Syracuse University: Provisioning Delivers Secure Self Service

By Gary McGinnis

Syracuse University aims to be "the leading student-centered research university" that does everything possible to improve the day-to-day lives of its 15,000 students.

That means, among other things, eliminating the usual wait to activate a computing account or the need to call the help desk when forgetting the password to an e-mail account. Through an online self-service interface that went live in August 2002, Syracuse students can securely activate their computing accounts and perform other account management functions themselves.

In addition to its primary goal of improving the student experience, Syracuse saves costs by eliminating the need to staff a temporary office to help students activate their computing accounts.

Network Access
The challenges faced by Syracuse are familiar to any college or university that needs to reduce clerical costs, improve customer service, tighten security, and do a better job of auditing its access control processes. Educational institutions are currently faced with the challenge of managing complex networks in which a person's access rights to digital resources must be approved, canceled, or adjusted numerous times in a single year.

Secure network access is crucial for universities, and Syracuse is the perfect example of why provisioning is a "must-have" technology for the higher education market.

Provisioning is a secure and cost-effective tool for centralizing university computing accounts and eliminates the need to hire an enormous part-time staff to administer and manage the digital resources and multiple accounts for our ever-changing network of students, faculty, and staff.

Reclaiming Resources
The lack of a central solution for providing account management and other IT services can drive up administrative costs, especially as schools hire expensive temporary help to cope with registration crunches, or staff costly help desks to manage routine problems. Customer service suffers as students stand in long lines or must wait for regular business hours to contact a staff member to solve their problem. It is almost impossible to enforce security policies, or to make sure students are "de-provisioned" at the end of their academic careers, when access is granted or denied by multiple administrators in multiple departments.

Furthermore, it's critical, now more than ever, that a person's resources are reclaimed the moment they leave campus or no longer have a legitimate need for access. In fact, federal regulations like the Student and Exchange Visitor Program (SEVP), Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (IIRIRA), the USA PATRIOT Act, and others are driving universities to maintain accurate records of access to resources. The absence of a central provisioning solution makes it expensive and time consuming to prove compliance with these new regulations.

Self Service
Syracuse's journey to online self-service began in the fall of 2001. That's when the department held a series of public forums asking the students which functions they'd most like to see online. Their requests included the ability to manage the computing accounts that give them access to e-mail, computing labs, online storage and printing, and applications such as high-end statistical packages hosted on shared Unix servers.

Syracuse wanted to improve the students' experience by giving them a global user name and password that would allow them access to any appropriate system they needed, from anywhere at any time. This required us to create a single source for authentication for our students, in the form of a single database of student information that could be used to provision the local directories already in use by different schools and departments across campus.

To accomplish these goals, we considered creating a homegrown solution, as well as several commercial offerings. After much research and consideration, Business Layers' eProvision Software was the most appropriate choice for Syracuse, as it was the best fit for our environment and the most cost-effective system for our specific needs.

Computing Resources
At Syracuse, we have about 35 organizational units maintaining directories on platforms ranging from Unix to Windows NT to Novell NetWare. The Unix systems use Sun Microsystems Inc.'s Sun ONE as their directory; the Novell systems use Novell Inc.'s eDirectory and Windows NT relies on Microsoft Corp.'s Active Directory. Our Syracuse team turned to eProvision to populate and update an enterprise directory that serves as the authoritative source of user information. eProvision then monitors the enterprise directory for changes and, as necessary, updates the more than 35 distributed directories used by those applications. While the provisioning tool is centralized, decision making is not; it's still up to the owners of the local systems to provide the rules and policies that determine how users are given access to computing resources.
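The pattern described above (one authoritative directory, many local directories, access rules owned locally) can be sketched as a reconciliation pass. This is an added example, not eProvision code or Syracuse's implementation; the directory names, user IDs, roles, and policy functions are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    uid: str
    role: str     # e.g. "student" or "faculty" (hypothetical role names)
    active: bool  # False once the person has left the university

# Constructed sample data: the authoritative enterprise directory.
ENTERPRISE = {
    "asmith": Person("asmith", "student", True),
    "bjones": Person("bjones", "student", False),  # has left campus
    "clee": Person("clee", "faculty", True),
}

# Constructed sample data: accounts currently present in two local directories.
LOCAL = {
    "unix_mail": {"asmith", "bjones"},
    "stats_lab": {"clee", "zzold"},
}

# Each local system owner supplies the rule for who may have an account there.
POLICIES = {
    "unix_mail": lambda p: True,
    "stats_lab": lambda p: p.role == "faculty",
}

def reconcile(enterprise, local_accounts, policy):
    """Return sorted (action, uid) pairs that bring one local directory in line."""
    actions = []
    for uid, person in enterprise.items():
        entitled = person.active and policy(person)
        if entitled and uid not in local_accounts:
            actions.append(("create", uid))
        elif not entitled and uid in local_accounts:
            # De-provisioning: the person left or the owner's rule excludes them.
            actions.append(("disable", uid))
    # Accounts with no record in the authoritative source need review.
    for uid in set(local_accounts) - set(enterprise):
        actions.append(("orphan", uid))
    return sorted(actions)

def build_plan(enterprise=ENTERPRISE, local=LOCAL, policies=POLICIES):
    """Reconcile every local directory against the authoritative source."""
    return {name: reconcile(enterprise, accounts, policies[name])
            for name, accounts in local.items()}

if __name__ == "__main__":
    for system, actions in build_plan().items():
        print(system, actions)
```

The returned plan also serves as an audit record of why each account was created, disabled, or flagged.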

The first local directories linked to eProvision were the Unix-based systems that serve between 32,000 and 34,000 user accounts. These systems provide user-focused services such as e-mail and online storage, as well as management of students' computing accounts. The next stage will involve the Novell systems, with about 15,000 users and then the Windows NT systems with 3,000 to 5,000 users. The number of user accounts is greater than our 15,000 full-time students because part-time students, outside researchers, faculty, and staff also have accounts, further complicated by individuals having multiple accounts on different systems.

Given the numerous and disparate data sources involved in this process, our team experienced some challenges in supplying the cleanest and most synched information to the overall provisioning system. We wanted to ensure that we would have a 360-degree view of the most accurate information for consistent provisioning throughout our distributed systems. This need was successfully addressed with a series of systematic data mergers and some manual coding.

While the primary focus is on the students, the school is also rolling out capabilities to faculty and staff. We don't expect scalability to be an issue. While the number of current and former user names in the enterprise directory could eventually grow to the millions at any one time, we'll only have 12,000 to 15,000 students actively maintaining their accounts through eProvision.

Communicating Benefits
The final challenge was getting the word out about the online services. People are accustomed to getting their password changed by someone else, rather than being able to do it themselves online. Our group used targeted e-mails, as well as publicity in the student paper to get the word out. You need to have a good public relations and communications plan in place to drive use (and the maximum benefits) of the self-service site.

Most students might not know what "provisioning" is, and that's fine with us. What matters to the students is, "How do I securely manage my account?" At Syracuse University, our students can manage their own accounts when and where they want to—just as it should be in a "student-centered" university.

For more information contact Gary McGinnis, Director of Client Services, Syracuse University Computing and Media Services Department, at [email protected].
