Email Identity Standard Proposal February 2014 Committee on Technology & Architecture Subcommittee on Identity and Access Management

Upload: kellie-brooks

Post on 23-Dec-2015


Email Identity Standard Proposal

February 2014

Committee on Technology & Architecture

Subcommittee on Identity and Access Management


Situation

• The @UCSF Exchange service provides email to 30,500 users across the UCSF enterprise

• Many separate email systems have been consolidated into @UCSF, including the Medical Center and School of Medicine

• @UCSF Exchange currently receives email for 140 distinct domains

• Some units adopted ‘@ucsf.edu’ primary addresses when joining, but 73 email domains still have new accounts provisioned with their original domain.

• Rules for assigning a new individual to the appropriate domain are inconsistent, and process is completely manual


Consequences of Current Situation

• Delays the manual creation of new accounts

• Barrier to implementing automated processes for account provisioning

• Rollout of new services and integration with cloud service providers are more complicated and often delayed

• Movement of individuals between units results in change of email address. This is increasingly problematic as cloud service adoption at UCSF grows


Target

• A uniform primary @ucsf.edu address for all members of the UCSF community

• Continuous delivery of email sent to all historical addresses in perpetuity

Benefits

• Simpler experience for UCSF community

• Uniform, recognizable brand to patients, donors, colleagues, and recruits

• Fewer changes - move within organization does not change email address

• Simpler account provisioning logic - faster turnaround and facilitates automation

• Single email namespace more closely matches cloud service integration requirements


What is a Primary Address?

• Is the main email address published within our directory service (Active Directory)

• Is the address that is displayed in the global address list (GAL)

• Is the ‘From:’ address on outgoing email

• Is frequently used by cloud service providers as the most obvious identifier for accounts belonging to UCSF personnel


What is a Secondary Address?

• An alternate email address published within our directory service

• An account can have more than one secondary address

• Email is accepted and processed normally for all secondary addresses in addition to the primary

• Every account that doesn’t use @ucsf.edu as the primary has at least one @ucsf.edu address as a secondary

• Over 1200 accounts have multiple @ucsf.edu secondary addresses


Proposal

• New individuals joining the UCSF community will receive a [email protected] primary address

– Alternate domain addresses will no longer be provisioned as a secondary for new accounts

• Existing UCSF individuals not using @ucsf.edu as a primary:

– Secondary address populated with their current email address

– Primary address set to [email protected] format

– UCSF Listserv memberships updated with new primary address

– Directory systems (CLS, SIS, etc) updated

– UCSF Box, and other cloud service accounts updated
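
Added example (not part of the original slides and not UCSF's own tooling): a planner for the primary/secondary swap described above, run over exported directory records. It assumes the new primary is taken from the account's existing @ucsf.edu secondary, which the slides do not state; accounts with zero or several @ucsf.edu candidates are queued for review rather than guessed, and all function names and sample addresses are constructed.

```python
# Added example: plans the primary/secondary swap for exported directory records.
# Assumption: records arrive as (primary, [secondaries]); sample data is constructed.
TARGET = "ucsf.edu"


def domain(addr):
    """Domain part, lower-cased; email domains are case-insensitive."""
    return addr.rsplit("@", 1)[1].lower()


def plan_account(primary, secondaries):
    """Return (status, new_primary, new_secondaries) for one account."""
    if domain(primary) == TARGET:
        return "unchanged", primary, sorted(secondaries)
    # Exact domain match: peds.ucsf.edu must not count as ucsf.edu.
    candidates = [a for a in secondaries if domain(a) == TARGET]
    if len(candidates) != 1:
        # Zero or several @ucsf.edu candidates: leave as is, queue for a person.
        return "review", primary, sorted(secondaries)
    new_primary = candidates[0]
    kept = [a for a in secondaries if a != new_primary] + [primary]
    return "promote", new_primary, sorted(kept)


def plan_directory(records):
    """Plan every account and check that no historical address is dropped."""
    plans = {}
    for primary, secondaries in records:
        status, new_primary, new_secondaries = plan_account(primary, secondaries)
        before = {a.lower() for a in [primary, *secondaries]}
        after = {a.lower() for a in [new_primary, *new_secondaries]}
        if before != after:
            raise ValueError(f"address set changed for {primary}")
        plans[primary] = (status, new_primary, new_secondaries)
    return plans


# Constructed sample accounts (local parts are invented).
SAMPLE = [
    ("pat.lee@ucsf.edu", []),
    ("sam.roe@peds.ucsf.edu", ["sam.roe@ucsf.edu"]),
    ("j.kim@ucsfmedicalcenter.org", ["j.kim@ucsf.edu", "jae.kim@ucsf.edu"]),
]

if __name__ == "__main__":
    for old, (status, new, rest) in plan_directory(SAMPLE).items():
        print(f"{status:9} {old} -> primary {new}; secondaries {rest}")
```

The before/after set comparison enforces the deck's requirement that every historical address keeps receiving mail after the swap.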


User Impact

• Email sent to prior address or new address will be delivered to a single mailbox – No Impact

• Loss of identity and ‘branding’ associated with domain suffixes on outgoing mail – Impact Variable

• Individuals may want to update business cards and other print collateral – Impact Low to Moderate

• Individuals external to UCSF may notice their address books have populated multiple entries for UCSF correspondents – Impact Low

• Individuals reassigned addresses like [email protected], [email protected], etc. as their primary address due to name collisions may be dissatisfied with the outcome – Impact Variable


User Impact

• Custom inbox rules built manually from email addresses rather than the global address list will need updating – Impact Low

• Users may forget that they used their previous address for registrations on external websites – Impact Variable

• Business processes that query Active Directory for addresses matching @department.ucsf.edu (sub-optimal choice, but may exist) will no longer work – Impact Unknown

• Ability to send to external Listservs that restrict input to validated addresses will be interrupted until Listserv account is updated with new address – Impact Moderate


Alternate Email Servers

• There is no requirement that members of the UCSF community use the enterprise Exchange server

• A small number of units continue to operate independent email servers

• Suggestion for provisioning / cloud integration for this population:

– Create [email protected] account as with other new hires

– Existence of account will facilitate integrations that need an @ucsf.edu address, even if email function not utilized

– Inform account owner that only their @ucsf.edu address should be used for authenticating to campus-wide and integrated services


Alternate Email Domain Statistics

Domain                    Accounts
ucsfmedicalcenter.org     9381
anesthesia.ucsf.edu       529
peds.ucsf.edu             481
obgyn.ucsf.edu            447
medsfgh.ucsf.edu          416
medicine.ucsf.edu         388
orthosurg.ucsf.edu        282
. .
dentistry.ucsf.edu        79
. .
ccrc.ucsf.edu             1
chanoff.ucsf.edu          1
ebinet.ucsf.edu           1
clinlab.ucsfmedctr.org    1
uap.ucsf.edu              1


Visual Impact of Email Domain – Mac Mail

Example from Mac mail client of a message addressed to recipients in four unique email domains. The domain identity of the recipients is not visible in the user interface


Visual Impact of Email Domain – Outlook on Windows

Same example using the Outlook email client on a Windows computer


Visual Impact of Email Domain – Outlook Web Access on Windows

Same example with Outlook Web Access (OWA) in a Firefox browser window


Visual Impact of Email Domain – iOS

Corresponding example on an iPhone

None of the clients surveyed displayed the recipient’s email domain under normal operation


Recent Integration Challenges

• UCSF Box

– Box expected a single primary domain

– Two UCSF staff members a month resolving complication, delaying the implementation

• Cisco Unified Communications (new phone solution)

– Unable to build Uniform Resource Identifier (URI – analogous to internal phone number) from primary email address because they require single domain

– Ad hoc heuristics are in development to pick ‘correct’ @ucsf.edu address from among multiple candidate secondary addresses


Recent Integration Challenges

• DocuSign

– Reached internal character limit processing list of UCSF domains during authentication process

– Domains through ‘larc.ucsf.edu’ work, all domains after ‘legal.ucsf.edu’ fail

– Issue still unresolved as of 1/31


UCSF Box Integration

Definition of ‘Your Company’ is almost comically complex


Approval Process

9/26/13 – Endorsed by CTA Identity and Access Management Subcommittee

12/12/13 – Endorsed by Committee on Technology and Architecture

12/13/13 – Endorsed by Committee on Business Technology

2/6/14 – Endorsed by IT Governance Steering Committee


Community Input to Date

Presented to School of Medicine Clinical Chairs

Email distribution to School of Medicine MSO list

Presented to IT-Forum

Vetted with School of Nursing Leadership

Vetted with School of Pharmacy Leadership

- Vetting with School of Dentistry in progress

- Vetting with Academic Senate in progress