Systems I've built and stewarded
A selection of the technical initiatives I've led or contributed to — at UVA and beyond.
ARMS & SARM — closing the IAM governance gap
A community proposal I've been developing for the higher-ed identity community (Internet2 / InCommon): an interoperability spec and reference implementation for the part of identity governance that the existing standards haven't reached.
The gap
SCIM standardized the edges of the identity lifecycle — provisioning and deprovisioning — but the governance middle has no shared standard or common platform. Attestation and recertification (a manager certifying their reports' access, a group owner validating members, a list owner confirming a list is still needed) shows up as a feature in many tools but as the focus of none. Every institution ends up rebuilding it from scratch, in slightly different ways, with no interoperability between them.
SARM — the specification
System for Attestation & Recertification Management. A draft interoperability spec, modeled on SCIM's approach. The long-game standards play — making it possible for governance tooling to interoperate the way provisioning tooling already does.
ARMS — the reference implementation
The open-source reference implementation that demonstrates SARM in practice. Includes a "protocol inspector" tool that lets any institution wire up their own data source and validate it against the spec. Concrete software, not just paper standards.
Core IAM work at UVA
The projects that keep authentication and authorization running reliably for tens of thousands of people at the University of Virginia.
NetBadge Modernization
UVA's primary authentication platform — the thing that validates every login across the university. This initiative modernized the platform's architecture, improved reliability and failover posture, and laid groundwork for a better developer and end-user experience. The challenge was doing this without ever dropping the ball for the people depending on it.
Identity Governance
Building the policy frameworks and technical controls that govern how identity data is managed, how access is provisioned and de-provisioned, and how the university maintains a clear picture of who has access to what. Governance is the unglamorous work that makes everything else trustworthy.
PAM Expansion
Extending privileged access management controls across the identity portfolio. Privileged access is where most serious breaches begin — bringing PAM controls to more of our infrastructure reduces that surface area and creates the kind of auditable, governed access patterns that security and compliance teams need.
Cloud & Infrastructure Migration
Modernizing how identity services run — moving from legacy on-premises deployment patterns toward cloud-aware infrastructure. The work involves careful migration strategy, maintaining continuity for production services, and taking advantage of modern deployment capabilities without disrupting what's working.
UVACollab — from re-architecture to a graceful sunset
Before moving fully into the identity portfolio, I led the technical organization behind UVACollab, UVA's primary collaboration and learning platform. The work spanned three threads: re-architecting how it ran, doing substantial application-level engineering in the Sakai codebase that powered it (most notably a complete rewrite of the search subsystem), and guiding the multi-year effort to retire it well.
Re-architecting the platform (2016)
One of my first projects after joining UVA in 2016 was to re-architect UVACollab's deployment and supporting infrastructure. The design I delivered was a 12-node Docker Swarm running on bare metal, spread across two Dell M1000e blade chassis in two physical data centers — giving UVACollab true site-level redundancy on infrastructure the team owned end-to-end.
That platform ran UVACollab continuously from 2016 until retirement. Across roughly seven years of production service, it only ever absorbed downtime that originated elsewhere — adjacent systems, networks, dependencies. The Swarm itself never crashed. For a homegrown bare-metal cluster carrying a university-wide platform, that's the outcome you hope for and rarely get.
Rewriting the search subsystem
One of the larger pieces of application-level engineering I did on UVACollab was a complete overhaul of its search subsystem. Sakai's search history has its own arc: originally Apache Lucene, then a move (upstream, by others) to Elasticsearch in an embedded pattern — ES running inside the Java application. When Elastic deprecated the embedded pattern, I led the work to shift UVACollab to external Elasticsearch, and used the opportunity to redesign the indexing approach entirely rather than just port the old one.
The new pipeline introduced multiple find-then-extract passes for content indexing, giving us much better fidelity over the kinds of content Sakai tools produce — assignments, forums, lessons, wikis, resources. On the query side, I wrote a custom Elasticsearch plugin in Java that, during aggregated queries, calls back into Sakai's authorization API to evaluate permission questions inline. The result: search results that respect Sakai's site- and tool-level access controls at the aggregation layer, with accurate counts and result sets, instead of the more common pattern of returning everything and post-filtering in the application.
