Department Web Hosting SLA

Viewing 21 reply threads
  • Author
    Posts
    • #58
      nssabol
      Keymaster

      Department Web Hosting SLA. Latest version: 2.0 (Feb 12, 2016)

       

      *** Change log is attached.
      *** Feedback that were not reviewed in time before the submission on 02/15/2016 will be reviewed at the next undetermined revision period.

      • This topic was modified 8 years, 3 months ago by tbui.
    • #84
      erooney
      Participant

      2.1:
      HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

      2.1.1 bullet 2:
      Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

      2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

      Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation.

      Example:
      YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

      [1] Schedule updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

      [2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

      3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

      3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

      I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

      Thanks,

      Eugene

      • #111
        tbui
        Keymaster

        @ erooney:

        2.1:
        HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

        [DONE, v2.0] Agreed. This will be added to 2.1. I believe that the current cPanel architecture has this already.

        2.1.1 bullet 2:
        Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

        [DONE, v2.0] Agreed. My proposed new language: “Ensure that hosted websites’ code, content, and installed web apps (such as WordPress) are secure and updated (compromised websites because of code, content, and/or installed web apps will be shut down at UNM IT’s discretion);”

        2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

        Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation.

        Example:
        YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

        [1] Schedule updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here:http://it.unm.edu/availability/index.html

        [2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

        I think you should join our Agreements (SLAs, Standards) Review Team at IT. I will bring this back to IT Agreements for review.

        3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

        Agreed, but as a complete restore from a snapshot is only done as a last measure to restore service, I am not certain if informing Users of the restore would help Users to do backups if the service is unavailable.

        3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

        I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

        Agreed. This is in planning – to make a more secure and restricted environment in which websites/web applications that touch sensitive data (such as Banner) can be hosted. This is a popular request, and IT will make reasonable efforts to accommodate this request.

        • This reply was modified 8 years, 3 months ago by tbui.
    • #87
      gfaustin
      Participant

      In reference to item 2.1.1, one of the bullet points references training. Now that cpanel is going into production soon, it would be beneficial to have an orientation session for all interested. I know not everyone goes to the information architects meeting but I know there are lot of website designer at UNM. So an orientation will create awareness and also some hands on practice on how use it.

      • #112
        tbui
        Keymaster

        @gfaustin

        In reference to item 2.1.1, one of the bullet points references training. Now that cpanel is going into production soon, it would be beneficial to have an orientation session for all interested. I know not everyone goes to the information architects meeting but I know there are lot of website designer at UNM. So an orientation will create awareness and also some hands on practice on how use it.

        [IN PROGRESS] Lovely idea! I will work with Cameron Goble and my folks to see if we can make it happen before or soon after go-live.

        • This reply was modified 8 years, 3 months ago by tbui.
    • #88
      gfaustin
      Participant

      A list of the Content Management Systems that would be hosted within cpanel would help. Maybe not in the SLA but could be added in the Web-hosting service catalog.

      • #113
        tbui
        Keymaster

        @gfaustin

        A list of the Content Management Systems that would be hosted within cpanel would help. Maybe not in the SLA but could be added in the Web-hosting service catalog.

        [IN PROGRESS] If by “Content Management Systems” you mean apps such as WordPress, Drupal, etc., then absolutely. We will add a list of Softaculous-enabled web apps on the siterequest.unm.edu.

        • This reply was modified 8 years, 3 months ago by tbui.
    • #90
      steely
      Participant

      Re: 2.1.2,  Bullet 4: I thought up to 1 GB of storage was available free of charge? 256 MB is significantly less. It would be very easy for even a minimal website to exceed this and incur a monthly charge for its department.

      • This reply was modified 8 years, 3 months ago by steely.
      • #114
        tbui
        Keymaster

        @steely

        Re: 2.1.2,  Bullet 4: I thought up to 1 GB of storage was available free of charge? 256 MB is significantly less. It would be very easy for even a minimal website to exceed this and incur a monthly charge for its department.

        Sshhh, you’re not supposed to tell everyone about this sweet deal that was only offered to you!

        On a more serious note, before the introduction of cPanel, departments were only allocated 50 MB initially on website request/creation with the option of requesting additional storage up to 1 GB for $0 cost. This was done this way because we wanted to avoid circumstances in which departments that only used 20-50 MB ending up with a whole 1 GB of much wasted storage – which can be provisioned elsewhere where the extra storage was needed.

        With the implementation of cPanel, the project team lobbied and was given the permission to raise the initial 50 MB storage allocation to 256 MB. The final cost model is not finalized yet (soon), but when it is, it will be available on our website and announced at the various IT/IA group meetings.

    • #92
      steely
      Participant

      Re: 2.1.1:
      Bullet 3: Does “Customer’s local IT support” refer to a UNM department’s own internal staff?
      Bullet 4: It seems to me that web hosting with UNM IT should include automatic nightly backups without a separate charge. The charge could come in at a restoration of a snapshot.

      Re: 3.2
      Bullet 2: Please provide a link to “Pricing  and Billing” in the SLA.

      Re: 8
      – Can web developers be notified of charges that will appear in the monthly bill detail in advance? (I understand that it is a department’s finance / admin personnel that can login to the IT Billing portal. Is that correct?)
      – Are all communications with UNM IT for questions / tech support to be billed at $75 / hour?

      • This reply was modified 8 years, 3 months ago by steely.
      • #115
        tbui
        Keymaster

        @ steely:

        Re: 2.1.1:
        Bullet 3: Does “Customer’s local IT support” refer to a UNM department’s own internal staff?
        Bullet 4: It seems to me that web hosting with UNM IT should include automatic nightly backups without a separate charge. The charge could come in at a restoration of a snapshot.

