Andrew For Life (2002)

October 6, 2002; $Id: afl.html,v 1.1.1.1 2003/02/25 19:35:04 wcw Exp $

http://yendi.cc.cmu.edu/work/eflv2/afl.html

1.0 Introduction

Andrew For Life (AFL) undertakes the project to extend the computing infrastructure to Carnegie Mellon community members. Example community members are alumni, prospective students, parents, research partners, etc. We believe that fostering and maintaining the relationship with individual and providing the framework within which they can continue to participate in the Carnegie Mellon community will be mutually beneficial and rewarding.

There are several dependencies with other documents:

In particular to extent the relationship with students beginning from the time they apply and then throughout their lives. Life begins, after all, when you apply to Carnegie Mellon.  There are others though, beyond students that are members of the Carnegie Mellon community: research partners, community development partners, trustees, members of advisory boards, those donating to the University, executive students, part-time or temporary employees, summer students etc.

Initially the project provides specific services to applying students and graduating alumni while retaining services to existing staff and students In addition the project provides the framework for offering different subsets of Andrew services to different member groups by providing for an authorization framework maintained via the Campus Directory Service.  See Appendix C for a list of perspective services appendix B for a list of potential member groups. The project also provides for ways to adjust policy concerning services provided to groups by a (with some guidance from RBAC).

Andrew for life requires some policy changes, additional funding, new software offerings, changes to existing services and significant changes to Computing Services software infrastructure.

1.1 Students, user-ids, email addresses

Applying students require limited access to Andrew services. The first is a unique user-id that allows them to authenticate in a secure way. Today we think of this as the Andrew-id and typically assign them to arriving students. The user-id gives applying students access to two other core service, web content and email. The web content may provide deeply personalized information like admission status and financial support status but also might provide access to more general information like campus phone numbers, dorm locations etc. Incoming students will also need email addresses, today the convention provides and email address of the form andrew-id@andrew.cmu.edu

Offering email entails offering some kind of client support, the simplest to support is a webmail interface since it requires no configuration support and no software distribution. A policy decision may be to limit access to only webmail for off-campus members. Another support stance is to require new students to enroll in auto-password resetting. This service will enable students to reset their passwords to a known value (SSN?) by answering some secret questions. The importance of this offering really extends after a student leaves CMU since password resets are a frequent support issue.

All the other Andrew services are at least at the moment unavailable until a student is accepted and commits to the admission.  Customization within today's policy is when a student arrives on campus they have the opportunity to customize an email address once to the form cmu-name@cmu.edu. With customization via Andrew for life what happens to the cmu.edu namespace? See section 12.8

When a student graduates, their relationship with CMU changes. All the services generally necessary to live on campus are reduced. An alumni is again generally reduced to having a user-id, an email address and having access to alumni specific web content

2.0 Changing user-ids and email addresses

We expect to support more frequent user-id and email address changes. Today our policy and underlying technology make it difficult for clients to change identities or email addresses.   The demand for changes is modest because of our relatively short relationship with students and many staff members, that is a few years.  Still things happen, people change their names legally or get user-ids automatically generated that are somehow offensive. Andrew for life changes these rules. More user-ids will be in use and the user-id will be in use longer. This will make one or more user-id or email address changes likely.  We also want to offer a higher degree of personalization. All this requires us to allow for more frequent   changes, email address changes and for potentially the transferring of user-ids from one person to another. 

This is difficult with majority of our services that have been constructed with the notion that once you get a user-id it never. The accounts systems DAMS, the underlying operating systems and most applications are built with this assumption. We also generally make the assumption that possessing a valid Andrew user-id gives the owner access to all Andrew services.

We can make user-id changes less common, in particular by providing new students with an ability to choose an identity and good guidelines (and enforcement) for picking them. I can imagine that bighairydudewith2tatoos be a very compelling identity at 18.

A flexible notion is to separate identity from user-id and email address. The identity is very similar to the US social security number. It is a unique identifier attached to every unique person. The current Campus Directory has such a notion. A 128 bit GUID is assigned to every person and user-ids, email addresses etc are associated with that identity.   Things like authorization lists and mailboxes can be built using an underlying and unchangeable identity, while the directory service provide the ability to provide mapping.

3.0 Service and Policy

You can't offer services without offering support for those services and you must have policy to deal with extra-ordinary use of those services, either abusive use or over use or un-intended commercial use. Additionally there are issues enforcement of policy and its consequences. Imagine a wealthy alumni running an illegal or for profit service and threatening legal action when their user-id is disabled. 

