Monday, December 3, 2001
203 Mrak Hall
Agenda and Minutes
- Approval of Minutes
- Proposal to Provide Web-based Updating of the Kerberos Password
- Proposed Draft Policy; PPM 320-24, Access to Institutional Data
- Proposal on Reporting Service Unit Recharges to DaFIS
- Report on the DaFIS Channel in the MyUCDavis Portal
- Report on the Internet Payment Gateway Project
Present: Chair Robert Smiley, Mike Allred, John Bruno, Joseph Calger, Mary Duthie, Bob Franks, Michele Fulton, Janet Hamilton, John Meyer, Kathleen Moore, Robert Ono, Steve Roth, Kathi Sylva, and Caroline West.
Excused: Celeste Rose, Dave Shelby, and Abby Zubov.
Absent: Barry Klein.
Guests: Hebert Diaz-Flores and Bill Grabert.
Staff to the Council: Randy Moory, Julie Saylor, and Babette Schmitt.
The meeting began at 3:00 p.m.
- Approval of Minutes
Chair Smiley asked the Council for approval of the October minutes. Council approved the minutes as submitted.
- Proposal to Provide Web-based Updating of the Kerberos Password - Vice Provost Bruno
- Resetting Forgotten Kerberos Passwords, Options for 24/7 Service (Word doc)
- List of processes used at other universities to change passwords
Vice Provost Bruno reported that Information and Educational Technology (IET) is investigating new ways for users to change their Kerberos passwords once they have forgotten them. The issue is becoming more critical as the campus prepares to provide more online services and single sign-on capabilities on the campus enterprise portal. The team that is working on a possible Web-based resetting solution for Kerberos passwords is working out potential security implications.
Currently a person who has forgotten his/her Kerberos password has two main options for resetting it: go to IT Express in Shields Library and present sufficient identification so the password can be changed, or contact the person in their department ("departmental proxy") who has been authorized to reset these passwords. There are currently approximately 50 departmental proxies. None of the current methods provide service 24 hours per day, 7 days a week.
Bruno described several alternatives developed by IET for the Council's consideration. These include:
- Improving, streamlining, and expanding the departmental proxy process, and
- A self-service, Web-based solution.
Vice Provost Bruno cautioned that a Web-based, self-service option presents potentially increased security risks. Bruno indicated that he favored a self-service solution since it would be faster, more convenient, and always available. The alternative departmental proxy method could not resolve all the convenience and availability issues. The campus will need to balance the risks with the need for greater usability and access. This issue will need to be vetted with various groups on campus.
Council asked about the number of password change requests seen daily at IT Express. Vice Provost Bruno replied that it is probably very small, but he anticipates that this number will increase as new online, secure services are implemented. Council members commented that they support a self-service method and recommended that IET move swiftly to implement this solution, particularly as the campus prepares to integrate DaFIS and Payroll Personnel System (PPS) decision support (scheduled for Jan. 7, 2002), as well as e-commerce applications into the portal. Council members also commented that the security of the self-service model could be improved by implementing a challenge-based mechanism. Vice Provost Bruno replied that this was possible but should be done only upon a password change request. Bruno reported that there are already 40,000+ account holders on campus. These accounts could not easily be changed en masse.
Proposed Draft Policy; PPM 320-24, Access to Institutional Data - Campus Data Administrator Diaz-Flores
Handout: Proposed UC Davis Policy on Access to Institutional Data (PDF)
Campus Data Administrator Diaz-Flores reported on the changes to the proposed Access to Institutional Data Policy. Since the first presentation to the AdC3 at the October meeting, Diaz-Flores has met with the Data Stewards Committee to address and make the changes requested by the Council. The policy changes were:
- Section I. The purpose was revised to reflect the basic tenet of the policy to be open access.
- The definition of data trustees reflects the need to identify a trustee for each institutional data set and the approval of the list of trustees by the Administrative Computing Coordinating Council.
- Section III requires the data stewards committee to cite specific policy or law when not granting a request to access institutional data.
- Section IV adds a discussion of the role of the misuse committee and how the data stewards committee treats violations of the policy.
- Appendices were added to the list of trustees, stewards, and custodians.
Diaz-Flores asked for Council approval of the revised policy and for the Council to sponsor the policy through the formal administrative review of new policies.