        Bullet 3: Yes. Example: a department’s admins that have access to use cPanel should consult with the department’s IT staff (can be primary admin or designated web developer, etc.) first before contacting IT as many problems are similar, repeated, and can be resolved much quicker locally. For departments without local IT staff, admins that have access to use cPanel should reach out to UNM IT directly.

        Bullet 4: In other words, you suggest that UNM IT should hold your data hostage, and then ask you for a fee to restore it? I like it. I will bring this idea back for review.

        Re: 3.2
        Bullet 2: Please provide a link to “Pricing  and Billing” in the SLA.

        I am not sure what you meant by this as “Pricing and Billing” is under section 8. And bullet 2 discusses analytics.

        Re: 8
        – Can web developers be notified of charges that will appear in the monthly bill detail in advance? (I understand that it is a department’s finance / admin personnel that can login to the IT Billing portal. Is that correct?)
        – Are all communications with UNM IT for questions / tech support to be billed at $75 / hour?

        – I do not know if it is possible to leverage cPanel’s view to let you see your charges. I will look into this.

        – Yes, all communications with UNM IT for questions/tech support are billed at $75/hour. In fact, you will receive a bill tomorrow for the 2 hours I am spending writing my replies here… On a more serious note, communication with UNM IT for questions/tech support are not billed (to my knowledge). This provision refers to where “professional service” work is done. Example of professional services: web development (code writing), web support (making sure your WordPress is updated for you), etc.

        • #135
          steely
          Participant

          re: 2.11 bullet 4:
          You are way too clever for me by far, Tuan! That is not what I meant to suggest at all. But that’s what I said, isn’t it. Just reading this made my anxiety level shoot through the roof. I have had a couple instances of snapshot restoration that saved my skin and I was in panic mode already. Please do not add to my nervous state.

          • #201
            tbui
            Keymaster

            @ steely:

            re: 2.11 bullet 4:
            You are way too clever for me by far, Tuan! That is not what I meant to suggest at all. But that’s what I said, isn’t it. Just reading this made my anxiety level shoot through the roof. I have had a couple instances of snapshot restoration that saved my skin and I was in panic mode already. Please do not add to my nervous state.

            [IN PROGRESS] The comment about the hostage situation was really a joke. =) I will look at options to do this effectively and make a proposal for internal approval. I will let you know.

        • #138
          steely
          Participant

          Re: 8:
          And your time is well worth it! This is a very constructive discussion. Thanks for the clear explanations, and thanks as well for all of your efforts implementing good practices and technology at UNM IT.

          • This reply was modified 8 years, 3 months ago by steely.
        • #148
          steely
          Participant

          Re: 8:
          you replied,
          “…communication with UNM IT for questions/tech support are not billed (to my knowledge). This provision refers to where “professional service” work is done. Example of professional services: web development (code writing), web support (making sure your WordPress is updated for you), etc.”

          I think it would be good to spell this out in the SLA — the difference between professional services by IT and communication with IT. I’ve benefited greatly from being able to communicate with IT staff, even to learn a correct procedure, and was afraid this SLA meant that was now to incur a charge.

          I think it would be best to notify a user before charges are incurred.

          • This reply was modified 8 years, 3 months ago by steely.
    • #101
      aballo
      Participant

      1 – “Department Admins” is not mentioned elsewhere in the document.

      2.1.2 – Costs:

      This points to Service Catalog for “Department Web Hosting” – but costs are not mentioned?

      https://it.unm.edu/servicecatalog/asset_list.php?type=2&a_id=189 ?

      However, in 8 – Additional storage references “Virtual Infrastructure Services” where is this listed like this in the Service Catalog?  Is it the same as “Virtual Servers LoboCloud” ?

      3.1 – Service Manager should ensure that this service is meeting the Customer’s needs.

      5.2 Service Request Response:

      * When requests fall outside of this range, what is the remedy for the Customer? Is it “contact the Service Owner” like in 4.3 (Escalation)

      * What visibility does the Customer have when there is a breach in the Acknowledgement timeline of a ticket?

      * “Campus Priorities” could be defined? What times of year specifically?

      6.1 – Incident Reports:

      Where is the hourly rate and what items constitute associated expenses and materials defined in section 6 ?

      7 – Maintenance

      Maintenance windows should be defined in SLA. Maintenance performed outside of these agreed upon times should be communicated with the Customer in advance and if would cause significant negative impact , require their approval.

      9.1 – Availability Reporting

      Is this the Customer’s responsibility?  Why can’t sites be monitored by the Service Provider? Should this be part of the recommended enterprise services?

      9.2 – SLA Reviews

      Needs to state “Yearly” – with the Customer.

      • This reply was modified 8 years, 3 months ago by aballo.
      • #116
        tbui
        Keymaster

        @ aballo:

        1 – “Department Admins” is not mentioned elsewhere in the document.

        Good catch. This refers to “Web Admins and Developers” under 2.1.1

        2.1.2 – Costs:

        This points to Service Catalog for “Department Web Hosting” – but costs are not mentioned?

        https://it.unm.edu/servicecatalog/asset_list.php?type=2&a_id=189 ?

        However, in 8 – Additional storage references “Virtual Infrastructure Services” where is this listed like this in the Service Catalog?  Is it the same as “Virtual Servers LoboCloud” ?

        Guilty as charged. We are also making updates to our services in our Service Catalog as we work on these SLAs. They will be updated.

        3.1 – Service Manager should ensure that this service is meeting the Customer’s needs.

        Yes.

        5.2 Service Request Response:

        * When requests fall outside of this range, what is the remedy for the Customer? Is it “contact the Service Owner” like in 4.3 (Escalation)

        * What visibility does the Customer have when there is a breach in the Acknowledgement timeline of a ticket?

        * “Campus Priorities” could be defined? What times of year specifically?

        – Could you provide examples of requests that fall outside of this range? Requests are different than incidents.