Who answers the phone when alumni call for help and what expectations are reasonable. Can alumni pay for support and where does the money go?

Having good demographic information about all Andrew users is necessary for limiting liability through abusive use, policy enforcement and determining level of service.

4.0 Continuing funding, capacity planning

The existing base of Andrew users is somewhat predictable in size and utilization of underlying computer and networking resources. Decreases in the cost of computing have made support the growing needs of a relatively stable base affordable within the existing funding model. The addition of an external and ever increasing client base will likely require a different funding source. See section 12.

5.0 More on authorization, entitlements and roles

Our notion of an Andrew account providing everything to everybody needs to change given economics and the expansion in clients discussed above. Not every group has the same set of entitlements due to financial, legal or supportability considerations. See section C for a partial list of entitlements.

What entitlements an individual gets really depends on the roles they fill with Carnegie Mellon. Some roles are official in nature and can be derived from HRIS and SIS feeds, for example a fulltime and enrolled student in Pittsburgh. Other roles, like network administrator or project manager are maintained outside of our regular sources of data.

For example today we attempt to license software on a site-wide basis, buying to for all 15000 or so active accounts. We can’t extent this outside of this number without occurring real additional costs. Also very little software is actually used this way and we maybe able to save money by licensing to smaller portions of our community. There will also be increasing difficulties with Geographic dispersion, remote students and remote employees, different legal issues, currency, national security concerns. An entitlement of “Can download SAS” might be granted to fulltime students, CIT faculty and SCS faculty.

Roles of network or computer administrators would allow individuals to register computers or download software on behave of others. Their role allow them to grant entitlements to others.

All this dictates some changes to our user accounts system, DAMS and campus directory.  The various entitlements available to Andrew users that are of   will need to be specified and organized into common subsets and associated with the set of roles we denote. 

6.0 How it will all work - getting a user ID, changing it, retiring it etc. 20,000 ft. View

All new users are given an Assigned User-Id (AUID) and an identity.  We will pick an algorithm for name creation that many folks may be able to live with without change, e.g. Poepping423 or Dopiraktg34. The exact format of the AUID does not matter as long as it is it will be reasonably unique until the end of time.

Users are then given the opportunity to overlay their AUID to a Personalized User Id (PUID).  The PUID is any character string that the user wishes to choose that is not already in use by a previous AUID or an in use PUID. The Assignment of a PUID is essentially a name change and will trigger a lot of activity in underlying systems. The AUID is preserved in the namespace. All users, students, staff, faculty and friends will be follow the same process but the recycling and PUIDs for staff maybe occur quicker

The user will be able to keep the PUID until such a time nthat the user no longer participates in the Carnegie Mellon community.  The PUID is then retired and eventually made available for reuse.

The user will be allowed to reactivate the AUID if he returns at a later date but will then be treated as if that AUID had just been created: meaning that all email and all aspects of their Carnegie Mellon University entitlements will be based on their role at that time. If the former PUID is available, then the user may select it.

All underlying systems will need to be constructed to support the creation, modification and deletion of AUID/PUIDs and email addresses. Most likely this will occur as a side effect of changes being made in the campus directory and each underlaying application and system will be notified via an asynchronous event delivered to an application/specific event handler

6.1 More Details

The user is not required to change the AUID. If they are fine with it, that's fine with us.

If the user selects a "bad" PUID, the user may change the ID but there will be a penalty fee charged to discourage this activity and some policy which makes frivolous changes difficult. The fee may increase for each additional change.  The exact fee schedule has not been determined but the point of it is to discourage frivolous changes.

Note that the ability to change have PUIDs and change them adds much complexity to the email for life endeavor but personalization is the whole point. The PUID is used as a unique identifier in many underlying systems.

The exact determination of when a user stops participating has not yet been determined. It is likely to be keyed off of the last time a user authenticated.  We expect this the duration to be years though.

There will need to be a quarantine period on the PUID. During this period, any email sent to the PUID will bounce with a notice that the ID is no longer in use.

When changing the AUID to the PUID and any subsequent PUID changes, the id will likely be unavailable for a certain period of time -- probably less than 24 hours – as the rename takes place.

Some alumni will still choose to forward their email to another location.  Just like existing users have the option of forwarding their email, so would Alumni users. The only "annoyance" for the Alumni user is that they would likely have to authenticate (or do whatever is necessary to show that they are continuing to participate).

