How to resolve user name conflicts when faculty are in Active Directory and students in SunOne LDAP?
We are in the early stages of Luminis deployment. I am preparing for my test install.
Our faculty have Active Directory accounts and Exchange mailboxes. Our students will have Luminis (SunOne) accounts and CommExpress mailboxes. The question that has come up is this:
If the GOATPAD Third Party ID (GOBTPAC_EXTERNAL_USER) is the authoritative source for all Luminis user id's, how do we make sure that our faculty AD usernames get into that field and are not in conflict with the id's generated by GOKTPTY.F_GENERATE_EXTERNAL_USER? I can already see that we are going to have to find a way to populate GOBTPAC_EXTERNAL_USER with our Active Directory account information and there are students whose existing data will have to be superceded by a faculty username.
Our Sungard consultants are not offering much in the way of help with this delimma, which I find disturbing, since it must come up in other engagements.
Has anyone out there got a non-manual solution to this problem, or is this really not something that others are doing?
Ben Hall
Director of IT
Central Georgia Technical College
Macon, GA
Hack Your Knowledge
Recent blog posts
- Luminis IV GCF Single Sign On with OSX=Failure PC=Working
- Cisco 4710 - Load Balancer
- First CPIP - ERROR
- Luminis Developer Job Available w/ Stable Organization
- Luminus Developer Job
- SSO to SSB mixed content error in IE
- Avoid email sending when add or delete user from group
- Luminis components
- Luminis 4 & Groupwise 7
- Luminis Developer Needed for Position w/ Stable Organization
Developer Links
Poll
- Login or register to post comments
- Older polls
Syndicate
I'm not sure I totally
I'm not sure I totally understand your question.
As you say, if you are using external validation then you need the GOATPAD Third Party ID to be the authoritative source for all Luminis user id's. That was a huge cultural shock for us. But having done that, Banner itself will assure that there are no duplicates.
Our situation is a little different from yours in that we are using AD for everybody - faculty, staff, and students - and our Luminis uses external validation for everybody. That means two things: 1) when converting to Luminis, we had to load all legacy AD id's into GOATPAD rather than having Banner generating the id's in GOATPAD, and 2) when creating new AD accounts, we extract the id's from GOATPAD.
So I think you have already outlined the required solution.
The extraction of id's from GOATPAD to create AD accounts has raised a lot of issues about how early in the hiring process for employees and how early in the admissions process for students are the Third Party id's created in GOATPAD. We have had to well understand the Banner process for creating the id's and also to engage the appropriate functional offices in being sure they do everything they need to do to get the id's generated.
I would mention that one additional complication we have encountered is that we have quite a few AD accounts for people that are not in Banner. At first blush, that may seem counter-intuitive. But the kinds of people on our campus who are not in Banner include bookstore employees (outsourced bookstore), cafeteria employees (outsourced cafeteria), faculty from other institutions who teach on our campus (we are a two-year school and we have two-plus-two programs on our campus with a couple of four-year schools), students from other institutions who take courses on our campus (the two-plus-two programs again), and what we call dual service employees (teach for us and also another school, but the paycheck comes from the other school). These people have to have AD accounts because we require an AD account for everyone who does anything whatsoever on our network (you can't use a PC without having an AD account), plus we create E-mail accounts for everybody that has an AD account. For example, we might need to E-mail these people that the college is closed because of snow, even though they are not in our Banner system.
We handle these "foreign" AD accounts fairly manually. For most of them, we create them an AD id in a format that can't possibly conflict with an id generated in GOATPAD by Banner. For a few of the categories of people, we actually do put them into Banner with no roles whatsoever, just to get an id generated in GOATPAD.
You are correct that most SunGard consultants do not understand these issues, neither the relationship between Luminis and Banner nor the relationship between Luminis and an external directory such as AD. The approach seems to be that external validation is a tool that you can use, but it's outside the norm and you are on your own if you choose to implement Luminis that way. I have lobbied with SunGard that full integration of Luminis and Banner into an enterprise directory, indeed full integration of Luminis and Banner into an enterprise identity management solution, should be the norm and should be fully embraced and supported by SunGard. I don't think you really have a Unified Digital Campus until you have that kind of identity management integration. But that holistic view of total identity integration is not the current SunGard approach.
Duplicates
The problem is this - we use the standard naming convention for our faculty and staff (i.e. first initial, last name). These accounts are created in AD before anything is keyed into Banner. (We have been putting everyone into Banner for other home-grown web apps for a while, so that isn't as much of an issue for us, though it certainly would be if we weren't doing it already.) What we have not done is populate GOBTPAC_EXTERNAL_USER with our AD account names for faculty and staff. We have done this for students because prior to Luminis, we batched student email accounts to an external provider using the GOBTPAC_EXTERNAL_USER value.
Banner could be the authoritative source of all usernames, except:
1. Many of our existing AD account names are already populated in Banner and belong to students.
2. I don't want our faculty and staff having usernames that are exactly 8 characters long and end in numerics.
I am working under the assumption that the naming convention for students and faculty will have to be differentiated somehow to avoid this. (Major modifications to f_generate_external_user). And because faculty and staff can make my life more miserable, they are going to get to keep their usernames and some existing student usernames will have to change before we implement.
