AdCom / NACS Sharing Session and UC Information Technology Architecture Group (ITAG) Update and Feedback Marina Arseniev Director of Enterprise Architecture, Security, and Data Management Services Administrative Computing Services April 22, 2009


Page 1

AdCom / NACS Sharing Session and
UC Information Technology Architecture Group (ITAG)
Update and Feedback

Marina Arseniev, Director of Enterprise Architecture, Security, and Data Management Services
Administrative Computing Services

April 22, 2009

Page 2

Agenda

• Introductions
• UC Information Technology Architecture Group (ITAG)
– Update on current projects and progress
– Kuali RICE Assessment
• AdCom’s Architecture Initiative
– Application / Technology Architecture
– SDLC
• NACS Project Challenges and ITAG Feedback
• Discussion of NACS and AdCom’s “common” problems and requirements

Page 3

Enterprise IT Architecture?

• OpenGroup’s Architecture site and Zachman Framework
• Zachman’s key statements:
– “Enterprise architecture has everything to do with managing enterprise complexity and enterprise change....”
– [Enterprise Architecture] “technically is an ontology.”
– “The descriptive representations that make up the knowledge base of the enterprise constitute […] the ‘raw material’ for engineering the enterprise for flexibility, integration, reusability, interoperability, alignment, mass customization....”
– “Enterprise Architecture is not arbitrary… and not negotiable.”
– “Enterprise architecture and system implementation are two different things.”

Page 4

What is ITAG?

• “The Information Technology Architecture Group (ITAG) is an operational group working under the aegis of the Information Technology Leadership Council (ITLC).”
• “Its mission is to create and maintain, on an ongoing basis, a repository of architectural principles, standards, practices, common frameworks and preferred technologies for use throughout the UC system. These are to be chosen with the primary goals of enabling integration, interoperability, and sharing across the system.”
• “The work of the ITAG will enhance sharing of applications and systems among UC campuses, […] support the eventual creation of a UC source code repository and facilitate coordination with national standards bodies.”
• Some ITAG members are also members of IT Architects in Academia (ITANA), an independent constituent group of Educause

Page 5

ITAG effort currently in progress

• Interoperability Guidelines and Standards for University of California
• Summary of Campus Middleware Survey
• Kuali RICE Assessment
– Each RICE component was evaluated separately
– RICE is middleware and an Application Development Framework
– Evaluation Framework
– What is RICE? (http://rice.kuali.org/)

Page 7

What is Kuali?

Page 8

Kuali Identity Management (KIM)

• Generating a unique “person” key and maintaining a unique person “identity” is one of a few services Identity Management Systems provide
• Like KIM, IdM systems store user, role, group, and attribute information related to a person
• Which role? Business role? Application function?
• In addition to storing who is in a “Low Value Purchaser” role, KIM can also store an “Attribute” indicating this role can only approve purchases for a specific amount, such as < $500
• Does not store “entitlements” or “privileges” per se.
• In RICE 1.0, KIM is really only a data store for IdM data that is managed externally, in a more robust IdM system
• How will Kuali KIM integrate with NACS IdM?
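One way to model the role-plus-attribute point above, as an added example that is not KIM’s API or any Kuali code: the “Low Value Purchaser” membership is stored with an approval-limit attribute, and the application, not the identity store, turns the pair into an allow/deny decision. Person ids, role names and amounts are constructed for the illustration.

```python
"""Role membership with a qualifying attribute, as the KIM slide describes.

Added example, not KIM's API or any Kuali code. It shows why a role name
alone is not an entitlement: the decision needs the attribute stored next
to the membership, and anything missing or unknown must deny.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class RoleMembership:
    role: str
    attributes: dict = field(default_factory=dict)  # qualifiers stored with the membership


@dataclass
class Person:
    person_id: str          # the unique "person" key the IdM system generates
    memberships: tuple


def can_approve_purchase(person, amount) -> bool:
    """True if some membership authorises a purchase of `amount` (str or Decimal).

    Deny by default: an unrelated role grants nothing, a "Low Value Purchaser"
    membership whose approval_limit attribute is missing is treated as
    misconfigured and also grants nothing, and the limit is exclusive ("< $500").
    """
    amount = Decimal(amount)
    for m in person.memberships:
        if m.role == "Purchaser":            # unqualified role, no limit stored
            return True
        if m.role == "Low Value Purchaser":
            limit = m.attributes.get("approval_limit")
            if limit is not None and amount < Decimal(limit):
                return True
    return False


# Constructed sample identities, not real campus data.
ALICE = Person("p-0001", (RoleMembership("Low Value Purchaser", {"approval_limit": "500"}),))
BOB = Person("p-0002", (RoleMembership("Low Value Purchaser"),))   # qualifier missing
CAROL = Person("p-0003", (RoleMembership("Purchaser"),))
DAVE = Person("p-0004", (RoleMembership("Report Viewer"),))         # unrelated role
```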

Page 9

Kuali Service Bus (KSB)

Page 10

How could UC Irvine use an ESB? “Events” generate real-time business transactions and workflow, replacing FTP

[Diagram: an “HR - New Employee” event from GreenTree Hire is published to the UCI Enterprise Service Bus, which fans it out to the Payroll Application (“Add Employee”), Parking and ARC employee payroll deductions, a UCINetID / CampusID request to NACS (NACS Enterprise LDAP), a UCNetID request to UCOP over the UCOP Enterprise Service Bus, ID Card, SAMS user authorization / provisioning, Learning Management System course registrations, Connexxus Travel Portal SaaS user provisioning, and AdCom’s LDAP.]

Page 11

How could UC Irvine use an ESB? “Events” generate real-time business transactions and workflow, replacing FTP

[Diagram: a “New Student” event is published to the UCI Enterprise Service Bus and fans out to a UCINetID / CampusID request to NACS (NACS Enterprise LDAP), a UCNetID request to UCOP over the UCOP Enterprise Service Bus (UCOP UC-wide IdM), Parking purchase, ID Card, Housing, Cafeteria, Learning Management System lab safety course registration, the Student Billing System, and the Registrar (XNET replacement).]

Page 12

How could UC Irvine use an ESB? “Events” trigger emergency processes and generate RSS feeds for continuous Web updates

[Diagram: an Emergency Notice published to the UCI Enterprise Service Bus fans out to the NACS web update, Student Portal web update, SNAP web update, Communications / UCI web site update, Police web update, the UCOP web update over the UCOP Enterprise Service Bus, the Evacuation Process, and the First Responder Process.]
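The fan-out the three ESB slides above depict, as an added example that is not UCI’s bus or Kuali KSB code: one “HR - New Employee” event reaches every consumer as it happens, a redelivered duplicate is not provisioned twice, and a consumer that is down is parked for retry instead of blocking the others. Topic names, subscriber names and the sample event are constructed.

```python
"""Event fan-out on a service bus, illustrating the ESB slides above.

Added example for this page, not UCI's bus or Kuali KSB code; topic and
subscriber names and the sample payload are constructed.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Event:
    topic: str              # e.g. "hr.new_employee", "student.new", "emergency.notice"
    payload: dict
    event_id: str = field(default_factory=lambda: str(uuid.uuid4()))


class ServiceBus:
    def __init__(self):
        self._subscribers = {}  # topic -> list of (name, handler)
        self.delivered = []     # (event_id, subscriber) audit trail
        self.dead_letters = []  # (event_id, subscriber, error) for retry/alerting
        self._seen = set()      # event ids already processed (idempotency)

    def subscribe(self, topic, name, handler):
        self._subscribers.setdefault(topic, []).append((name, handler))

    def publish(self, event):
        """Deliver event to every subscriber of its topic; return the names served."""
        if event.event_id in self._seen:
            return []           # duplicate redelivery: do not provision twice
        self._seen.add(event.event_id)
        served = []
        for name, handler in self._subscribers.get(event.topic, []):
            try:
                handler(event.payload)
                self.delivered.append((event.event_id, name))
                served.append(name)
            except Exception as exc:  # isolate one consumer's failure from the rest
                self.dead_letters.append((event.event_id, name, str(exc)))
        return served


def build_new_employee_bus(fail_parking=False):
    """Wire the consumers from the "HR - New Employee" slide (constructed handlers)."""
    bus = ServiceBus()
    provisioned = {}            # subscriber -> employee id it provisioned

    def make(name):
        def handler(payload):
            if name == "parking" and fail_parking:
                raise RuntimeError("parking system unavailable")
            provisioned[name] = payload["employee_id"]
        return handler

    for name in ("ucinetid_request", "payroll_add_employee", "parking",
                 "id_card", "sams_provisioning", "lms_registration"):
        bus.subscribe("hr.new_employee", name, make(name))
    return bus, provisioned
```

Publishing the same `Event` object twice returns an empty list the second time, and the failed consumer appears in `dead_letters` rather than raising out of `publish`.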

Page 13

Kuali Nervous System (KNS)

• Data Dictionary - data name, description, type, GUI representation (radio, checkbox, drop down…)
• Business Objects - represent entities in the system, Java POJOs
• Inquiries - allow for drill down detail functionality and relationships
• Lookups - allow for finding the Business Object record that you want to maintain or reference
• Maintenance Documents - allow for maintenance of Business Objects (Entities) through user transactions – Create/Read/Update/Delete (CRUD)
• Transactional Documents - for business process based transactions
• Reusable Custom Tag Library - makes building UIs for Transactional Documents easier
• Business Validations Framework - allows for a plug point for writing business validation code

Page 18

Workflow GUI – Action List

Page 19

Workflow GUI – Document Status

Page 20

RICE has promise, however…

• Deadlines have slipped
• RICE 1.0 will be the first downward compatible release
– due out June, 2009
• Stand-alone RICE needs load testing
• Kuali is an ERP, is new, is complex.
• Unknown, unproven, limited integration
• Very ambitious future planned
• Resources must be submitted from Higher Ed like us in the form of $ and programmers
• ITAG is working with ITLC on letter to Kuali Foundation regarding assessment results

Page 21

AdCom’s Architecture Initiative

• Applications

• Software Development Life Cycle (SDLC)

• Technology Architecture and Middleware

Page 22

What does Administrative Computing Services do?

• Financial System – IBM Mainframe, CICS/Cobol
• Data Center, Desktop Support and Helpdesk
• SNAP Administrative Portal – uPortal, Web/Java
• TED Learning Management – Microsoft IIS/.ASP, vendor
• Facilities Management Work Order / Billing – Tririga ERP, vendor, JBoss/Java
• PayQuest Reimbursement – Solaris, Web/Java
• Payroll at UCOP – IBM Mainframe, CICS/Cobol
• Purchasing and Accounts Payable – IBM Mainframe, CICS/Cobol
• Human Resources Self-Service – Solaris, Web/Java
• Student Billing – Powerbuilder
• GreenTree Hiring Manager / Applicant Tracking System – Microsoft IIS/.ASP, vendor
• Permanent Budget – Powerbuilder
• Facilities Self-Services – Solaris, Web/Java
• Central Credit Card Payment – Solaris, Web/Java
• Student Financial Services Systems – Web/Java
• And much more…

Page 23

What do our Applications Require?

• High Availability – goal: 24 x 7
• Disaster Recoverability
• 24 x 7 Support – minimal maintenance, heavy cross training and Helpdesk
• Ease of Use / Common User Interface
• Auditability / Correctness
• Secured Access Control, Penetration Testing, Quality Assurance
• Architectural Integrity – reuse of tested components, reuse of staff skill sets
• Compliance and Governance – Section 508, SAS 112, Tax Relief Act, HIPAA, PCI DSS, SB1386, FERPA, FTC Red Flag
• And more…

Page 24

What are our controls?

• Incorporation of effective and best practices
• Currently using Payment Card Industry Data Security Standard (PCI DSS) as the standard for security controls even for non-Credit Card taking applications.
• An Enterprise Architecture and Software Development Life Cycle (SDLC)
– Project, Task, and Time Tracking using JIRA / Confluence
– Architecture, design, security, database and code review protocols and approvals
– Formal quality assurance, security scans (AppScan), code scans (JTest and FindBugs), and load testing (using JMeter) are required for production turnover approval
– Production turnover checklists and approval workflows in JIRA

Page 25

What are our controls? (cont.)

• Formal Change Management process…
– Weekly mandatory meeting for all staff – often only 15 minutes
– Minimize collisions of changes to network, hardware, OS, firewall, middleware, Web Server, or application that can result in downtime or security problems
– Use Oracle Calendar to schedule work and planned downtime
– Require test plans and checklist at least 2 weeks prior to change
– Production code turnover is performed by production control staff, in compliance with “separation of duty” required by auditors and SAS 112 Compliance.
• Communication Plans
– Monthly Status Reports that go to stakeholders with escalation notices as necessary
– Service Level Agreements
– Roles and Responsibilities Documents

Page 26

Value of AdCom’s Enterprise Architecture Initiative?

• We all do it to varying degrees already
• Answers “what” needs to be done, “how” and in what “sequence” to be most efficient, cost effective, and align best with business goals and strategy.
• It sets the “boundaries” and ground rules for how decisions are made using “Guiding Principles”
• Usually involves multiple layers that reduce costs and align technology with business stakeholder missions
• Based on best practices and is a best practice

Page 27

AdCom’s Stack

Page 28

Examples we use

• University of Washington

• M.I.T.

• University of Texas

• Alaska

Page 29

AdCom’s Standard Application Architecture

• A consistent and reusable application development “blue print”
• Common and tested components
• Defines how an application will be built - what components and APIs
• Exceptions to the architecture are reviewed and require approval
• Vendor applications often exempt

[Diagram of the standard stack: Application; JSP / HTML / JavaScript with the AdCom GUI Template; Java Framework Expresso/RICE*; Spring/Hibernate; Drala WorkFlow; Jasper Reports; Apache CXF SOA; Apache/Tomcat / Java 1.6; SAMS; WebAuth / Shibboleth; LDAP; Sybase, SQL Server, mySQL (ANSI SQL).]

Page 30

Architecture Governance

• Usually done by consensus of senior technical staff in AdCom services in periodic meetings
• Exceptions reviewed by team for approval
– Example 1: request to use AJAX in Human Resources application.
– Example 2: request to bring in a vendor Microsoft IIS/.ASP application
– Example 3: request for a reporting solution resulted in an evaluation and department-wide adoption of Java Jasper Reports.
– Example 4: request for a standard solution for web form pagination of database data resulted in adoption of the DisplayTag component (server-side and JavaScript technology)
• Quarterly meetings to review “Technical Reference Architecture” and approve new technologies and “sunset” or decommission older technologies

Page 31

Middleware

• As NACS and AdCom know, common middleware infrastructure and common applications should be operated centrally
– Departments/programs/activities should not have to build their own core middleware
• What are examples of middleware AdCom uses?
– SAMS AuthZ
– WebAuth, 2-factor RSA Authentication, Shibboleth
– HTTP, SOAP, WSDL, XML, SOA Services CXF
– Messaging – Java Messaging, Microsoft Transaction Services
– JDBC, LDAP
– Common logging (log4j)
• Common applications?
– Password or “secret” storage (SecretServer), Wiki, JIRA Project and Issue Tracking, Workflow, Calendar, Content Management System, Learning Management System, Portal

Page 32

Plans and next steps?

• AdCom is planning to run Kuali Coeus (2010) and Kuali Financial System (~2012) on a stand-alone instance of RICE.
• AdCom may invest in home-grown RICE applications
• AdCom would like to work with NACS on leveraging the UC Information Technology Architecture Group (ITAG) to help our campus middleware plans and implementation
– Is NACS interested in any RICE components covered today?
• AdCom is facilitating a work group to evaluate “Enterprise Authorization” solutions
– What is the intersection of Kuali Identity Management (KIM), which is also a repository for Users, Groups, Roles, and Role Attributes, and NACS’ LDAP and IdM plans?
– What do we do with AdCom’s SAMS?
– Do we need to fold in our requirements for ITAG consideration?

Page 33

What are NACS Issues?

• What are NACS project challenges?
• Any feedback or ideas that I can share with ITAG?

Page 34

What are our “Common” Problems and Requirements?

• When developing applications, what do you spend most of your time on? GUI? Interfaces? Requirements? Design? Coding?

• What do you find yourself doing over and over again?

• Where do you see the largest number of bugs or problems?

• How do you QA your apps? Is an SDLC used? When is your app “good enough”?

• Do you use an application development framework?

• What are your favorite programmer tools?

• What best practices do you employ for application security?

• What are your controls? Who decides what technology to use?

• How do different project teams communicate? Share knowledge? Cross-train?

• How does your organization eliminate redundancy and consolidate or reuse tools?

• How does your organization separate roles and responsibilities and consolidate functions of staff? How do you eliminate “silos”?

• How do you deal with project prioritization? Changes in application scope?

This presentation: https://webfiles.uci.edu/marsenie/ITAGFeedback_NACSAdCom.ppt