        – The only visibility mean that I am aware of today is to contact IT CSS. This is really good feedback, I will bring it back for review.

        – I will also bring this back for clarification.

        6.1 – Incident Reports:

        Where is the hourly rate and what items constitute associated expenses and materials defined in section 6 ?

        I believe this refers to different hourly rates based on the services consumed. I will bring this back for review and clarification.

        7 – Maintenance

        Maintenance windows should be defined in SLA. Maintenance performed outside of these agreed upon times should be communicated with the Customer in advance and if would cause significant negative impact , require their approval.

        Could you provide reasons for your proposal to have the maintenance windows defined in the SLA as opposed to via a link provided today?

        Agreed on the second part – that is how we operate today.

        9.1 – Availability Reporting

        Is this the Customer’s responsibility?  Why can’t sites be monitored by the Service Provider? Should this be part of the recommended enterprise services?

        Yes, it is currently the Customer’s responsibility. Sites can be monitored by the Service Provider, but we do not have that monitoring service available yet. In my opinion, this absolutely should be a part of the recommended enterprise services.

        9.2 – SLA Reviews

        Needs to state “Yearly” – with the Customer.

        Agreed. This will be included as part of the yearly service subscription renewal that Customer and UNM IT do.

        • #131
          ayoder
          Participant

          @tbui

          The Department Web Hosting page has a pricing section but not “additional storage options and costs”

          “Pricing

          • 256 MBs (Default) – Free
          • More than 256 MBs – Please contact IT at Help.UNM (http://help.unm.edu) for specific costs”

           

          Charges associated with services originating from an Enterprise SLA should be in one spot. “Go to service catalog” “Contact IT”

          There is nothing that talks about the estimated business impact ($$$) caused by a loss of the service. If students are unable to fill out documents for their financial aid or apply to UNM there is potential impact for the University.

           

          The maintenance windows need to be defined in the SLA so they are agreed upon between Customer (University of New Mexico) and the service provider. A new SLA should have to be signed if the service provider wishes to change the planned maintenance window to make sure the new time meets the requirements of the business. “UNM IT reserves the right to modify the maintenance window” should be removed. If the window needs to be modified, a new SLA needs to be generated, approved, and signed.

           

          3.3 UNM IT Strategic Advisory Committee gets no mention as they do in other SLAs for Customer Responsibilities In Support of the Service

           

          5.2 “Campus priorities may require exceptions during certain times of the Academic year”

          Certain times needs to translate into actual times. For example, during the first week of the fall/spring semester and the week prior. Customer (University of New Mexico) needs to accept these exceptions and make sure they meet the requirements of the business.

           

          Thank you Tuan for responding to all our feedback! 🙂

          • This reply was modified 8 years, 3 months ago by ayoder.
    • #105
      ccovey01
      Participant

      2.1 need link to backup and restore costs
      3.2 – In the case of student organizations, is their local department responsible for their training?
      3.2 bullet 9 – local department cannot be held financially responsible for any Web Hosting arrangement that a student organization initiated and maintains

      • thus need to make distinction between personal/affiliated Web Hosting and true department hosting

      3.3 suggest requirement for use of functional email address, or secondary FTE contact to ensure the site is not deleted if say the primary contact graduates or separates from UNM

      • This reply was modified 8 years, 3 months ago by ccovey01.
      • #117
        tbui
        Keymaster

        @ ccovey01:

        2.1 need link to backup and restore costs

        I am not sure what “backup and restore costs” that is being referred to here is. Are you referring to the costs for UNM IT to assist with individual department’s backup and restore? If yes, then this is under Pricing and Billing – specifically under support coverage. If not, please elaborate.


        3.2 – In the case of student organizations, is their local department responsible for their training?

        If the student organizations go through their local departments to request this service, then yes. Reading jcapps’s feedback below this, I am thinking that a separate hosting service for official groups (non-department sponsored) is needed. I will bring this back for further discussion.


        3.2 bullet 9 – local department cannot be held financially responsible for any Web Hosting arrangement that a student organization initiated and maintains

        • thus need to make distinction between personal/affiliated Web Hosting and true department hosting

        Good feedback. See answer above. I will bring this back for review.

        3.3 suggest requirement for use of functional email address, or secondary FTE contact to ensure the site is not deleted if say the primary contact graduates or separates from UNM

        Amazing feedback. I will bring this back for consideration.

        • This reply was modified 8 years, 3 months ago by tbui.
    • #109
      jcapps
      Participant

      2.1.1 Is the local IT responsible for training of student run sites such as student organizations? The School of Law has 24 student organizations as well as 3 student run journals.

      3.3 Is there are warning when customer is about to exceed default allocations?

      • #119
        tbui
        Keymaster

        @ jcapps:

        2.1.1 Is the local IT responsible for training of student run sites such as student organizations? The School of Law has 24 student organizations as well as 3 student run journals.

        If the student organizations go through their local departments to request this service, then yes. I will bring this back for consideration of setting up a separate hosting service for official groups that are not sponsored by departments.

        3.3 Is there are warning when customer is about to exceed default allocations?

        I believe this (notification as quota is getting close to limit) is a setting in cPanel. I will double check.

    • #110
      gogogo
      Participant

      2.1.1 – First bullet – Provide a link to UCAM’s standards, please.

      2.1.1 – Third bullet – This is a vague. What level of expertise is expected of ‘local IT support’? Can we expect that tickets opened at IT by departmental users will be tossed back to the departmental IT if central IT deems them to be too basic?

      2.1.1 – Fourth bullet – Back up and recovery should be part of the basic service.

      2.1.1 – Include titles of policies, please (not just the numbers).
      – Link to 2500 is broken
      – The inclusion of Policy 7215 seems to indicate that payments can be managed on the department websites server. What, if anything, is IT doing to support that feature? Is accepting CC payments something that can be set up in CPanel? Or is that handled by a separate web server (or other software) tuned for that purpose?