Does that make more sense?
Thanks,
Ben
GOBTPAC_EXTERNAL_USER
If you already have duplicates between Banner and Active Directory, you will have to decide who gets to 'keep' their login name if you want to maintain this data in Banner (and I agree that staff will put up a bigger fuss on this than students, so it will probably be the student account that changes).
Ideally, you will want to have Banner generate the login name/Third Party ID value before the A.D. accounts are created, and then use this to create the A.D. login credentials. As mentioned earlier, Banner has validation checks in place that will ensure that no duplicate names are assigned.
Keep in mind that this validation check includes changes to a person's Third Party ID - so if Mary Smith (msmith) for some reason gets a new login name (msmith2), no-one else can use msmith as this is captured into the audit table tied to the GOBTPAC table. So unless you clean out the entries in the audit table (which SGHE recommends you not do for audit purposes), you'll have to assign Mary Smith yet a different name that is not taken. You could run cross-sql's against both tables to delete out the specific records, but this then affects your auditing trail for this activity.
Oh, and you're not restricted to 8 characters for the login name length - the GUAPPRF form in Banner General 7.4 now allows you to set how long this generated value will be (up to 32 characters max I think). If you're on an earlier version, you'll have to modify the pl/sql function that generates this value. I know that some schools have even go so far as to modify the generated login name format specified in the function to match what they currently have in place (ie - first name.lastname).
Alice Kim
Food for thought...
We are on General 7.4 and I was not aware that they had added that GUAPPRF option to alter the length of the generated id. That may be helpful. My thought was that we would modify the function that generates the third party id to always include a trailing number. That way, our students would never wind up with a username that exists in AD (no numeric characters in our AD usernames). Then we could manually change the third party id for faculty and staff without running into duplicates. I shudder at the thought of making Banner authoritative for all faculty/staff account creation as jbryan suggests, but perhaps that is the "cleanest" solution in the long run. You have both given me a lot to think about. Thanks,
Ben
Cultural Shock to work with Banner
The duplicates you are just going to have to cope with, probably by changing the ID's for some of your students. I would make the following additional comments.
1. We went to 32 character usernames as previously described in this thread.
2. You state "These accounts are created in AD before anything is keyed into Banner. " Well, we used to do the same thing. We don't any more. The only way to allow Banner to manage the namespace for AD accounts is to allow Banner to manage the namespace for AD accounts. That's one of the humongous cultural shocks of integrating Banner, Luminis, and AD. It is now the case for us that AD accounts cannot be created until the person is in GOATPAD in Banner. So our HR office *has* to put people into Banner before an AD account can be created. They don't have to put everything about the person into Banner, but they have to enter enough to get the Third Party ID generated in GOATPAD. The HR office previously only worried about getting new hires into the system before the first payroll run after they were hired.
3. The exception to #2 for us is newly hired adjunct faculty (part-time faculty). They are often hired and are teaching before HR even knows about them. So we adopted a procedure whereby one Dean and his secretary can put enough information about a person into Banner to get them the Faculty role without the Employee role, and to get them their GOATPAD entry. HR still has to "hire" the part-time faculty before they are paid, etc., but we *have* to have the GOATPAD entry for newly hired part-time faculty more quickly than the HR office can respond.
4. Obviously, items #2 and #3 beg a serious Business Process Analysis. The paperwork flow that we use to hire people is pretty crazy, but it's the way it is for historically practical reasons. I'm hoping that in time we can leverage the Banner project to rationalize the paperwork flow we use to hire people and to make it an electronic workflow.
5. Entry of new students into Banner and AD is much more automated, except that it is the case even with students that they *have* to have their AD account before they can do anything on our campus. Our Admissions office has historically been informally "holding" student applications by not entering all their data, thereby in Banner preventing their GOATPAD entries from being created. Now with Banner, Admissions has to fully enter the student, then use the Banner mechanism to put the student on hold. Again, this was a major cultural shock which begs a serious Business Process Analysis.
6. Finally, previous to Banner/Luminis, we had a different username format for students than we had for faculty/staff. We didn't necessarily "have to have to" change this procedure. We could have changed the script that Banner uses to generate the userid (indeed, we already changed it to go from 8 to 32 characters). But with people very fluidly changing roles from student to employee, from employee to student, and with people having all kinds of multiple roles, it made sense to me at least to have one big, common namespace with the same userid format for everybody. That way, when a person's role(s) changed, their userid didn't have to change. And a lot of security and permissions in Luminis and Banner are role based, so this approach works very well. I'm the VP, so I could make this decision. I think it's fair to say that the SysAdmins who take care of our AD, our Exchange server, our Luminis server, etc. did not agree with this approach. It created some very challenging practical and technical problems for them in the short run. But I'm persuaded that it was the right decision for the long run.
Your comment
I am a functional consultant for Luminis and the functional lead for the implementation at Central Georgia Technical College, unfortunately Ben's question is out of my scope but it is in the scope of our technical consulting staff. Can you tell me the names of the Luminis tech consultants that you have been working with? Our tech team leader's name is Mike Bates, It maybe a good idea for you or any other client facing these issues to contact him and set up a meeting to try to find an answer to your questions.
Hi Ben
Have you tried contacting Mike Bates, our tech team lead about your question?