7.0 Requirements Analysis

7.1 Why this plan is good

  • Feedback to alumni relations was that students develop a tie to their current userid (AUID/PUID). Why should people have to relearn a new email address, especially if there is a desire to keep the individual participating in the CMU community?
  • Current students are not forsaken for past users that never use the system.  We could just assign userids to everyone.  However, that can generate a fairly large political mess. Plus, that means that students down the road will have "ugly" ids such as JoeStudent2345689 instead of having the shorter/better/more memorable id of 'jstudent'.
  • While it is possible that this service will be so popular that a high percentage of alumni will continue to participate in the community and so we haven't won anything.  However, our guess is that it is likely that a non-trivial percentage will have their PUID recycled... and if we are wrong, we are no worse off.
  • This is not an email specific solution. If Alumni relations want to offer additional services, such as web hosting, computer cluster access, or other extended services as they arise, we would have created a sound foundation for this growth.
  • Death is handled in the same way as if a user decided to stop participating in the community. This way we just don't have to keep track of it explicitly. We have the option to add a flag to indicate death so the proper annotations can be made.

    7.2 Why this plan is bad

  • It is a lot of work and is very different from our existing world view
  •  We need to get people to be sure to use the Directory to determine authorization information. Given that ids can change, if a careless application developer uses the ID then they could inadvertently grant access when it should not be granted (or deny access)

    7.3 Alternative Plans

    The following is a list of plans that were discussed but rejected.

    7.3.1 Separate alumni domain

    This is the current model used by alumni relations, that is the domain alumni.carnegiemellon.edu. Students don’t get to keep their current id, but have to sign up again.  We could still do this but provide a smoother transition from graduating senior to their alumni for life id.  At the time that the current email solution was chosen, Alumni Relations declined to pay or engage Computing Services on how to make this transition smoother.

    7.3.2 Just don't delete ids

    We could just not delete ids. However, this creates an undue burden on Computing Services. Instead of reclaiming the resources that used by at least 1000 users, we need to continue to support these users. This also leads to the problem in 3.2 where current students get "ugly" ids while people who haven't used the system in 5 years have the "good" ids.

    8.0 Projections regarding

    8.1 Highest use case scenario

        Existing Andrew IDs:        60,000
    

        Alumni without Andrew IDs:  30,000 (per Martha Baron)

    Existing Andrew IDs calculated by the fact that we've created about 65,000 Andrew IDs at this point. We round down by 5,000 for random faculty/staff that won't get their ID reactivated.

    Let's assume the average age of a graduating senior is 21. Let's say that average life expectancy is 85.  So it will take 64 years before the increase of user stabilize.

    Let's assume the average number of students graduating (including graduate students) is (at most) 2000. This project doesn’t account for a huge increase in distance students

    So, 64 years times 2000 students or 128,000. Add that to the current base of 90,000 from above then we get 218,000. So let's round up and say 250,000.

    So worst case just counting students, we have about 250000/15000 16.6x more active users than before.

    In general, we can probably assume that Moore's law will allow a consistent hardware funding level to keep the steady state. However, the economics predicted by Moore's law clearly does not extend to staff time. 

    9.0 Work items  -- 47 months of effort

    As mentioned above, at this point in time, authentication and authorization are very closely tied with each other.  Specifically, if you can identify yourself as a valid 'Andrew' user then almost all services allow you to have access. This and the inc.

  • >Unix login (2 months) - use directory instead of fixed Andrew files for authorization and login

  • Cyrus access (2 months) - use directory

  • DAMS   (6 months)

  • Application changes for user-id changes and authorization changes (12 months)

  • Directory Work (6 months)

  •  Migrate PTS groups to LDAP representation (3 months)

  •  Acceptable Use Policy/Punishment plans (3 months)

  •  Password Hint/Email password/Reset Password (2 months)

  • Backporting old users (2 months; ? migration)

  • Rename code (3 months)

  • Clusters login (2 months)

  • Roles and Entitlements mapping (2 months)

  •  Re-implement Trigger delivery service (2 months)

  •  Changes to Usrmgr (2 months)

    10.0 Open Issues

    10.1 Support

    How do people get support? Support ranges from how do I do something to I forgot my password.  How is contact between the user and the system maintained? Possible tracks include funding for the Help Center to maintain someone to receive phone calls for alumni, forcing all incidents to go through email and have a pay per drink support, enhancing current web/email support and providing only that, etc. etc. Biggest issue is probably forgotten passwords. How do we deal with this securely? What if somebody wants more quota , is there policy for this?

    10.2 Policy and Abuse

    Drafting the acceptable use policy. Does data in the account belong to CMU after graduation? IP issues?

