Email Identity Standard Proposal

February 2014
Committee on Technology & Architecture
Subcommittee on Identity and Access Management

Upload: reese

Post on 25-Feb-2016


Situation
• The @UCSF Exchange service provides email to 30,500 users across the UCSF enterprise
• Many separate email systems have been consolidated into @UCSF, including the Medical Center and School of Medicine
• @UCSF Exchange currently receives email for 140 distinct domains
• Some units adopted ‘@ucsf.edu’ primary addresses when joining, but 73 email domains still have new accounts provisioned with their original domain.
• Rules for assigning a new individual to the appropriate domain are inconsistent, and process is completely manual


Consequences of Current Situation

• Delays the manual creation of new accounts
• Barrier to implementing automated processes for account provisioning
• Rollout of new services and integration with cloud service providers are more complicated and often delayed
• Movement of individuals between units results in change of email address. This is increasingly problematic as cloud service adoption at UCSF grows


Target
• A uniform primary @ucsf.edu address for all members of the UCSF community
• Continuous delivery of email sent to all historical addresses in perpetuity

Benefits
• Simpler experience for UCSF community
• Uniform, recognizable brand to patients, donors, colleagues, and recruits
• Fewer changes - move within organization does not change email address
• Simpler account provisioning logic - faster turnaround and facilitates automation
• Single email namespace more closely matches cloud service integration requirements


What is a Primary Address?
• Is the main email address published within our directory service (Active Directory)
• Is the address that is displayed in the global address list (GAL)
• Is the ‘From:’ address on outgoing email
• Is frequently used by cloud service providers as the most obvious identifier for accounts belonging to UCSF personnel


What is a Secondary Address?
• An alternate email address published within our directory service
• An account can have more than one secondary address
• Email is accepted and processed normally for all secondary addresses in addition to the primary
• Every account that doesn’t use @ucsf.edu as the primary has at least one @ucsf.edu address as a secondary
• Over 1200 accounts have multiple @ucsf.edu secondary addresses


Proposal
• New individuals joining the UCSF community will receive a [email protected] primary address
  – Alternate domain addresses will no longer be provisioned as a secondary for new accounts
• Existing UCSF individuals not using @ucsf.edu as a primary:
  – Secondary address populated with their current email address
  – Primary address set to [email protected] format
  – UCSF Listserv memberships updated with new primary address
  – Directory systems (CLS, SIS, etc) updated
  – UCSF Box, and other cloud service accounts updated


User Impact
• Email sent to prior address or new address will be delivered to a single mailbox – No Impact
• Loss of identity and ‘branding’ associated with domain suffixes on outgoing mail – Impact Variable
• Individuals may want to update business cards and other print collateral – Impact Low to Moderate
• Individuals external to UCSF may notice their address books have populated multiple entries for UCSF correspondents – Impact Low
• Individuals reassigned addresses like [email protected], [email protected], etc. as their primary address due to name collisions may be dissatisfied with the outcome – Impact Variable


User Impact

• Custom inbox rules built manually from email addresses rather than the global address list will need updating – Impact Low

• Users may forget that they used their previous address for registrations on external websites – Impact Variable

• Business processes that query Active Directory for addresses matching @department.ucsf.edu (sub-optimal choice, but may exist) will no longer work – Impact Unknown

• Ability to send to external Listservs that restrict input to validated addresses will be interrupted until Listserv account is updated with new address – Impact Moderate


Alternate Email Servers
• There is no requirement that members of the UCSF community use the enterprise Exchange server
• A small number of units continue to operate independent email servers
• Suggestion for provisioning / cloud integration for this population:
  – Create [email protected] account as with other new hires
  – Existence of account will facilitate integrations that need an @ucsf.edu address, even if email function not utilized
  – Inform account owner that only their @ucsf.edu address should be used for authenticating to campus-wide and integrated services


Alternate Email Domain Statistics

Domain                    Accounts
ucsfmedicalcenter.org     9381
anesthesia.ucsf.edu       529
peds.ucsf.edu             481
obgyn.ucsf.edu            447
medsfgh.ucsf.edu          416
medicine.ucsf.edu         388
orthosurg.ucsf.edu        282
. .
dentistry.ucsf.edu        79
. .
ccrc.ucsf.edu             1
chanoff.ucsf.edu          1
ebinet.ucsf.edu           1
clinlab.ucsfmedctr.org    1
uap.ucsf.edu              1


Visual Impact of Email Domain – Mac Mail

Example from Mac mail client of a message addressed to recipients in four unique email domains. The domain identity of the recipients is not visible in the user interface


Visual Impact of Email Domain – Outlook on Windows

Same example using the Outlook email client on a Windows computer


Visual Impact of Email Domain – Outlook Web Access on Windows

Same example with Outlook Web Access (OWA) in a Firefox browser window


Visual Impact of Email Domain – iOS

Corresponding example on an iPhone

None of the clients surveyed displayed the recipient’s email domain under normal operation


Recent Integration Challenges
• UCSF Box
  – Box expected a single primary domain
  – Two UCSF staff members a month resolving complication, delaying the implementation
• Cisco Unified Communications (new phone solution)
  – Unable to build Uniform Resource Identifier (URI – analogous to internal phone number) from primary email address because they require single domain
  – Ad hoc heuristics are in development to pick ‘correct’ @ucsf.edu address from among multiple candidate secondary addresses


Recent Integration Challenges
• DocuSign
  – Reached internal character limit processing list of UCSF domains during authentication process
  – Domains through ‘larc.ucsf.edu’ work, all domains after ‘legal.ucsf.edu’ fail
  – Issue still unresolved as of 1/31


UCSF Box Integration

Definition of ‘Your Company’ is almost comically complex


Approval Process

9/26/13 – Endorsed by CTA Identity and Access Management Subcommittee

12/12/13 – Endorsed by Committee on Technology and Architecture

12/13/13 – Endorsed by Committee on Business Technology

2/6/14 – Endorsed by IT Governance Steering Committee


Community Input to Date

• Presented to School of Medicine Clinical Chairs
• Email distribution to School of Medicine MSO list
• Presented to IT-Forum
• Vetted with School of Nursing Leadership
• Vetted with School of Pharmacy Leadership
• Vetting with School of Dentistry in progress
• Vetting with Academic Senate in progress