Code lives at github.com/dnhutchins/es-plugin (the custom Elasticsearch plugin) and within the search module at dnhutchins/collab_work (the broader UVACollab fork — its top-level README is the upstream Sakai README and describes the earlier embedded approach, not this work).
The retirement project
UVACollab served the university community for years as a central collaboration platform. As newer services matured and the platform reached the end of its useful life, the work shifted from running it well to retiring it well — coordinating a multi-year migration of users to modern collaboration services, partnering with a steering committee across Grounds, and making sure that thousands of sites and the people behind them landed somewhere they could keep working without disruption.
Sunsetting a system used by an entire university is a different discipline from launching one. It demands patience, stakeholder communication, careful sequencing, and the kind of operational discipline that keeps a platform reliable through its final chapters. The project wrapped successfully — a quiet kind of accomplishment, which is usually the right kind for infrastructure work.
Building, then evolving, how we see production
The homegrown observability story has two acts and follows the same pattern UVA's infrastructure has across many of its services: build what you need when central services aren't on offer; consolidate onto enterprise platforms when they catch up.
Building agility when central services didn't yet exist
I first stood up Graylog and the TICK stack on the bare-metal UVACollab Docker Swarm in 2016 — there was no organizational option, and a platform of that scale needed real visibility. When I moved into Identity as Manager, I carried the same pattern over to the IAM infrastructure (this time running Docker in VMs from UVA's central VMware group rather than on bare metal). Same homegrown stack, adapted to the new environment, same reason: it was still the only way to get the observability we needed.
Centralized Log Aggregation (Graylog)
Graylog-based log aggregation across both UVACollab and later identity services, creating a single place to search, alert on, and understand what was happening across the distributed systems. It was the right tool for the moment — exceptional at giving the team the agility we needed.
Metrics & Dashboards (TICK Stack)
The TICK stack (Telegraf, InfluxDB, Chronograf, Kapacitor) for time-series metrics, alerting, and operational dashboards. The goal was always the same: catch problems before users did, and understand the systems well enough to make confident changes.
Knowing when to consolidate
During my time in the Manager role, UVA's central capabilities matured and other teams began offering log management and infrastructure monitoring as enterprise services. Maintaining a parallel internal stack was no longer the higher-leverage investment. I led the efforts and teams that migrated identity's observability workloads off of the homegrown Graylog and TICK platforms and onto Splunk and LogicMonitor.
Migration work like this is rarely glamorous and almost always undervalued. It means giving up tools you built and trust, re-establishing the operational muscle memory of an entire team on new platforms, and proving along the way that you can land a moving service on a different runway without dropping it. Done right, it leaves the organization with less fragmentation, more leverage from shared platforms, and a team that's just as confident in production as before.
Container infrastructure
Docker Swarm — bare metal, then VMs
Docker Swarm has been the consistent container substrate across both portfolios. On UVACollab, it ran on a 12-node bare-metal cluster across two Dell M1000e blade chassis in two data centers (see the UVACollab section for the full story of that platform). On Identity, the same orchestration pattern moved on top of VMs provided by UVA's central VMware group — letting the identity team focus on services rather than physical infrastructure while keeping the operational model the same.
Things I build on my own time
The experiments, hardware hacks, and side projects where curiosity drives the work and I get to choose the constraints.
Cubic Life
A 3D cellular automaton built in three.js — Conway's Game of Life extended into volumetric space. I find this kind of automata genuinely fascinating: a few simple rules running over a grid produce structures that feel alive. It's a subtle nudge that life itself might just be math at a sufficiently large scale.
cubiclife.fun →ETC Express Reverse Engineering
Reverse-engineering the control surface of a legacy ETC Express 24/48 lighting console and developing an interface to use it as a modern EOSNomad-compatible programming and fader wing. Where theater meets systems work — and where keeping old, well-built hardware useful is its own kind of reward.
View on GitHub →LED Wash Cube
A 5×5 RGB LED panel for webcam wash lighting. The kind of project where commercial options exist and I built one anyway — partly because I wanted it cheaper, mostly because I wanted to understand it.
View on GitHub →Local AI / LLM Experimentation
Running local language models at home — experimenting with inference, tool use, and exploring where these tools genuinely help versus where the hype outpaces the reality. Model on hardware I control, no telemetry, no rate limits, no external dependencies.