    Abuse? What kind of stick do we have? Account blacklisting? Who eats the cost of abuse? Billable to Alumni relations?

    10.3 Quota

    How much quota do we give? Hardware cost for something backed up is about 7 cents per MB.  I presume we start with Email but will want to be able to roll out Web, AFS and/or other shared space... probably delivered at around the same cost point.Quota will likely have a direct relation to the internet bandwidth consumed. Current costs are $350K for about 7MByte/sec.

    10.3 Software Licensing for Core services

    Software vendors may charge per active user. A prime example is anti-spam/anti-virus. These services tend to cost significant money - on the order of $3/user for just anti-virus.

    10.4 Funding in general

    How will we be able to sustain the growth? One idea was that the first few years after graduation are free; let the alumni settle in to their jobs and not feel 'nagged' or ripped off by CMU. Last thing many graduating students want to do is give CMU another cent. After this free ride time expires, then charge an annual fee.

    10.5 Reactivation

    It might occur that an account is expired and then is requested to be reactivated.  Who processes the request? How is identity verified? Is there every a situation where information from an account is archived?

    10.6 CMU.EDU

    What are we going to do about CMU.EDU namespace?? There’s no good answer at this point. The background is that CMU.EDU namespace was the place where people could create their vanity email addresses. The names should be going through the same quarantine and reuse period as s proposed with this system. If we have a new system where people can create their own IDs, does CMU.EDU have a place in it? Should we try to create a CMU.EDU name that matches the user's PUID? The CMU.EDU name is nice to have since it is nice and short and one can argue that if a user has a CMU.EDU name then they are likely going to want to keep using it.

    10.7 Access to Alumni Directory Data

    Once alumni data is in the directory, who gets to see it? Can alumni search it, students, internal administrators?  What is the policy is this area. What happens to the historical data in a student’s record? Is the data about on campus or home addresses deleted or archived or is it just replaced by alumni data when it arrives. We need to get both alumni data and good “graduation” data.

    10.8 Directory Aware Applications

    Making a lot of Applications Directory Aware, training, documentation, policy we need to get people to be sure to use the Directory to determine authorization information. Given that ids can change, if a careless application developer uses the ID then they could inadvertently grant access when it should not be granted (or deny access).

    10.9 Getting Good data About Alumni

    We will need to interact with existing alumni systems so that we can retain reasonably up to date information about an alumni's where-abouts, we may even want to give alumni a change to submit changes to this.  This is important because our accounts management system is directory centered and requires an amount of quality information about people in the directory for uniqueness to occur, we need to be more aware of changing the affiliation of somebody to ALUMNI when they graduate and get good information about what department they graduated from. This brings up the sticky question of historical data. Suppose someone graduates and their department is renamed or is eliminated?  Standard datawarehouse practice tends to keep the original historical name plus the contemporary one.

    10.10 Reducing Entitlements

    Graduating students will have their entitlements reduced by not eliminated. This is new functionality throughout our systems because it is a change from our all or nothing entitlement strategy.  So what do we do with all the data that the person is no longer entitled to have?  How to we purge mailbox down to 10% of its quota?  Do we allow others to take ownership group data belong to a person.

    Appendix A: Recommendations for the AUID

    The AUID should be reasonably unique until the end of time. However, the hope is that many users will not chose to create a PUID so we should make the AUID as useable as possible.

    To be friendly, the first part can consist of a person's first name plus their last initial, their initials, or some other form of their name.  It would probably be a good idea to limit the first part to be 6 characters or less.

    The uniqueness requirement can be addressed by tacking on numbers to the end of the first part.  Eliminating the digits '0', '1', and '8' would be good to avoid confusion with 'o', 'l', and 'b'.  Having 4 digits should allow 2,401 combinations for each first part.

    It should be trivial to add another digit in the event that 2,401 are insufficient. As such, one should *not* assume that the maximum AUID length is 10 characters.

    Appendix B: Classes of Users (Roles?)

    Students

    Staff and Faculty

    Alumni

    Proto-Freshmen (applied not accepted)

    Pre-Freshmen    (accepted not-arrived)

    Trustees

    Guests

    Group owned accounts (Departmental Accounts)

    Students, Staff, Faculty on leave

    Sponsored accounts (paid research accounts)

    Friends of Computing Services

    Friends of Carnegie Mellon

    Part-time students, faculty, staff

    Courtesy appointments

    Friends of Technology transfer, etc.