Highlights from the discussion:
- Impact of the policy on the current operational process to grant access by the administrative computing system owners. Diaz-Flores commented that the current access control procedure used by DaFIS was consistent in large part with the proposed policy. Council members commented that it would be difficult to keep walls in place in the applications that block access to the data. If access is limited by a system, a conflict with the policy may occur. Other members strongly endorsed the open access tenet of the proposed policy.
- Revoking access to data. Members discussed the distributed nature of granting access and the challenges of revoking access. Currently there is no single system or procedure that universally revokes access.
- Need for access procedures in the policy, the roles of the data stewards and data custodians, who the campus data administrator is, and the impact of IS-3. Members discussed the fact that access procedures would be better addressed on Web sites. Data stewards are responsible for granting access and data custodians would implement that decision. The role of the campus data administrator is defined in the UC Davis Administrative Computing Policy. The proposed policy addresses issues identified in IS-3 regarding data access protection.
- Trustees. Council members noted that many trustees are missing from the list in the policy appendices. Suggested additions include the Medical Center Director, the librarians, professional school deans, and the Vice Provost for Information and Educational Technology. Council directed Diaz-Flores to return to the Council with the changes in the appendices before action is taken to approve the policy.
Proposal on Reporting Service Unit Recharges to DaFIS - Associate Vice Chancellor Allred
Handout: Report on Service Unit Recharges (Word doc)
Associate Vice Chancellor Allred reported on the proposal to change how campus service units report billings for services through DaFIS. Allred reported that there is $140 million worth of interdepartmental transfers done on the campus annually. This reporting is a large problem due to the difficulty the receiving departments experience when accounting for services performed for them. Allred commented that service departments often set up Web sites so that receiving departments can identify and check those services. The problem arises when the information reported to DaFIS is inadequate and the department billed is unable to determine the service performed.
The campus has a standard (described in PPM 340-20) that requires bills to campus departments to include sufficient information for the department being billed to check and verify the service. The standard is not being followed currently. Allred plans to have a new reporting requirement implemented by July 1, 2002. Through the new reporting procedure, sufficient information will be reported to meet the standard in PPM 340-20. Service departments will have two means to report. Automated feeds to DaFIS will need to supply specific information as identified in the proposal. Service departments not wishing to use those automated feeds will be required to enter each bill individually.
Council members responded favorably to the proposal. The discussion focused on the following:
- Members noted that service unit billings are the number one problem for many MSOs.
- Council asked about the anticipated impact to the departments doing billings. Allred replied that there would be work required to modify the automated billing systems currently used by departments.
- Members also asked about the differences between this proposal and the DOCS solution previously reviewed by the Council. Allred replied that the DOCS solution attempted to resolve the front-end problem that is not being addressed in the proposed solution.
Report on the DaFIS Channel in the MyUCDavis Portal - Associate Vice Chancellor Allred
Handout: Graphic of MyUCDavis page with DaFIS Channel
Associate Vice Chancellor Allred reported on the upcoming integration of the DaFIS decision support system through a channel in the MyUCDavis portal. The DaFIS channel is planned for January 7, 2002. Allred noted that other channels would be following soon, including a PPS Decision Support and an e-commerce channel that will include a FedEx air bill application and an application to enable Fisher Scientific purchases.
Highlights from the discussion:
- Council members asked whether other access to decision support systems would end once the channel on MyUCDavis becomes available. Allred replied that would not happen immediately.
- Members discussed the presentation and structure of information and applications in the portal, particularly in light of the rapid current and anticipated growth of functionality in the portal. These new types of functionality and the ability to personalize services and features of the portal will need to be planned for and carefully thought through, with input from others on campus. Members commented that a group needs to look at the design and recommend a solution.
- Other comments focused on the need for the email client in the portal to allow users to access email from the servers from which they commonly receive email. This would require the email application to read Exchange, UNIX, Groupwise, and other email servers.
Report on the Internet Payment Gateway Project - Associate Vice Chancellor Allred and Security Coordinator Ono
Associate Vice Chancellor Allred briefly reported on the effort to establish an Internet payment gateway for the UC Davis campus. The Office of the President is working to establish a single, secure solution for all the campuses. The Treasurer's Office has received eleven responses to the RFP; Security Coordinator Ono and Allred are reviewing these responses.
The Internet payment gateway will allow campus units to do business, enroll in classes, and pay for services and goods over the Web. It could also be used by units selling things over the Web and taking payment with credit cards. Allred noted that a few campus units already provide these types of Web-based services, but many are not in compliance with security standards.
Allred and Ono plan to provide another update at a later Council meeting.
The meeting adjourned at 4:30 p.m.