Email Identity Standard Proposal
February 2014
Committee on Technology & Architecture
Subcommittee on Identity and Access Management
Situation
• The @UCSF Exchange service provides email to 30,500 users across the UCSF enterprise
• Many separate email systems have been consolidated into @UCSF, including the Medical Center and School of Medicine
• @UCSF Exchange currently receives email for 140 distinct domains
• Some units adopted ‘@ucsf.edu’ primary addresses when joining, but 73 email domains still have new accounts provisioned with their original domain.
• Rules for assigning a new individual to the appropriate domain are inconsistent, and process is completely manual
Consequences of Current Situation
• Delays the manual creation of new accounts
• Barrier to implementing automated processes for account provisioning
• Rollout of new services and integration with cloud service providers are more complicated and often delayed
• Movement of individuals between units results in change of email address. This is increasingly problematic as cloud service adoption at UCSF grows
Target
• A uniform primary @ucsf.edu address for all members of the UCSF community
• Continuous delivery of email sent to all historical addresses in perpetuity
Benefits
• Simpler experience for UCSF community
• Uniform, recognizable brand to patients, donors, colleagues, and recruits
• Fewer changes - move within organization does not change email address
• Simpler account provisioning logic - faster turnaround and facilitates automation
• Single email namespace more closely matches cloud service integration requirements
What is a Primary Address?
• Is the main email address published within our directory service (Active Directory)
• Is the address that is displayed in the global address list (GAL)
• Is the ‘From:’ address on outgoing email
• Is frequently used by cloud service providers as the most obvious identifier for accounts belonging to UCSF personnel
What is a Secondary Address?
• An alternate email address published within our directory service
• An account can have more than one secondary address
• Email is accepted and processed normally for all secondary addresses in addition to the primary
• Every account that doesn’t use @ucsf.edu as the primary has at least one @ucsf.edu address as a secondary
• Over 1200 accounts have multiple @ucsf.edu secondary addresses
Proposal
• New individuals joining the UCSF community will receive a [email protected] primary address
– Alternate domain addresses will no longer be provisioned as a secondary for new accounts
• Existing UCSF individuals not using @ucsf.edu as a primary:
– Secondary address populated with their current email address
– Primary address set to [email protected] format
– UCSF Listserv memberships updated with new primary address
– Directory systems (CLS, SIS, etc) updated
– UCSF Box, and other cloud service accounts updated
User Impact
• Email sent to prior address or new address will be delivered to a single mailbox – No Impact
• Loss of identity and ‘branding’ associated with domain suffixes on outgoing mail – Impact Variable
• Individuals may want to update business cards and other print collateral – Impact Low to Moderate
• Individuals external to UCSF may notice their address books have populated multiple entries for UCSF correspondents – Impact Low
• Individuals reassigned addresses like [email protected], [email protected], etc. as their primary address due to name collisions may be dissatisfied with the outcome – Impact Variable
• Custom inbox rules built manually from email addresses rather than the global address list will need updating – Impact Low
• Users may forget that they used their previous address for registrations on external websites – Impact Variable
• Business processes that query Active Directory for addresses matching @department.ucsf.edu (sub-optimal choice, but may exist) will no longer work – Impact Unknown
• Ability to send to external Listservs that restrict input to validated addresses will be interrupted until Listserv account is updated with new address – Impact Moderate
Alternate Email Servers
• There is no requirement that members of the UCSF community use the enterprise Exchange server
• A small number of units continue to operate independent email servers
• Suggestion for provisioning / cloud integration for this population:
– Create [email protected] account as with other new hires
– Existence of account will facilitate integrations that need an @ucsf.edu address, even if email function not utilized
– Inform account owner that only their @ucsf.edu address should be used for authenticating to campus-wide and integrated services
Alternate Email Domain Statistics
Domain                     Accounts
ucsfmedicalcenter.org      9381
anesthesia.ucsf.edu        529
peds.ucsf.edu              481
obgyn.ucsf.edu             447
medsfgh.ucsf.edu           416
medicine.ucsf.edu          388
orthosurg.ucsf.edu         282
. .
dentistry.ucsf.edu         79
. .
ccrc.ucsf.edu              1
chanoff.ucsf.edu           1
ebinet.ucsf.edu            1
clinlab.ucsfmedctr.org     1
uap.ucsf.edu               1
Visual Impact of Email Domain – Mac Mail
Example from the Mac Mail client of a message addressed to recipients in four unique email domains. The domain identity of the recipients is not visible in the user interface.
Visual Impact of Email Domain – Outlook on Windows
Same example using the Outlook email client on a Windows computer
Visual Impact of Email Domain – Outlook Web Access on Windows
Same example with Outlook Web Access (OWA) in a Firefox browser window
Visual Impact of Email Domain – iOS
Corresponding example on an iPhone
None of the clients surveyed displayed the recipient’s email domain under normal operation
Recent Integration Challenges
• UCSF Box – Box expected a single primary domain
– Two UCSF staff members a month resolving complication, delaying the implementation
• Cisco Unified Communications (new phone solution)
– Unable to build Uniform Resource Identifier (URI – analogous to internal phone number) from primary email address because they require single domain
– Ad hoc heuristics are in development to pick ‘correct’ @ucsf.edu address from among multiple candidate secondary addresses
• DocuSign
– Reached internal character limit processing list of UCSF domains during authentication process
– Domains through ‘larc.ucsf.edu’ work, all domains after ‘legal.ucsf.edu’ fail
– Issue still unresolved as of 1/31
UCSF Box Integration
Definition of ‘Your Company’ is almost comically complex
Approval Process
9/26/13 – Endorsed by CTA Identity and Access Management Subcommittee
12/12/13 – Endorsed by Committee on Technology and Architecture
12/13/13 – Endorsed by Committee on Business Technology
2/6/14 – Endorsed by IT Governance Steering Committee
Community Input to Date
Presented to School of Medicine Clinical Chairs
Email distribution to School of Medicine MSO list
Presented to IT-Forum
Vetted with School of Nursing Leadership
Vetted with School of Pharmacy Leadership
- Vetting with School of Dentistry in progress
- Vetting with Academic Senate in progress