      2.1.2 – First bullet. I’m unclear about the purpose of this item. It doesn’t list things like Java applets, XML, JSON, REST services, SOAP services, AJAX services. It seems like things like that should be included in the list? Or is it a list of back-end technologies? But then why does it mention HTML, CSS and JavaScript? If I am serving XML, for example, does that mean that I’m in violation of the SLA?

      3.2 – 9th bullet (Bring to the Customers’ attention…)
      This seems somewhat arbitrary to me. How is Customer fault determined, and how are IT fixes vetted by Customers? How do Customers report problems that arise due to IT activities (config changes, software (OS, php, database) updates)?

      6.1 – Again, how is the determination that something was caused by a Customer made? What recourse does a Customer have to refute such claims? For example what if a site was extremely popular and began to utilize enough resources that it affected other sites? Would that be construed as being the Customer’s fault and the site would then be shut down? While I understand that P1 events need to be dealt with ASAP, there should be a way for Clients to arbitrate, especially if fault is going to be assigned by IT.

      9.2 – What’s the mechanism for gathering feedback and input from stakeholders?

      Suggestions:
      IT should probably offer specifics on what’s enabled (or disabled) in php.conf, mysql.conf (or equivalent), and httpd.conf. I don’t believe that there are security issues with revealing details like that, but such things could very well determine whether a Customer can actually utilize the service for some specific application. In addition, such details will make it easier to create local development environments that are similar to IT’s.

      IT should provide a generalized outage page so that scheduled and unscheduled (if possible) maintenance doesn’t result in users getting no response at all. So, all traffic to the departmental web server(s) should be shunted to a page indicating that scheduled maintenance is occurring, if possible, while the service is down.

      Thanks!
      Greg

      • #120
        tbui
        Keymaster

        @ gogogo:

        2.1.1 – First bullet – Provide a link to UCAM’s standards, please.

        Ok.

        2.1.1 – Third bullet – This is a vague. What level of expertise is expected of ‘local IT support’? Can we expect that tickets opened at IT by departmental users will be tossed back to the departmental IT if central IT deems them to be too basic?

        We expect that departments’ local IT can provide “reasonable” first triage. The idea behind having departments’ local IT providing initial triage support is to help with turn-around time as many problems are similar, repeated, and can be resolved much quicker locally. This is not meant to “punish” departments’ local IT. And no, UNM IT will not toss tickets back to local IT – we might forward them all to gogogo@unm.edu though.

        2.1.1 – Fourth bullet – Back up and recovery should be part of the basic service.

        I will bring this back for review and consideration.

        2.1.1 – Include titles of policies, please (not just the numbers).
        – Link to 2500 is broken
        – The inclusion of Policy 7215 seems to indicate that payments can be managed on the department websites server. What, if anything, is IT doing to support that feature? Is accepting CC payments something that can be set up in CPanel? Or is that handled by a separate web server (or other software) tuned for that purpose?

        – I think there was a reason why the titles were left out. I’ll double check. If there wasn’t a reason, I’ll make sure the titles are added in.

        – Link will be fixed, thanks for finding this.

        – Good point. I will bring this back for review.

        2.1.2 – First bullet. I’m unclear about the purpose of this item. It doesn’t list things like Java applets, XML, JSON, REST services, SOAP services, AJAX services. It seems like things like that should be included in the list? Or is it a list of back-end technologies? But then why does it mention HTML, CSS and JavaScript? If I am serving XML, for example, does that mean that I’m in violation of the SLA?

        – Your guess was right: limited by back-end technology. HTML, CSS, and JavaScript will be removed.

        3.2 – 9th bullet (Bring to the Customers’ attention…)
        This seems somewhat arbitrary to me. How is Customer fault determined, and how are IT fixes vetted by Customers? How do Customers report problems that arise due to IT activities (config changes, software (OS, php, database) updates)?

        I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

        6.1 – Again, how is the determination that something was caused by a Customer made? What recourse does a Customer have to refute such claims? For example what if a site was extremely popular and began to utilize enough resources that it affected other sites? Would that be construed as being the Customer’s fault and the site would then be shut down? While I understand that P1 events need to be dealt with ASAP, there should be a way for Clients to arbitrate, especially if fault is going to be assigned by IT.

        Good point on arbitration. I will bring this back for clarification.

        9.2 – What’s the mechanism for gathering feedback and input from stakeholders?

        This SLA is reviewed with departments annually via email when departments sign up for service subscription renewal.

        Suggestions:
        IT should probably offer specifics on what’s enabled (or disabled) in php.conf, mysql.conf (or equivalent), and httpd.conf. I don’t believe that there are security issues with revealing details like that, but such things could very well determine whether a Customer can actually utilize the service for some specific application. In addition, such details will make it easier to create local development environments that are similar to IT’s.

        I will bring this back for review by Security. If approved, yup.

        IT should provide a generalized outage page so that scheduled and unscheduled (if possible) maintenance doesn’t result in users getting no response at all. So, all traffic to the departmental web server(s) should be shunted to a page indicating that scheduled maintenance is occurring, if possible, while the service is down.

        Oh, you mean a customized 404 or 503 page for maintenance/non-maintenance outages. Great idea. I will bring this back for review.

        Edit: What about this page? http://mysos.unm.edu/

        • This reply was modified 8 years, 3 months ago by tbui.
        • #174
          gogogo
          Participant

          Hi, Tuan:

          Regarding Departmental IT Support, Central IT Support and triage, it might be a good idea to define (perhaps in a different SLA) what is expected of each? This seems like a good way to collaborate and to help establish bridges between IT and departments. For example, if a user called the help desk with a support request, they could ask if they had tried their local support options. If the answer is ‘yes’ then the technician who gets the ticket can assume that certain preliminaries have already been attempted, or at the very least, that the Departmental IT support can provide technical background about the problem.

