The eduPersonAffiliation and eduPersonPrimaryAffiliation person attributes provide data about how people are affiliated with Virginia Tech, but each is meant for a different audience. This paper will clarify what each attribute is meant to be used for, what their possible values are, and give some examples of when they might be used.
The eduPersonPrimaryAffiliation attribute is an attribute used to communicate, to other institutions, the most basic affiliation a person has with Virginia Tech. This attribute is used in conjunction with systems like Shibboleth1) to allow other universities to make authorization decisions about this person. This attribute should NEVER be used by internal Virginia Tech systems for purposes of authorization, it is strictly meant as an external, to VT, facing attribute.
|alum||This value is set for any person who is an alumnus of Virginia Tech.|
|student||This value is set for any person who is currently taking a class at Virginia Tech. If a student is not currently taking a class, for whatever reason (e.g. during the summer), they are not marked as a student in their primary affiliation|
|faculty||Any active, meaning not retired, faculty of Virginia Tech|
|staff||Any active, meaning not retired, staff of Virginia Tech|
|affiliate||A person who is temporarily associated with Virginia Tech such as extension personnel or ROTC officers.|
As mentioned above this attribute is not to be used by internal VT applications but is instead used when communicating with other universities. Here are a few examples of how it may be used.
The eduPersonAffiliation attribute gives all the affiliations a person associated with Virginia Tech has with the university. This attribute is meant to be used by internal applications, and will often be used in authorization logic. It’s vitally important to realize that this attribute can, and almost always will, have more then one value, which is a change from the current affiliation tracking systems. Also, unlike the current affiliation tracking systems, the Enterprise Directory tracks affiliations of individuals not traditionally affiliated with VT. Therefore to differentiate between these other individuals and traditional VT affiliates a namespace identifier has been pre-pended to the affiliation names. Current the two namespaces identifiers are “vt” which identify people traditionally affiliated with VT and “vcom” which identifies individuals affiliated with the Edward Via College of Osteopathic Medicine (VCOM).
Many affiliations form hierarchies. These hierarchies are shown below. With the hierarchies a person of a given affiliation is also listed as having affiliations of those ancestors of their affiliation. For example, using the VT hierarchy diagram below, a person who is a vt-employee-prehire, is also a vt-employee and vt-active-member. These hierarchies are constructed such that as you ascend them the affiliations become more broad and inclusive.
See Affiliation Definitions maintained by IMS.
The affiliations above can be used, in conjunction with other person information stored in the Enterprise Directory, to construct very powerful authorization and personalization logic in an application. Here are some examples of this: