The Core User Directory (CUD) Service
1. Summary
The Core User Directory service extends the suite of Identity and Access Management services offered by OUCS. CUD provides Data Controllers with an easy-to-use source of information about users, which assists the integration of the many data systems that exist within the University.
There is a growing need within the University to implement Identity and Access Management (IAM) processes. Most, if not all, identity management solutions require access to one or more sources of fully comprehensive, authoritative user data. Each user must be assigned a unique digital identity with an associated unique identifier and, for those records stored in multiple sources, the unique identifier must be global in scope. Such an identifier does not currently exist within the University. CUD provides precisely the matched, consolidated user data and globally unique identifier (the "CUD ID") required to support effective identity management; in this regard it is a significant precursor to achieving a full IAM solution for the University of Oxford.
In addition to supporting identity management, CUD enables efficiency and accuracy gains by establishing reliable cross-references between data related to the same person across multiple systems. This will facilitate the strategic sharing of attributes such as name and address, reducing the need to duplicate data and associated processes and improving consistency.
CUD focusses purely on establishing a reliable source of user identity information and complements the existing IAM service suite. Other identity and access management processes and functions, such as account provisioning, authentication, privilege management and authorisation, lie beyond the scope of CUD.
1.1. What is CUD?
CUD provides a central reference point, a "directory," which stores information about people who are associated with the University.
CUD collects information about each person from many different data systems and stores it as records. Every CUD record has multiple attributes; for example, first name and surname are both attributes. The more attributes stored within a CUD record, the easier it is to distinguish it as unique.
Currently there is no single attribute which uniquely identifies the record for every person within the University, nor is there any one attribute universally stored within every data source. Assigning a CUD unique identifier (CUD ID) reduces duplication of information across these systems. The CUD ID is assigned as a result of data matching, consolidation and reconciliation processes. The net result is a single CUD record, with many attributes, for each person associated with the University.
1.2. What services does CUD offer?
CUD can be broken down into three main services:
- Data Harvesting: gathering information about people from CUD-registered systems (primary data systems)
- Data Consolidation and Reconciliation: identifying matching records from different primary data sources and highlighting inconsistencies in attribute values
- Data Presentation: making CUD data available, via a suitable interface, for data controllers to configure bespoke queries. This information includes the Foreign Key and the CUD ID, discussed further below.
CUD also generates and makes available the CUD ID: an identifier for each person that is guaranteed to be unique and immutable across all primary data systems, thus acting as a suitable "global unique identifier" within the context of the University of Oxford IT systems.
1.3. What does CUD do?
CUD gathers records from several primary data systems and matches them internally to identify records from different systems that correspond to the same person. It makes the rationalised data available to other systems, which can query and extract information from CUD.
A typical system will send a query to CUD specifying selection criteria and listing any desired attributes (which may have originated from more than one primary data system). CUD returns a single result for each record matching the selection criteria specified in the query. The result contains both the attributes and metadata describing the provenance and status of attributes.
1.4. What are the benefits of the CUD service?
Benefits to Data Controllers and Managers of Primary Data Systems
- Attribute Release Policies allow data controllers to determine which attributes may be seen and by whom
- CUD ID provides a means for Data Controllers to match and reconcile data with records stored in other Primary Data Systems
- Data Controllers may additionally choose to function as CUD data consumers by performing queries against CUD, which offers them the same set of benefits.
Benefits to CUD Data Consumers
- Access to authoritative data using a single source
- Data Controllers may configure the type, frequency and result format of queries made to CUD
- Data is checked to ensure that the data format is as expected, preventing unforeseen results for Data Controllers and their systems
- Data Controllers can determine data provenance using the metadata returned with queries
- Attributes not stored in CUD may be requested using the Foreign Key identifying the Primary Data Systems in which the attribute exists for that record.
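The three services in 1.2 and the query model in 1.3 and 1.4 can be seen together in the following toy model, which is an added illustration and not OUCS code: the record layout, the matching rules (shared e-mail, else shared surname and date of birth), the sequential CUD ID format and the attribute release policy are all assumptions made for the example. It consolidates a constructed harvest from three hypothetical primary data systems, keeps each system's foreign key, flags an inconsistent surname, and answers queries that release only the attributes the consumer is permitted to see, each with its provenance.

```python
# Added toy model of a CUD-style pipeline; all formats and rules are assumptions.
# Constructed sample harvest from three hypothetical primary data systems (PDS).
HARVEST = [
    {"pds": "student", "fk": "S1001", "surname": "Smith", "dob": "1990-01-02",
     "email": "a.smith@example.ac.uk"},
    {"pds": "hr", "fk": "H77", "surname": "Smith", "dob": "1990-01-02",
     "address": "1 High St"},
    {"pds": "alumni", "fk": "A5", "surname": "Smyth", "dob": "1990-01-02",
     "email": "a.smith@example.ac.uk"},           # same person, surname typo
    {"pds": "hr", "fk": "H78", "surname": "Jones", "dob": "1985-05-05"},
]
# Hypothetical attribute release policy: attribute -> consumers allowed to see it.
RELEASE_POLICY = {"surname": {"library", "payroll"}, "dob": {"payroll"},
                  "email": {"library", "payroll"}, "address": {"payroll"}}

def consolidate(harvest):
    """Match records across PDS and assign one immutable CUD ID per person."""
    cud, index = {}, {}  # cud_id -> consolidated record; match key -> cud_id
    for rec in harvest:
        keys = [("email", rec["email"])] if "email" in rec else []
        keys.append(("name_dob", rec["surname"], rec["dob"]))
        # First matching key wins; merging two already-split identities is omitted.
        cud_id = next((index[k] for k in keys if k in index), None)
        if cud_id is None:
            cud_id = "CUD-%04d" % (len(cud) + 1)  # sequential here for readability
            cud[cud_id] = {"cud_id": cud_id, "foreign_keys": {}, "attributes": {}}
        for k in keys:
            index[k] = cud_id
        entry = cud[cud_id]
        entry["foreign_keys"][rec["pds"]] = rec["fk"]  # keep the source key per PDS
        for attr, value in rec.items():
            if attr not in ("pds", "fk"):  # every value remembers its source system
                entry["attributes"].setdefault(attr, []).append((value, rec["pds"]))
    return cud

def query(cud, consumer, criteria, wanted):
    """One result per matching record; released values carry provenance metadata."""
    out = []
    for entry in cud.values():
        attrs = entry["attributes"]
        if all(any(v == val for v, _ in attrs.get(a, [])) for a, val in criteria.items()):
            result = {"cud_id": entry["cud_id"], "foreign_keys": entry["foreign_keys"]}
            for a in wanted:
                if consumer in RELEASE_POLICY.get(a, set()) and a in attrs:
                    values = [v for v, _ in attrs[a]]
                    result[a] = {"value": values[0], "sources": [s for _, s in attrs[a]],
                                 "consistent": len(set(values)) == 1}  # flags conflicts
            out.append(result)
    return out
```

An attribute that is permitted but absent from the consolidated record is simply left out of the result; the consumer can use the returned foreign keys to fetch it from the relevant primary data system, as 1.4 describes.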
1.5. Who is it for?
The service will initially be offered to invited early adopters (from May 2011), but will ultimately be available to all ITSS and Data Controllers (from July 2011). The selection process for early adopters is intended to engage the Data Controllers and managers of key systems providing data to CUD. These Primary Data Systems (PDS) include the Student Records System, the University HR System and the Development and Alumni Relations System; integration with these systems is needed to ensure that CUD is valuable to CUD data consumers joining later.
All early adopters will have access to the full range of features and functionality described in the service description.
1.6. Terminology
The CUD glossary defines terms specific to this project. CUD complies with the terms used in the glossary of the JISC Identity and Access Management Toolkit (Appendix A). Whilst not in scope for CUD, the toolkit offers a good overview and discussion of the processes used in the implementation of IAM within an academic environment.