ED-ID Group Entries Explained

Author Daniel Fisher
Date 2005/11/04

Introduction

The addition of groups to the Enterprise Directory provides a powerful tool for developers to leverage Registry data in their applications.
This document explains what the virginiaTechGroup object class is for and why someone might create a group for their own purposes.

Group Entry Information

A group is an arbitrary collection of zero or more people that exist in the Registry.
If your application needs to authorize or display certain information based on a custom group of people then a group may simplify your application.
What follows are the group attributes which are of particular importance.

uugid

The unique identifier of a group is known as the uugid, which stands for universally unique group identifier.
This attribute contains the unique name of a group.
It must start with an alphanumeric, contain only alphanumerics, dots, underscores, and dashes, and end with an alphanumeric.
It must be between 4 and 64 characters long.
This is the attribute you will use to access your group in the directory.
A group with a uugid of 'middleware.staff' could be accessed at uugid=middleware.staff,ou=Groups,dc=vt,dc=edu

member

This attribute contains the contents of a group.
You can add any person that exists in the Registry to this attribute, as well as other groups.
Our implementation does not define what these relationships mean; that is up to whoever is using the group.
What does it mean for a group to be a member of another group? That is up to you.

groupMembership

This attribute contains all the groups that this group is a member of.
This provides a mechanism to traverse up to parent groups if necessary.

administrator

This attribute contains the people DNs who are responsible for managing the group.
Any person in this list is allowed to change any and all the data associated with this group, including deletion of the group.

viewer

This attribute contains the service DNs allowed to view the data in ED-ID.
If an administrator sets this attribute then only those services listed will be able to see the group data.
If this attribute is not set, then group membership data will be publicly and anonymously available in ED-Auth.

contactPerson

This attribute contains the DN of the person responsible for this group.
This person will receive e-mail concerning this group, including notices concerning group expiration.

expirationDate

This attribute contains the date on which this group will be deleted from the Enterprise Directory.
When a group is created its expiration date is set to one year from its creation date and may be renewed at any time.
Several notifications will be sent to the group contact prior to group deletion.

Person Entry Information

A person contains the groupMembership attribute which can be inspected to determine which groups a person is a member of.
This attribute is only viewable to an authenticated person; it is not available anonymously.
Typically you would inspect this attribute after authenticating the person.

Access Control

As stated above, the viewer attribute is what controls who can view your group data and how it must be accessed.
If this attribute is empty then your group membership will be available for anyone to inspect in ED-Auth.
If this is acceptable then it provides the easiest way to access your group data.
Otherwise your group data can only be accessed by the services you specify in ED-ID.
This allows group administrators some flexibility in how they access group data and address privacy concerns.
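
The following is an added example, not code from the Enterprise Directory project: a group administrator's check that validates a uugid against the naming rule above before building its DN, then flags groups whose viewer attribute is empty (membership public in ED-Auth) or whose expirationDate is near. The entry layout (a dict of attribute lists), the date type, the 30-day warning window and the sample service DN are assumptions made for the illustration.

```python
import re
from datetime import date, timedelta

# uugid rule from this page: 4-64 characters, alphanumeric first and last,
# only alphanumerics, dots, underscores and dashes in between.
# Assumption: "alphanumeric" means ASCII letters and digits.
UUGID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{2,62}[A-Za-z0-9]")
GROUP_BASE = "ou=Groups,dc=vt,dc=edu"  # base DN as given on this page


def group_dn(uugid):
    """Build the group DN; the rule also keeps DN metacharacters (, = +) out."""
    if not UUGID_RE.fullmatch(uugid):
        raise ValueError(f"invalid uugid: {uugid!r}")
    return f"uugid={uugid},{GROUP_BASE}"


def audit_group(entry, today, warn_days=30):
    """Return findings for one group entry (dict: attribute -> list of values)."""
    findings = []
    if not entry.get("viewer"):
        findings.append("viewer unset: membership is public and anonymous in ED-Auth")
    for exp in entry.get("expirationDate", []):
        if exp - today <= timedelta(days=warn_days):
            findings.append(f"expires {exp.isoformat()}")
    return findings


def audit_all(entries, today):
    """Map each group's DN to its findings, skipping groups with none."""
    report = {}
    for entry in entries:
        findings = audit_group(entry, today)
        if findings:
            report[group_dn(entry["uugid"][0])] = findings
    return report


# Constructed sample entries; the service DN and date type are placeholders.
SAMPLE_GROUPS = [
    {"uugid": ["middleware.staff"],
     "viewer": ["cn=example-service,dc=example,dc=invalid"],
     "expirationDate": [date(2006, 11, 4)]},
    {"uugid": ["example.open-group"],
     "viewer": [],
     "expirationDate": [date(2005, 11, 20)]},
]

if __name__ == "__main__":
    for dn, findings in audit_all(SAMPLE_GROUPS, date(2005, 11, 4)).items():
        print(dn, findings)
```
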

Group Usage

We designed the groups system in an attempt to be all things to all people.
We don't know what a group means to you or how you plan to use it, so hopefully our system is simple enough and flexible enough to solve your problem.
We expect the most common use of a group is to perform authorization decisions or customize display options.

Creating a group

Group creation will be performed via a portlet in the MyVT portal.
More information will be available when groups are released to the general public.

middleware/ed/edid/groups/explained.txt · Last modified: 2013/04/09 11:07 (external edit)