Groups

Overview

Groups functionality is provided by Middleware as a way to associate people that have a VT account (uupid). This information can then be retrieved and used by VT University applications for various purposes:

  • authorization to access resources
  • customization of web application displays
  • association for collaboration on a project
  • etc.

The most common use of the groups functionality is expected to be for authorization to access electronic resources - data, services, etc. - in a flexible and delegated way.

Groups are designed to be flexible:

  • A group can contain individual people as well as services and other groups.
  • Group management can be delegated to associated people and services. The type of management permitted for a given associated entity is determined by its assigned role. Supported roles are contact, administrator and manager.

Groups are created in the Registry and replicated to the Enterprise Directory.

Background

Group functionality was developed by Middleware to provide a powerful tool for VT developers to leverage Registry data in their applications. It is designed to be all things to all people - simple and flexible so that it can solve many types of problems.

Details

Properties - Explained

uugid

The term uugid refers to the unique identifier for a group and stands for “universally unique group identifier”. Every group is required to have a uugid. A uugid's value is made up of nodes, where a node is the run of characters between periods (dots). The term 'group prefix' refers to the part of a uugid up to the last period.

In order to avoid naming conflicts, creation of the first group for a department, etc. must be requested from IMS. The uugid included in the request must satisfy the naming conventions established by IMS to prevent naming conflicts, which are explained on the referenced site. The term 'initial prefix' refers to the group prefix of this uugid. Once this first group is created, its administrator can create additional groups, with the restriction that each new group has a uugid that starts with this initial prefix. By convention, the initial group created by IMS often does not contain any members.

Example:
The Alumni Association requests their first group with the uugid 'alumni'. Since this matches a DNS entry that they 'own', this is acceptable and the group is created. The Alumni Association then creates several groups

alumni.virginia
alumni.maryland
alumni.virginia.northern.region
alumni.virginia.central.region

etc. Note that the group prefix of each created group starts with the initial prefix assigned by IMS.

Restrictions on uugid values:

  • overall length: 1 to 128 characters
  • node length: 1 to 16 characters
  • allowed characters
    • alphanumerics, hyphen (dash), and dot (period)
    • first character must be alphanumeric
    • if uugid length < 4, only alphanumerics are permitted
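The uugid restrictions above and the initial-prefix rule for delegated group creation, as an added example (not code from Middleware or the DAT/GMS). The check in may_create compares whole nodes rather than raw string prefixes, so that a value such as 'alumnix.x' is not accepted under the initial prefix 'alumni'; that node-wise reading, and treating a period-less uugid as its own group prefix, are assumptions.

```python
import re

# Limits taken from the page's "Restrictions on uugid values".
MAX_LEN = 128
MAX_NODE_LEN = 16
ALLOWED = re.compile(r"[A-Za-z0-9.-]+")   # alphanumerics, hyphen, dot
ALNUM = re.compile(r"[A-Za-z0-9]+")


def uugid_errors(uugid: str) -> list[str]:
    """Return every restriction the value violates; an empty list means valid."""
    errors = []
    if not 1 <= len(uugid) <= MAX_LEN:
        errors.append(f"overall length must be 1 to {MAX_LEN} characters")
    if uugid and not ALLOWED.fullmatch(uugid):
        errors.append("only alphanumerics, hyphen (dash) and dot (period) are allowed")
    if uugid and not ALNUM.fullmatch(uugid[0]):
        errors.append("first character must be alphanumeric")
    if uugid and len(uugid) < 4 and not ALNUM.fullmatch(uugid):
        errors.append("values shorter than 4 characters must be purely alphanumeric")
    # Nodes are the runs of characters between dots; an empty node (leading,
    # trailing or doubled dot) fails the 1..16 node-length rule.
    for node in (uugid.split(".") if uugid else []):
        if not 1 <= len(node) <= MAX_NODE_LEN:
            errors.append(f"node {node!r} must be 1 to {MAX_NODE_LEN} characters")
    return errors


def group_prefix(uugid: str) -> str:
    """Part of the uugid up to the last period (page definition). A uugid with
    no period is treated as its own prefix, which is an assumption here."""
    head, sep, _ = uugid.rpartition(".")
    return head if sep else uugid


def may_create(initial_prefix: str, new_uugid: str) -> bool:
    """Delegated-creation check: a department administrator may only create
    groups whose uugid lies below the initial prefix assigned by IMS.
    Node-wise comparison (assumption) keeps 'alumnix.*' outside 'alumni'."""
    if uugid_errors(new_uugid):
        return False
    want = initial_prefix.split(".")
    have = new_uugid.split(".")
    # The initial group already exists, so the new uugid must be strictly longer.
    return len(have) > len(want) and have[:len(want)] == want
```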

display name

e-mail address

suppression options

expiration date

labeled URIs

Membership - Explained

Management - Explained

Access / Management

Group viewing / management options include


User Access

Some web applications are available to users to view and manage groups. They include the Enterprise Directory Administration Tool (DAT) at https://webapps.middleware.vt.edu/dat and the Group Management System (GMS) at https://webapps.es.vt.edu/group-manager.

Permission to use the DAT is controlled by membership in Middleware groups maintained by IMS. The DAT is primarily intended to be used by VT personnel providing support across the University, such as IMS and 4Help employees. Since the DAT is maintained by Middleware, documentation on this site will be at a fairly detailed level.

Permission to use GMS is granted to a group's administrators and managers. GMS is targeted at VT personnel with these group roles. Since GMS is not maintained by Middleware, detailed documentation will not be included on this site. Navigate to the IMS Group Management site for details.

Functionality provided by the web applications:

View

DAT

From the main menu of the DAT, select 'Query a Group' to navigate to the 'Search for Groups' screen. Enter search criteria – using any combination of:

  • contacts
  • administrators
  • members

and start the search. A list of matching groups is displayed. Select the desired group from the list to navigate to the 'Group Information' screen containing a summary of most of the information about the group.

Screen shots

GMS

Create

DAT

From the main menu of the DAT, select 'Create a Group' to navigate to the 'Create a Group' screen. Enter the requested information (uugid, administrator person, and contact person) and initiate the creation. Because of the targeted users of the DAT, no restrictions are imposed on the group prefix of the group identifier, thus allowing the creation of the initial group for a VT department, etc.

Once the group is created, the 'Group Information' screen displays with the main menu updated to include the group functionality permitted for the current user. These DAT management functions on the main menu are used to update group properties, update group management, and update group membership.

Screen shots

GMS

Update

Once a group has been selected, either through new group creation or a search, the 'Group Information' screen is displayed and the main menu includes options for updating the group. The list of options varies according to the permissions granted to the current DAT user.

Properties

DAT
From the main menu of the DAT, select 'Group Info Mgmt' to navigate to the 'Group Information Management' screen. Basic group information is displayed at the top of the screen for reference purposes, providing a way to ensure that the correct group is being updated.

Below the summary information, each group property that can be updated on this screen is displayed with both the current value and a means to update that value. For a user with full group permissions, the updateable values are:

For example, the part of the screen for group display name update shows the current value in an editable field

To change this group property, enter the new display name in the field

and click the button. Once the update is completed, the screen is refreshed. Since the display name is included in the summary information, it is updated both in the summary and in the update part of the screen.

Screen shots

GMS

Management

DAT
GMS

Membership

DAT
GMS

Delete

DAT
GMS

Programmatic Access

Middleware applications exist to automatically maintain the group data, including:

  • Replication of group data from the Registry into the ED Ldap Directory.
  • Scheduled tasks to maintain the integrity of the group data in the Registry.

External applications programmatically access group information to meet the needs of the owning department, etc. Examples include:

Replication

Replication runs continuously to transfer updates made to the Registry data into target systems. For group data, replication has one target system - the ED Ldap Directory. As part of each update to the Registry data, replication of that data occurs immediately.

To do: include schema information

Scheduled Tasks

Tasks run on a configurable schedule to enforce the expiration dates assigned to groups and their associated entities. The group itself has an expiration date. Each member and manager of the group can be assigned an expiration date. When an expiration date is within configured limits, warning notification emails are sent to the group contact(s) about the pending expiration. When the expiration date arrives, the associated entity is deleted and a deletion email is sent to the group contact(s).

Example:

ED Ldap Access

Middleware provides the ED Ldap Directory to allow departments to retrieve VT identity information for authentication, authorization, application customization, etc. using LDAPv3. Group information is part of this information and is continuously kept in sync with the Registry data - see group data replication. Details on accessing the ED Ldap Directory are provided here.

Web Services Access

Middleware provides a set of web services APIs for external applications to use for programmatic access to their group data, both for querying and updating. Refer to the query WSDL for searching functionality. Refer to the manage WSDL for management functionality.

Interacting with these web services requires the use of an ED service for client authentication. In addition, you must be specifically authorized to make web service calls. Contact Daniel Fisher if you would like to use these web service interfaces.

See the Middleware Web Services page for detailed information on Web service architecture, calling conventions, and client usage guidelines.

middleware/ed/group.txt · Last modified: 2015/06/01 12:02 (external edit)