          Regarding this:
          I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

          This sounds reasonable, as long as you’re not painting yourself into a corner. Two scenarios come to mind:

          1. An active emergency requires that a site be shut down immediately; IT should have the option of doing that if the the emergency warrants it.
          2. Cases where departmental contacts are non-responsive and IT must take action to prevent or stop problems.

          In these cases like these, IT should be able to simply shut a site down quickly (and probably non-billable-ly), and sort things out later with the Customer.

          http://mysos.unm.edu/ seems like a good idea. As long as it’s not on dept2.unm.edu and dept2.unm.edu is down.

          I think I got everything; the rest seems fine.

          Thanks so much!

          Greg

          • #559
            tbui
            Keymaster

            Hi Greg,

            Regarding Departmental IT Support, Central IT Support and triage, it might be a good idea to define (perhaps in a different SLA) what is expected of each? This seems like a good way to collaborate and to help establish bridges between IT and departments. For example, if a user called the help desk with a support request, they could ask if they had tried their local support options. If the answer is ‘yes’ then the technician who gets the ticket can assume that certain preliminaries have already been attempted, or at the very least, that the Departmental IT support can provide technical background about the problem.
            [IN PROGRESS] One idea that was proposed in a different SLA discussion was to have an OLA for the local IT departmental units. As the introduction of this OLA is going to change the dynamic of how UNM IT has been working with departments. I am going to bring this back for feedback.

            Regarding this:
            I propose to change this to: “Bring to the Customers’ attention any situation in which extra time is required of UNM IT staff to support this service. With Customers’ approval and request, UNM IT staff will engage in the agreed upon support activities. In these situations, UNM IT reserves the right to bill at the professional service rate outlined under Pricing and Billing for these activities.” Thoughts?

            This sounds reasonable, as long as you’re not painting yourself into a corner. Two scenarios come to mind:
            An active emergency requires that a site be shut down immediately; IT should have the option of doing that if the the emergency warrants it.

            Cases where departmental contacts are non-responsive and IT must take action to prevent or stop problems.
            In these cases like these, IT should be able to simply shut a site down quickly (and probably non-billable-ly), and sort things out later with the Customer.
            As an update, the current template language that our Agreements Committed agreed to: “Upon notification, UNM IT reserves the right to bill, at our standard hourly rate or expedited service rate, for any avoidable situations in which extra time is being required of UNM IT staff.”

            http://mysos.unm.edu/ seems like a good idea. As long as it’s not on dept2.unm.edu and dept2.unm.edu is down.
            [IN PROGRESS] It’s going to be on a different server than the downed websites/apps. We use the F5 to to check and redirect.

    • #128
      susier
      Participant
      • Recommend replacing “Department” with the more general “academic unit” throughout.
      • $75/hour charge should be a link to a separate schedule that will be updated periodically, rather than being hardwired into the SLA.
      • #165
        mdcarter
        Participant

        Using the phrase “academic unit” is actually more limiting in my opinion.  There are many “administrative units” and “student organizations” that use this service as well. An alternative phrase that can encompass the different campus groups might be more appropriate.

        I think a definition of terms should appear at the top of the document that would define such phrases used throughout the SLA document. For example, “User” could be interpreted as the User of the service or the visitor to a website. It is sort of defined in the General Overview so that may not be the best example.

         

         

         

         

        • #561
          tbui
          Keymaster

          @mdcarter:
          I think a definition of terms should appear at the top of the document that would define such phrases used throughout the SLA document. For example, “User” could be interpreted as the User of the service or the visitor to a website. It is sort of defined in the General Overview so that may not be the best example.
          [IN PROGRESS] I could not agree more. In the “Mobile App Distribution SLA,” the definition for “End Users” was spelled out under the “End Users Responsibilities” section. I’m going to sneak the language in and bring this to Agreements next time for review.

      • #560
        tbui
        Keymaster

        @susier:
        Recommend replacing “Department” with the more general “academic unit” throughout.
        We do intend to provide this service to all departments and not just academic units.

        $75/hour charge should be a link to a separate schedule that will be updated periodically, rather than being hardwired into the SLA.
        [IN PROGRESS] Our Agreements made the same feedback – referencing the Service Catalog page. This will be changed.

    • #136
      vnarducc
      Participant

      I would only like to echo the concerns that @steely brought up about nightly snapshot backups and restorations, as I too have found myself in a spot where the hosts ability to do this has saved me from a total disaster.

      Obviously regular local backups are extremely important for us to execute, but I apologize that I am still somewhat confused… So IT will perform a backup/restore service but this is an additional cost on a yearly basis? Or this is an additional cost on an hourly basis?

      In my experience, the need for this kind of restore is basically the very last resort and failsafe and is only used in a catastrophe (i.e. hacking).

      Thanks to everyone who commented on many of the additional items too.

    • #139
      elisha
      Participant

      This is a general question related to all of the SLAs, but I’m especially interested in the answer as it pertains to this one. The KSA report defined “Enterprise” as something that is “Exclusively offered by a Central Entity.” Does adoption of this SLA, then, force adoption of Central IT hosting for all websites, or is this SLA an attempt to describe a service that is currently offered as an option for departments? Some definition of that in the scope would be helpful.

      Under Metrics & Logs, I am not familiar enough with C-Panel to know specifically what they are referring to, although I can guess. It does raise the question, though should the SLA be describing features of the product (help documentation) or should it be more focused on what services are being provided and what level of service users should expect?

      Under the section UNM IT provides:

      I would specify that “<span style=”line-height: 1.5;”>Support services via UNM IT Service Desk” are limited to support of this as a service, and not applicable to support for end users of the department’s web sites or services, unless the intention is to triage those at the support desk.</span>

      Is any level of “systems operations” a shared responsibility? What are the limitations of access and configuration available to end users?

