right people to talk at the right time. That&apos;s a big job.&lt;/P&gt;
&lt;P&gt;Also on my plate for this week will be activity on the &quot;web services&quot; strategic plan. This plan will address all of the web-related technologies and products that ITS offers. In the past we have not done a good job at packaging all of these services and combining strategy. Because of this we have not been as competitive as we should have been in the businesses of web hosting and web-related services. We have to improve to survive.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/24.html#a126</guid>
			<pubDate>Mon, 24 Feb 2003 13:37:31 GMT</pubDate>
			</item>
		<item>
			<title>Weekly Wrapup</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/21.html#a124</link>
			<description>&lt;P&gt;It&apos;s tough to sum up my work activities in a few paragraphs. But I will try. Some information is better&amp;nbsp;than no information (unless it is taken out of context or misinterpreted. I guess my statement has a lot of exceptions. Oh, well, it&apos;s Friday, what do you want from me?). &lt;/P&gt;
&lt;P&gt;I must say&amp;nbsp;first of all&amp;nbsp;that I am encouraged by the events of this week. I have been able to accomplish a significant amount of work. Most of my focus has been on Authentication/Authorization/UMD/Identity Management, which is where it belongs. I received a significant amount of information from the engineering team about the requirements for the whole system, and I am in the middle of combining their comments into the PRD that will be released on Wednesday.&lt;/P&gt;
&lt;P&gt;Also, I went with Curtis Parker and Doug Law, two of our top experts on UMD and authentication, to DPS to talk to them about how they may want to use the system. It was a very productive and enlightening meeting. We discussed issues that we have not yet addressed, and helped them understand our intentions for the system. At the end of our meeting our new CIO, &lt;A href=&quot;http://cio.utah.gov/aboutthecio/meetthecio.htm&quot;&gt;Val Oveson&lt;/A&gt;, stopped in to chat with the group about his ideas. I think Val is the right man for the job right now. He and Windley are both extremely talented guys, but Val is a natural fit into this environment. Anyway, we will be doing more of these &quot;roadshow&quot; things&amp;nbsp;in the near future. &lt;/P&gt;
&lt;P&gt;My content management product is languishing somewhat. We have to prove that Teamsite 5.5.2 will work, and that TCO isn&apos;t too high for it to be successful. This can only be done with an upgrade and a proof-of-concept, which I am depending on Engineering to do for me. In the meantime, my boss has purchased copies of Macromedia Contribute for us to begin creating more product-related content for the ITS sites. No formal workflow or staging, but those are problems that are easy to overcome. Plus, the state gets a break on the already-cheap licensing fee. I&apos;m not saying there isn&apos;t a potential for products like Teamsite to be successful, but I am saying that it is silly to limit choices to the agencies.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/21.html#a124</guid>
			<pubDate>Fri, 21 Feb 2003 19:01:46 GMT</pubDate>
			</item>
		<item>
			<title>Digital Identity</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/18.html#a123</link>
			<description>&lt;P&gt;&lt;A href=&quot;http://www.windley.com&quot;&gt;Windley&lt;/A&gt; has been writing occasionally about &lt;A href=&quot;http://www.windley.com/2003/02/13.html#a443&quot;&gt;digital identity&lt;/A&gt;. This is an important topic to me because of the fact that the Utah Master Directory (UMD) is one of my products. UMD will be the State&apos;s standard location for storing digital identities for both State employees and public citizens. I realize there are a lot of implications to that statement. Some may even cry &quot;big brother.&quot; But I believe that the UMD will provide a lot of value to the citizens of this State, so the issues need to be resolved.&lt;/P&gt;
&lt;P&gt;One of the problems that I face is the lack of a shared understanding of identity management. What information do we store on citizens? How is it secured? Can the delivery of certain government services be contingent on having an entry in the directory? (YES)&amp;nbsp;What are the privacy policies? How are records added, modified and deleted? Under what circumstances are records deleted? Who qualifies to have a record in the directory? How do we prepare for the future of digital identity management? &lt;/P&gt;
&lt;P&gt;This goes beyond just storing a username and password for authentication services. This involves applications and public policy. The PRD I will be releasing on the 26th will begin to answer these and many other questions.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/18.html#a123</guid>
			<pubDate>Tue, 18 Feb 2003 19:26:06 GMT</pubDate>
			</item>
		<item>
			<title>UMD, Authentication, Authorization, App Profile, and Identity Management</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/13.html#a121</link>
			<description>&lt;P&gt;I think you can tell by the title to this post that this is no small thing. We&apos;re really talking about a major piece of enterprise infrastructure. If we do it right, this will be a huge part of almost every web application offered by the State. It is a huge part of the Governor&apos;s initiative to bring government services online.&lt;/P&gt;
&lt;P&gt;With that said, we have languished for too long without a proper product requirements document (aka a PRD. Get used to that term because I will be using it extensively) that ties all of these interdependent systems together and describes what they will be and what they do. It&apos;s a big task, but there really is no way to separate the requirements for UMD, authentication, authorization, app profile and identity management. I will be releasing the first version of the PRD on the 26th of this month.&lt;/P&gt;