    Folks that have pre-Kerberos machines and AD only accounts

    Pre-college (summer students)

    Students at remote campuses

    Distance Learning students

    Appendix C: A partial and CS oriented list of Entitlements

    . A kerberos principal name, the heart of our authentication system

    . Andrew Unix file space

    . Andrew Windows file space (planned for DSP customers)

    . AFS Project volumes

    . Web publishing collections

    . Sponsored computer accounts

    . Can sponsor a club accounts

    . Mulberry Address Books

    . Cyrus mail storage

    . Andrew Calendars

    . Personal web collections on www.andrew.cmu.edu

    . Personal Groups, owned administrative groups

    . White Pages data

    . VPN access

    . Dialup access into Main campus modem pool

    . Request Guest accounts

    . Register computers (wired and wireless) in Netreg

    . Create bboards and majordomo lists

    . Create Remedy incidents and maintain history

    . Retain Portal preferences

    . The right to download Site licensed software

    . An account of with Active Directory that supports legacy clients (W95)

    . Can register for classes online

    . Can create a blackboard course

    . Get help desk support

    . Authbridge access

    . Print to cluster printers

     

    Appendix D: Grouping of users from the Campus Portal Project

    STUDENTS

          Undergraduates

          Graduates

                 Masters

                 Professional Masters

                 PhD

          By College affiliation

          By Major department

          Disabled students

          Non-Pittsburgh students

                 Silicon Valley

                 Greece

                 Brazil

                 India

                 Mexico

                 Distance Ed students

          Executive Education

          Ad hoc student groups

    PROSPECTIVE STUDENTS

          Undergraduates

          Graduates

                 Masters

                 Professional Masters

                 PhD

          By College of interest

          By Focus Segments (there are many more than are listed here)

                 Ethnic Minorities

                 Women

                       In Science

                 Legacy

          Prospective disabled students

    EMPLOYEES

          All current employees

                 Non-Pittsburgh employees

                       DC

                       Colorado

                       New York

                       Silicon Valley

                       Greece

                       Brazil

                       India

                       Mexico

                 Disabled employees

                 Benefit-eligible employees

                 TES employees

                 Former employees

                 Family of employees

                 Ad hoc employee groups

    FACULTY

          All current faculty

          Tenured / Non-tenured

          Emeriti

          By College

                 By Department

          Post docs and fellows

          Visiting scholars

          Special Faculty

          Adjuncts

          Ad hoc faculty groups

    STAFF

          All staff

          By department

                 Professional staff

                 Administrative staff

                 Staff at off-campus locations

                 Ad hoc staff groups

    ALUMNI

          All Alumni

                 By College (inc. Margaret Morrison)

                 By Major Department

                 By region

                 By reunion year

                 Executive Education

                 E-mail for life users

                 Board members (boards are either university-based or college-based)

                 Chapter leaders

                 Volunteers

                 Academy for Lifelong Learning members

                 CMACers (alumni interviewers)

                 SIG members (not necessarily related to major)

                 Ad hoc alumni groups

     

    TRUSTEES

    PARENTS

          Of current students

                 Undergraduate

                 Graduate

          Of prospective students

          Of former students

    DONORS

          Alumni

                 Current donors

                 Prospective donors

          Non-Alumni

    CURRENT DONORS

          Individual

          Corporate

          Prospective donors

    EXTERNAL ENTITIES (in no particular order)

          Library Patrons

                 Walk-ins (virtual and in-person)

          Library Consortia

          Alumni

          Academy for Lifelong Learning (ALL) members

          Spouses and family members of faculty, staff and students

          Visiting Affiliates

          Special Programs (for example Pre-College, PA Governor's Summer School)

          High School Counselors

          Summer Program participants

          Employers

                 By Industry Focus Segments

                 Corporate Recruiters

          Hiring agencies

          External faculty

                 Domestic

                 Foreign

          Corporations & Foundations

          Government agencies

          Media (Publicity Outlets)

                 National

                 Trade

                 Local

                 Broker Services

                 Broadcast

                 Print

                 On-line

          Interested parties

                 Researchers

                 Think Tanks

                 Other universities

          Pittsburgh Community Neighbors

          Friends of Carnegie Mellon

                 By College

                 Advisory board members

                 Opinion leaders

                 Former faculty

                 Computing Services partners

                       Corporate partners

                       Higher-ed partners

                       General Higher Ed Clients

          Purchasers of computing equipment and software

    GENERAL PUBLIC

          Special Geographic Segments

                 New York

                 LA

                 Silicon Valley

                 Baltimore/DC

                 Philadelphia

                 Boston

          Everyone else

    ChangeLog