      Can we get more definition on “<span style=”line-height: 1.5;”>Basic system level backup processes and disaster recovery;” Does this include off site backups? With what frequency? How is Disaster recovery handled? Are on-demand snapshots possible?</span>

      How are notifications handled for up/down monitoring?

      2.1.1 – If a department does not want to adhere to the bullets listed (I don’t recommend it, but it happens), they should use a different service? I know this isn’t the intention of this SLA, but it seems like it would be more universally beneficial to have a collaborative group define what the branding, security, documentation, administration, etc. standard are for departments supporting web sites and services.

      Is there a way for departmental admins to perform ad hoc snapshots and restores of their systems? This has been critical for some of our web applications.

      Is there an effort to create web standards for anything other than the PHP/MySQL? If the intention is to move websites to an exclusive service, limiting the boundary to PHP/MySQL may just create incentives for people to use Ruby or ASP or something else.

      24 hour notice of suspension of service is very short. I know there are emergencies, but the provision just says failure to comply with the agreement, which could mean anything from an egregious failure to a website using more than the allowable storage. It would be good to see something that outlined the levels of infraction and escalation response.

       

      2.2.1 – can we be more specific than “a few days”?

      3.2 – if the service features are documented in the service catalog, what are the terms for updating the service features and catalog under the SLA? Should the SLA be product specific to cPanel and Softaculous, or more descriptive of the services those programs provide?

      Under “<span style=”line-height: 1.5;”>Bring to the Customers’ attention any situation in which extra time is required of UNM IT” what are the correlated responsibilities of IT when extra time is required due to lack of Central IT staff planning, knowledge, or implementation practices? How is fault determined? What happens when it is shared?</span>

      4.3 Escalation – What recourses are available to the customer beyond contacting the service owner?

      7 – How are changes to the maintenance window negotiated with customers?

      Thanks, Tuan. Please don’t take any of these comments to be dismissive of the work that has already gone into this document. It just seems to me that an SLA should include more definition, especially if we are heading toward exclusive provision of services.

      • #562
        darruti
        Participant

        Hi Elisha.  I’ll attempt to respond to a couple of your comments:

        “This is a general question related to all of the SLAs, but I’m especially interested in the answer as it pertains to this one. The KSA report defined “Enterprise” as something that is “Exclusively offered by a Central Entity.” Does adoption of this SLA, then, force adoption of Central IT hosting for all websites, or is this SLA an attempt to describe a service that is currently offered as an option for departments? Some definition of that in the scope would be helpful. ”

        UNM IT intends to complete SLAs for all of our services whether enterprise or supplemental so that users can better understand the service we are offering.  Per the President’s timeline, our immediate focus is on enterprise SLAs identified through the KSA review (and that is the nature of your question).  As of this moment there has not been a directive to exclusively use those services classified by KSA as enterprise, whether provided by IT or another unit.   We have only been asked to document the service and collect and incorporate feedback for review by executive leadership.  Any steps beyond that are to be determined.  Certainly the articulation of  the service and input from the community will better inform any next steps.    

        “4.3 Escalation – What recourses are available to the customer beyond contacting the service owner?”

        We will work on the language in this section to better articulate.  Thanks.

        Tuan will follow up on other open items.

    • #149
      ccovey01
      Participant

      Tuan,

      My thanks as well for taking the time to reply to all of these responses, in detail, and for being receptive to the suggestions made – Chad

      • #241
        tbui
        Keymaster

        My thanks as well for taking the time to reply to all of these responses, in detail, and for being receptive to the suggestions made – Chad
        Chad, thanks for the kind words! All of us here at IT realized very quickly how amazing discuss.unm.edu was soon after it went live as it allowed us to received feedback like yours and others.

        With regard to your praise for “being receptive,” just wait until you see me put my foot down.

    • #161
      mdcarter
      Participant

      My assumption based both on discussions and this SLA is that the goal is to move all sites currently hosted on IT’s departmental web servers to the cPanel servers.  My question is related to the 256mb space limit provided, somewhat mirroring Sharon’s comments above.

      1.  Has an audit been conducted looking at the size/quota of websites currently hosted on the Departmental web servers?  I know of and work with many departments that have quotas well over the 256 amount.  I would be curious to know the ranges and averages (mean , median and mode).

      2.  The idea of cPanel is great in terms of easily managing multiple sites under a single account.  For example, we currently host 30+ sites in a single NetID account.  That account has a significant quota.  I feel the limiting of disk space per account will encourage users to simply create a new NetID when space is an issue and they have multiple sites.  This creates more NetID and cPanels account that need to be managed on the IT side of things. However, I would prefer to manage everything in one account.

      • #243
        tbui
        Keymaster

        My assumption based both on discussions and this SLA is that the goal is to move all sites currently hosted on IT’s departmental web servers to the cPanel servers.  My question is related to the 256mb space limit provided, somewhat mirroring Sharon’s comments above.

        1.  Has an audit been conducted looking at the size/quota of websites currently hosted on the Departmental web servers?  I know of and work with many departments that have quotas well over the 256 amount.  I would be curious to know the ranges and averages (mean , median and mode).
        We have not done an official audit, but we do collect that metric on websites.unm.edu (this website has restricted access) – big thanks to Farid Hamjavar at IT for maintaining it. It lists all 900+ websites on Dept2, and their quotas and usages. I can provide mean/median/etc. at a later date.