&lt;P&gt;What follows is a brief update on each of the components of this system to tide folks over until the PRD is done.&lt;/P&gt;
&lt;P&gt;Here is the deal with UMD: the State employee side is working with synchronization between HRE, UMD, and individual resource trees. On the public side, we pretty much have the schema determined. In other words, we know for the most part what data elements we will store for each user. However, we do not have the mechanism built yet that will migrate customer data and create new users (see identity management).&lt;/P&gt;
&lt;P&gt;Authentication. SiteMinder 5.5 development is moving forward. Our engineers are working through some unresolved technical issues and building the login screens. &lt;/P&gt;
&lt;P&gt;Authorization. This is probably where most people are confused. Authorization, unlike authentication, can be implemented multiple ways. The thing to remember is that SiteMinder performs authentication and authorization every time a browser requests a protected resource. Period. That&apos;s how siteminder works. Now, you can tell siteminder to just check username and password and then do all the rest of your authorization with your application, but siteminder is still doing authorization in this case. Basically, the authorization step that it takes is to check if you are in the directory, and any member of the directory is granted access to the resource. Siteminder can do a lot more than that, and we will be articulating this fact in our PRD, so app developers know what is available and how things work. I believe we will be discovering a &quot;most efficient&quot; way to do authentication and authorization.&lt;/P&gt;
&lt;P&gt;App Profile. This is the thing that allows applications to store information in the directory. It also deals with granting access to resources, and controlling the scope of administrators. App profile is where authorization information is stored. We have a very talented engineer working through the challenges associated with this problem. I would guestimate that he has about 90% of it figured out, and I gotta say I am impressed.&lt;/P&gt;
&lt;P&gt;Identity management. Our engineers have an idea how this is going to work, but I think this one is the farthest from being figured out. More info to follow.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/13.html#a121</guid>
			<pubDate>Thu, 13 Feb 2003 22:12:56 GMT</pubDate>
			</item>
		<item>
			<title>Refining My Activities</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/05.html#a115</link>
			<description>&lt;P&gt;I thought I would give you another update on my products/projects. I am having some success at refining my activities to those that more directly apply to product management rather than project management. I have received a set of objectives from my management, and they specify the activities that I am to be engaged in. A more focused approach to specific product management&amp;nbsp; work is needed in order for me to accomplish my objectives.&lt;/P&gt;
&lt;P&gt;We are in the process of capturing requirements for directory services, or UMD, for authentication, and for authorization. A lot of development on UMD has taken place, and DirXML connections to HRE and other resource trees have been created. However, we need to take a step back and capture requirements. Authentication, authorization, and directory services (identity management) have been combined into one project. They are inextricably tied together anyway, so combining the projects just acknowledges that fact. We are moving with a sense of urgency. A lot of products/projects depend on this.&lt;/P&gt;
&lt;P&gt;We have also made significant progress in determining what it would take to offer content management services through Teamsite. We are in contact with the vendor discussing an upgrade to version 5.52, which apparently will &quot;solve all of our problems.&quot; It is supposed to run swimmingly on Solaris, Front Office should work, and it should eliminate the need for Samba shares by making calls through SOAP. In addition to the vendor, I am also in touch with local content management firms that have implemented Teamsite and can help me with a business case.&lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/02/05.html#a115</guid>
			<pubDate>Wed, 05 Feb 2003 14:20:09 GMT</pubDate>
			</item>
		<item>
			<title>New Product Family Assignments</title>
			<link>http://radio.weblogs.com/0110870/categories/directoryServices/2003/01/14.html#a97</link>
			<description>&lt;P&gt;I am excited about the other new product managers that we have. Matt Freestone starts the beginning of February, and it seems like he will hit the ground running. We also have Linda Scheile (I think that&apos;s how it&apos;s spelled) as an internal transfer, and she will also be a great help. It will be nice to have more arms and legs to work on things.&lt;/P&gt;
&lt;P&gt;Today we discussed product family assignments, and my responsibilities remained largely unchanged. There were a couple of changes, tho. I was previously assigned Wireless Services, but no longer. Now I have Application Development, both web and non web, Web Applications, which I call Web Stuff, and a new product family, called Directory Services. My links to the left reflect these new assignments. There is no doubt that I will be very busy. &lt;/P&gt;</description>
			<guid>http://radio.weblogs.com/0110870/categories/directoryServices/2003/01/14.html#a97</guid>
			<pubDate>Tue, 14 Jan 2003 20:23:46 GMT</pubDate>
			</item>
		</channel>
	</rss>
