UMD Enterprise Directory: Business Policy


In this article

Purpose of policy

The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the UMD Enterprise Directory.

Top

Scope

This policy applies to all computer support personnel making use of UMD's Enterprise Directory. It covers information regarding the design of the Enterprise Directory, responsibilities for computer support personnel and compliance guidelines.

Top

Access request process

Applications that need Single Sign-On (SSO authentication) and information retrieval integration services should see the UMD Enterprise Directory: Requesting SSO & Integration Services article.

Top

Enterprise Directory

Document Information Tree (DIT)

The Enterprise Directory contains a single DIT which is subdivided into six branches:

People objects are created for all employees, students and affiliates (as defined in PHR) of UMCP as well as employees of UMBI, UMCES, UMES, and USMO.

The servers and services (hardware/software) which run and support the Enterprise Directory are monitored by DIT administrators on a 24x7 basis.

Top

Schema & data visibility

The schema is a definition of all object classes and their attributes contained within the directory. An annotated attribute schema can be found at UMD Directory Services: Schema. The schema may be dynamically extended through the approval of DIT and the Directory administrators. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified.

Data visibility is controlled by registering an application and associating it with various Access Control Lists (ACLs) which control the objects and the attributes of those objects that can be accessed.  Issuing applications LDAP binding credentials (dn & password) is referred to as an "authDN", however, other binding methods/protocol are supported (e.g. CAS & SAML). 

All authenticated binds must be done over a secure connection (SSL/TLS).

Top

Data update

The Enterprise Directory is updated daily with data drawn from PHR and SIS representing people who have active relationships with UMCP, UMBI, UMCES, UMES, or USMO. Students are added to the Enterprise Directory when they are "admitted with letter sent" and remain active until the next occurrence of the last semester for which they were registered. Employees, in general, will remain active for thirty days past the separation date of their last appointment. Persons needing accounts who are neither students nor employees must be entered into PHR as an affiliate by their sponsoring department.

Top

Communication

Communication will occur via the appropriate mailing lists.

Top

Root backup & disaster recovery solution

The Enterprise Directory is currently on a nightly full backup schedule.

Top

Authentication

Application needing to merely authenticate users should consider using the UM Single-Signon Service (CAS). The SAML protocol is also supported via the UMCP Shibboleth Identity Provider (IdP), a member of the InCommon federation.

Top

Enterprise Directory administrator responsibilities

The Enterprise Directory Infrastructure is composed of many different computing, administrative and consulting services. This section provides a brief description of these services and specific contact information for each. DIT installs and maintains the servers and support machines which run Enterprise Directory. Staff within the Identity and Access Management (IAM) group configure and maintain the Enterprise Directory servers for the campus Enterprise Directory. Urgent problems related to directory servers or LDAP services should be reported by calling the DIT Help Desk Desk at 301.405.1500. For general discussion, this group can be contacted via e-mail at directory-administrator@umd.edu.

The responsibilities of the Enterprise Directory Administrators are:

Top

AuthDN owner responsibilities

Top

Joining/leaving/change of role (s) within Enterprise Directory

If at any time a department decides that it no long requires an Enterprise Directory integration, the department head or application owner will need to provide a written statement (email or memo) to the director administrators indicating this. If an application owner changes (resignation, new job responsibilities, etc.), then department head must notify the directory administrators immediately of the new owner.

Top

Compliance

All Colleges/Departments/Units heads and designated administrators will have to sign a Memorandum of Understanding and the Enterprise Directory Policy in order to make use of the campus Enterprise Directory. It is the responsibility of each application owner/administrator to comply with the above specifications and guidelines. Department heads will be notified upon repeated violations by an application owner/administrator and explained the impact it has on the entire directory infrastructure. In cases of gross negligence or refusal to adhere to the agreed policy, DIT will immediately suspend the application credentials.

Top