        2.  The idea of cPanel is great in terms of easily managing multiple sites under a single account.  For example, we currently host 30+ sites in a single NetID account.  That account has a significant quota.  I feel the limiting of disk space per account will encourage users to simply create a new NetID when space is an issue and they have multiple sites.  This creates more NetID and cPanels account that need to be managed on the IT side of things. However, I would prefer to manage everything in one account.
        (IN PROGRESS) Agreed to both points. Though, I do not have a good answer at this point due to the model in which cPanel is designed with. I will bring back to the implementation team for feedback.

    • #163
      mdcarter
      Participant

      The phrasing of the second bullet in 3.2 seems misleading to me:

      “<span style=”line-height: 1.5;”>Track websites’ and visitors’ activity and provide Users with access to this data;”</span>

      I assume what you are saying here is the IT will maintain web server access logs.  Tracking visitor’s activity could mean something much more “NSA” to some reading it.

       

      • #242
        tbui
        Keymaster

        The phrasing of the second bullet in 3.2 seems misleading to me:
        “Track websites’ and visitors’ activity and provide Users with access to this data;”

        I assume what you are saying here is the IT will maintain web server access logs.  Tracking visitor’s activity could mean something much more “NSA” to some reading it.

        Good point. The tool is tracking stats similar to Google Analytics. Perhaps a better wording would be: “Track visitors’ pageviews, sessions, and visits using system logs, and provide Users with this data.” The pageviews, etc. were examples as cPanel uses different terms than Google Analytics.

    • #166
      mdcarter
      Participant

      Policy 2570 should be referenced somehwere in the SLA.
      Policy 2570: Official University Webpages –
      https://policy.unm.edu/university-policies/2000/2570.html

       

      • This reply was modified 8 years, 3 months ago by mdcarter.
      • #237
        tbui
        Keymaster

        Policy 2570 should be referenced somehwere in the SLA.
        Policy 2570: Official University Webpages –
        https://policy.unm.edu/university-policies/2000/2570.html
        Agreed. I think this should be included under Web Admins/Developers Responsibilities per policy’s:
        “Staff, faculty, students, and contractors authorized to develop official webpages for any administrative or academic unit of the University, including webpages of the Health Sciences Center and branch campuses, should comply with the requirements of this policy.”

    • #172
      erooney
      Participant

      This draft of the SLA states that departmental/local IT will be the first line of support. Will there be any Operating Level Agreements (OLAs) between the centralized provider and local IT to support the customer? If a customer is going to rely on this agreement, then the central provider and the departmental IT group need to be in sync in terms of support. How will this agreement be structured for customers without departmental IT expertise for this service?

      This also applies to other centrally provided services where the centralized provider’s SLA relies on departmental IT for any kind of triage or support. There needs to be an OLA in place defining how these groups work together in support of the SLA.

      • This reply was modified 8 years, 3 months ago by tbui.
      • #232
        tbui
        Keymaster

        @ erooney:
        This draft of the SLA states that departmental/local IT will be the first line of support. Will there be any Operating Level Agreements (OLAs) between the centralized provider and local IT to support the customer? If a customer is going to rely on this agreement, then the central provider and the departmental IT group need to be in sync in terms of support. How will this agreement be structured for customers without departmental IT expertise for this service?
        (IN PROGRESS) Having OLAs in place between central IT support and departmental IT local support is a great idea. I’m not sure if we are there yet though. I will bring this question up at this Friday IT Agreements meeting for feedback.
        For departments without departmental IT expertise for this service, IT would provide support directly.

        • This reply was modified 8 years, 3 months ago by tbui.
    • #183
      gogogo
      Participant

      Oops, one more thing. I hope it’s not too late!

      Currently, I believe that IT has Zend_Framework code stored in a centralized location so that users don’t have to consume quota for that. It would be great if that service was mentioned in the SLA.

      For completeness’ sake I would suggest something like this (using semi-fictitious versions):

      • /path/to/zend/1/
        • 1.12.13/
        • 1.12.14/
        • 1.12.15/
        • etc.
      • /path/to/zend/2/
        • 2.4.7
        • 2.4.8
        • 2.4.9
        • etc.

      In other words, keeping past versions as well as the latest versions.
      These don’t have to be full packages, but just the basic deployment code.

      In addition, it might be useful to have something like /path/to/zend/1/latest that’s a symlink that always points to the latest version, whatever that is. So, in for the examples I gave above:

      • /path/to/zend/1/latest -> /path/to/zend/1.2.15
      • /path/to/zend/2/latest -> /path/to/zend/2.4.9

      Because both versions are fairly stable, developers don’t have to worry (much) if they use latest, and rely on IT to update the framework as needed. Having the ability to point to any version provides maximum flexibility, if needed.

      Please let me know if any of this is unclear.

      Thanks!

      Greg

       

      • #231
        tbui
        Keymaster

        @ gogogo:

        Currently, I believe that IT has Zend_Framework code stored in a centralized location so that users don’t have to consume quota for that. It would be great if that service was mentioned in the SLA.
        I like this idea, and I would like to explore expanding the language to state “shared libraries” instead of limiting it to just Zend. I will bring this back for review.

        In addition, it might be useful to have something like /path/to/zend/1/latest that’s a symlink that always points to the latest version, whatever that is. So, in for the examples I gave above:

        /path/to/zend/1/latest -> /path/to/zend/1.2.15
        /path/to/zend/2/latest -> /path/to/zend/2.4.9

        In your experience, is it possible to link to Zend via http? I’m thinking architecture-wise, for websites sitting on different cPanel boxes, it is better to have Zend hosted on a central box that websites on all of the other cPanel boxes can refer to without resorting to shared drives. If Zend can only be included locally as your example stated, then each cPanel box would have to have Zend on there somewhere.

    • #244
      gogogo
      Participant

      Tuan:

      Regarding other libraries: Indeed. I’m Zend-centric, but that’s by tradition. It might be worthwhile to consider PECL and PEAR, as well.

