IAM in Service Catalog
This working draft document collects objectives, requirements, and current proposals in a single collaborative document.
REQ2815414 is the source request.
In order to provide functionality for UW Medicine, MSCA needs an Exchange Enabled security group.
This group is critical to implement:
It can potentially be used for scoping in Cloud App Security.
TBD – decrease the lag time during UW Medicine onboarding
The membership should include:
The Exchange settings should be:
TBD – No one, Anyone, Members of a specified group, list of groups or netids
The solution architecture includes the following constraints:
Note: we have asked Microsoft to increase their limit, and this ask may be tracked somewhere; Nathan posed something exploratory about this to the AAD govteam.
MSCA may have forgotten about some of the groups in this area, which they referenced in REQ1385495 to obtain access to the groups service.
These same groups are also described on this page:
If you click through to the groups themselves, none are larger than 50K. The combined population of target (people) categories is 27,594. Shared UW NetID (non-people) adds just 945 UW NetIDs.
To move forward:
1. We need someone to help MSCA confirm a mapping between the subscription codes you listed in this request and these existing groups:
13: UW Medicine Workforce = uw_affiliation_uw-medicine-workforce (n=27,438)
76: UWP Provider = uw_affiliation_uwp-provider (n=2626)
77: UWP Admin Staff = uw_affiliation_uwp-staff
80: UWPN Admin Staff = uw_affiliation_uwnc-staff (n=399)
104: NWHMC Admin Staff = uw_affiliation_nwh-staff
105: NWHMC Provider = uw_affiliation_nwh-provider
22: UW Medicine Shared UW NetIDs = uw_affiliation_clinicial-shared ?? (n=945)
Note: There is an "Audience RX" product that UWM Marketing was using that introduces a different business and technical definition of UWM workforce that includes UWP, UWPN, NWH, Valley, Workday (by box number), but not "Workforce" people as provided to IAM from UWM's Puma database integration.
Note: see also UW Medicine affiliation group transitions 2019-2020
2. There is no reference group for "22: UW Medicine Shared", so we can draft a design proposal here:
Clinical shared UW NetID group design
Note: Above, the MSCA team refers to "Clinical Shared NetIDs available in Azure AD", which may or may not be the same as "22: UW Medicine Shared".
Here's a near-term plan, based on the requirements, constraints, and assumptions:
Here's an alternative plan based on UW Subscriptions, as is done to populate Azure AD licensing groups.
Note: this plan will require Ken to develop code, similar to that for AAD licensing groups, that talks to the Graph API.
Some contingencies that may play out in the future:
If Microsoft lowers the Azure Connect 50K limit, we scramble a bit.
If any of the groups above show trends of exceeding 50K members in TBD 3-6 months, we transition to an alternate design; e.g. an integration architecture that syncs data from the groups service to AAD through the Graph API (or another MS API fit for purpose). Note: the purpose of this current wiki page isn't to explore and describe the pros and cons of alternate integration architectures between groups and AAD. We know that can be documented elsewhere.
TBD. Other contingencies can be added here, as needed and if useful.
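The alternative plan above (populating AAD groups from a source of truth, the way the licensing groups are populated) and the 50K contingency both come down to the same two checks a sync job has to make: what adds and removes are needed to bring the AAD group in line with the groups-service membership, and whether the group is trending toward the Azure AD Connect limit. The following is an added example, not code from this page or from the UW groups service; it works on constructed sample memberships and does not call the Graph API. The 50K limit is the one discussed on this page; the 90% warning threshold and the linear trend projection are assumptions of the example.

```python
import math

# Limit discussed on this page for groups synced through Azure AD Connect.
AAD_CONNECT_GROUP_LIMIT = 50_000
# Assumption of this example: warn once a group reaches 90% of the limit.
WARN_FRACTION = 0.9


def plan_sync(source_members, target_members,
              limit=AAD_CONNECT_GROUP_LIMIT, warn_fraction=WARN_FRACTION):
    """Compute the member adds/removes needed to make the target (AAD) group
    match the source (groups service) membership, and classify the size.

    Returns a dict with sorted 'adds' and 'removes' lists, the source 'size',
    and a 'status' of 'ok', 'warn' or 'over_limit'. The caller decides what
    to do with the operations; nothing is written to AAD here."""
    src = set(source_members)
    tgt = set(target_members)
    status = "ok"
    if len(src) > limit:
        status = "over_limit"
    elif len(src) >= warn_fraction * limit:
        status = "warn"
    return {
        "adds": sorted(src - tgt),
        "removes": sorted(tgt - src),
        "size": len(src),
        "status": status,
    }


def months_until_limit(monthly_sizes, limit=AAD_CONNECT_GROUP_LIMIT):
    """Project when a group will exceed the limit from monthly size samples
    (oldest first), using a least-squares linear trend (an assumption).

    Returns None when there are fewer than two samples or the trend is flat
    or decreasing, 0 when the group is already over the limit, otherwise the
    number of months (from the last sample) until the projection exceeds it."""
    n = len(monthly_sizes)
    if n < 2:
        return None
    current = monthly_sizes[-1]
    if current > limit:
        return 0
    mean_x = (n - 1) / 2
    mean_y = sum(monthly_sizes) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(monthly_sizes))
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    slope = sxy / sxx  # members added per month
    if slope <= 0:
        return None
    # Smallest whole number of months m with current + slope * m > limit.
    return math.floor((limit - current) / slope) + 1


def needs_alternate_design(monthly_sizes, horizon_months=6,
                           limit=AAD_CONNECT_GROUP_LIMIT):
    """True when the trend projects the group over the limit within the
    horizon the page discusses (3-6 months; 6 used here as the default)."""
    m = months_until_limit(monthly_sizes, limit)
    return m is not None and m <= horizon_months


if __name__ == "__main__":
    # Constructed sample data: a small groups-service membership and an AAD
    # group that is one add and one remove out of date.
    source = ["alice", "bob", "carol"]
    target = ["bob", "carol", "dave"]
    print(plan_sync(source, target))
    # Constructed monthly sizes loosely based on the workforce group count
    # quoted on the page (n=27,438); growth here is invented.
    print(months_until_limit([27438, 27500, 27562]))
    print(needs_alternate_design([49000, 49500, 49900]))
```

Run as a script it prints the planned operations and the projections; in a real sync job the `adds` and `removes` lists would be turned into Graph API member add/remove calls, and a `warn` or a short `months_until_limit` result would be what triggers the move to the alternate design discussed above.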
We need to get authorization to integrate the group membership data into the new target systems (e.g. AD, AAD, Exchange) and therefore disclose data to new data viewers.