      Regarding using URLs for paths to the Zend library: this could be possible. php has the ability to read files from http URLs, but I don’t know if the autoloader code can deal with them. Zend_Framework (and all other php libraries that I know of) use a method of naming classes that will help an Autoloader to find and then include files. This emulates Java’s class loader but is much less formalized. So, for example, suppose that I evoke an object: $cool = new Zend_Cool_Class(). The Autoloader starts looking through the path variable for zend/cool/class.php, which must then contain a class Zend_Cool_Class(). Essentially, it’s replacing underscores with slashes with some rules to make it easier for developers.

      In addition, the framework allows users to create their own namespaces, for example ‘UNM_Extlearn_’, along with an optional path ‘users/el/Sites/application/modules/unm/extlearn/’. In that case if I evoke an object: $person = new UNM_Extlearn_Person(), then the framework’s Autoloader will know to look for the class code in ‘users/el/Sites/application/modules/unm/extlearn/Person.php’. The framework assumes a number of paths that are used by convention, and users are free to modify those (at their own risk) or add others. This functionality makes it easy to include other libraries, as well, and as you can see, since classes must be named correctly, namespacing is automatic.

      So, it’s a tangled web and elegant in its way. I would say the bottom line is that it’s probably best to use actual filesystem paths.

      Thanks,
      Greg

      • #558
        tbui
        Keymaster

        Hi Greg,

        Regarding other libraries: Indeed. I’m Zend-centric, but that’s by tradition. It might be worthwhile to consider PECL and PEAR, as well.

        Regarding using URLs for paths to the Zend library: this could be possible. php has the ability to read files from http URLs, but I don’t know if the autoloader code can deal with them. Zend_Framework (and all other php libraries that I know of) use a method of naming classes that will help an Autoloader to find and then include files. This emulates Java’s class loader but is much less formalized. So, for example, suppose that I evoke an object: $cool = new Zend_Cool_Class(). The Autoloader starts looking through the path variable for zend/cool/class.php, which must then contain a class Zend_Cool_Class(). Essentially, it’s replacing underscores with slashes with some rules to make it easier for developers.

        In addition, the framework allows users to create their own namespaces, for example ‘UNM_Extlearn_’, along with an optional path ‘users/el/Sites/application/modules/unm/extlearn/’. In that case if I evoke an object: $person = new UNM_Extlearn_Person(), then the framework’s Autoloader will know to look for the class code in ‘users/el/Sites/application/modules/unm/extlearn/Person.php’. The framework assumes a number of paths that are used by convention, and users are free to modify those (at their own risk) or add others. This functionality makes it easy to include other libraries, as well, and as you can see, since classes must be named correctly, namespacing is automatic.

        So, it’s a tangled web and elegant in its way. I would say the bottom line is that it’s probably best to use actual filesystem paths.

        I believe that this can be done, but it will be less elegant than what we had in the past. The Dept-Web environment uses NFS which allows our 6 web servers to share the same storage. The cPanel environment are siloed – i.e., websites are spread across multiple servers. As we are moving our systems to vCloud Air, shared storage is discouraged in new environments. One option that we can do to enable shared libraries across the websites is to have a local copy of the libraries on each cPanel server. There might be other more graceful solutions. I’ll bring the topic up for discussion at the next IA-meeting (March, 2016).

    • #245
      gogogo
      Participant

      Howdy:

      This is echoing Elisha’s comment: what’s the purpose of this SLA? Is it to:

      1. Define a Service that IT is offering and is optional for units to use?
      2. Define a Service that IT is offering and is required for units to use?

      This leads to some questions:

      If the IT service is optional, and units choose to use their own internal resources to provide the service for their own use, are they also required to abide by the SLA?

      If a unit chooses to partner with another unit to provide these services, will both units be required to implement and abide by the IT SLA?

      Thanks!
      Greg

      • #563
        darruti
        Participant

        Hi Greg.  Hopefully the response just posted to Elisha’s comment helps to clarify.  With regards to the follow on questions:

        “If the IT service is optional, and units choose to use their own internal resources to provide the service for their own use, are they also required to abide by the SLA?  If a unit chooses to partner with another unit to provide these services, will both units be required to implement and abide by the IT SLA?”  

        Much as we have been asked to work on SLAs for those services categorized by KSA as enterprise, we have also been asked to work on standards for those services categorized by KSA as supplemental.  The standards would be the relevant resource and guide for any unit providing a service in those supplemental areas.

        • This reply was modified 8 years, 2 months ago by darruti.
    • #248
      cdean
      Participant

      Echoing Elisha and Greg, I’m a little confused about the whole concept of the Enterprise services. Are these SLAs being written because there is a mandate that everything considered Enterprise must only be offered by Central IT or is there an exception process by which a unit/department can maintain their autonomy, perhaps by meeting a standard (which at this point, doesn’t exist)? When I look at the list of Recommended Enterprise Services (which I understand are now accepted/approved, not simply recommended) as documented in the Business Model memo dated 10/7/15 from the Main Campus IT Strategic Advisory Committee to the Main Campus IT Executive Governance Committee, I see 26 services, many of which could well have multiple sub-services, covering a multitude of areas. As an example, Individual Software Purchases, Mobile Device Management and Web Page Development are all listed. It’s hard for me to wrap my brain around these services being only offered via an Enterprise model. Can someone please clarify?

      Thanks,
      Cyndi Johnson

      • #249
        erooney
        Participant

        Along those same lines, are there any discussions about what the Enterprise service offerings should be rather than just wrapping an SLA around existing services that may or may not meet campus needs? There were a couple of responses that dismissed SLA feedback as “not an SLA question” (not in the Web Hosting SLA thread), but if there are gaps or fundamental problems with the service offering this is an opportune time to engage an already-engaged community.

Viewing 21 reply threads
  • The topic ‘Department Web Hosting SLA’ is closed to new replies.