Groups functionality is provided by Middleware as a way to associate people who have a VT account (uupid). This information can then be retrieved and used by VT applications for various purposes:
The most common use of the groups functionality is expected to be for authorization to access electronic resources - data, services, etc. - in a flexible and delegated way.
Groups are designed to be flexible:
Groups are created in the Registry and replicated to the Enterprise Directory.
Group functionality was developed by Middleware to give VT developers a way to leverage Registry data in their applications. It is intended to be simple and flexible enough to solve many different kinds of problems.
A group has the following features:
The term uugid refers to the unique identifier for a group and stands for "universally unique group identifier". Each group is required to have a uugid. A uugid's value is made up of nodes, where a node is the characters between periods (dots) in the value. The term 'group prefix' refers to the part of a uugid up to the last period.
In order to avoid naming conflicts, the first group for a department (or other unit) must be requested from IMS. The uugid included in the request must satisfy the naming conventions established by IMS to prevent naming conflicts, which are explained on the referenced site. The term 'initial prefix' refers to the group prefix of this uugid. Once this first group is created, its administrator can create additional groups, with the restriction that each new group has a uugid that starts with this initial prefix. By convention, the initial group created by IMS often does not contain any members.
For example, the Alumni Association requests their first group with the uugid 'alumni'. Since this matches a DNS entry that they 'own', this is acceptable and the group is created. The Alumni Association then creates several groups, such as:
alumni.virginia
alumni.maryland
alumni.virginia.northern.region
alumni.virginia.central.region
Note that the group prefix of each created group starts with the initial prefix assigned by IMS.
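The prefix rule above, as an added example that is not part of this page or of Middleware's own code: a Python check that a uugid requested by a group administrator lies inside the namespace delegated by the initial group. The node character set, and treating the initial group's uugid (here 'alumni') as the root of the delegated namespace as the Alumni example does, are assumptions; the page's own list of uugid restrictions is not reproduced. The point a practitioner should take from it is that the comparison has to be node-wise: a plain string prefix test would let 'alumni' cover 'alumnix.virginia'.

```python
"""Delegated uugid namespace check.

Added example, not Middleware code. The page gives the rule (every group an
administrator creates must have a uugid that starts with the initial prefix
set up by IMS) but not the exact node syntax, so the allowed characters and
the use of the initial group's uugid as the namespace root are assumptions.
"""
import re

# ASSUMPTION: a node is one or more lowercase letters, digits or hyphens,
# not starting or ending with a hyphen. The page's restriction list is not
# reproduced here.
NODE_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def nodes(uugid):
    """Split a uugid into its nodes, the characters between periods."""
    return uugid.split(".")


def is_valid_uugid(uugid):
    """Every node must be non-empty and match NODE_RE (so no '..', no
    leading or trailing period, no uppercase or whitespace)."""
    return all(NODE_RE.match(n) for n in nodes(uugid))


def group_prefix(uugid):
    """The group prefix: everything up to the last period. A single-node
    uugid such as 'alumni' has an empty group prefix."""
    return uugid.rpartition(".")[0]


def is_under_root(root, uugid):
    """True if uugid lies strictly below root in the dotted namespace.

    The comparison is node-wise, not a plain string prefix test: 'alumni'
    must not cover 'alumnix.virginia', which str.startswith would accept.
    """
    if not (is_valid_uugid(root) and is_valid_uugid(uugid)):
        return False
    r, c = nodes(root), nodes(uugid)
    return len(c) > len(r) and c[:len(r)] == r


def check_create(root, uugid):
    """Decision a delegated-creation endpoint could return: (allowed, reason)."""
    if not is_valid_uugid(uugid):
        return False, "uugid is not well formed"
    if not is_under_root(root, uugid):
        return False, "uugid is outside the delegated prefix %r" % root
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests modelled on the Alumni Association example above.
    for req in ["alumni.virginia", "alumni.virginia.northern.region",
                "alumnix.virginia", "virginia.alumni", "alumni", "alumni..va"]:
        print(req, check_create("alumni", req))
```

The root itself is rejected by check_create because that group already exists; the DAT's unrestricted creation path (described later on this page) is the one that would be used to create a root.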
Restrictions on uugid values:
Some web applications are available to users to view and manage groups. They include the Enterprise Directory Administration Tool (DAT) at https://webapps.middleware.vt.edu/dat and the Group Management System (GMS) at https://webapps.es.vt.edu/group-manager.
Permission to use the DAT is controlled by membership in Middleware groups maintained by IMS. The DAT is primarily intended for VT personnel who provide support across the University, such as IMS and 4Help employees. Since the DAT is maintained by Middleware, documentation on this site is fairly detailed.
Permission to use GMS is granted to a group's administrators and managers. GMS is targeted at VT personnel with these group roles. Since GMS is not maintained by Middleware, detailed documentation will not be included on this site. Navigate to the IMS Group Management site for details.
Functionality provided by the web applications:
From the main menu of the DAT, select 'Query a Group' to navigate to the 'Search for Groups' screen. Enter search criteria – using any combination of:
and start the search. A list of matching groups is displayed. Select the desired group from the list to navigate to the 'Group Information' screen containing a summary of most of the information about the group.
From the main menu of the DAT, select 'Create a Group' to navigate to the 'Create a Group' screen. Enter the requested information (uugid, administrator person, and contact person) and start the creation. Because the DAT is limited to support personnel, no restriction is imposed on the group prefix of the new uugid; this is what allows the DAT to create the initial group for a VT department, etc., something an ordinary group administrator cannot do.
Once the group is created, the 'Group Information' screen displays with the main menu updated to include the group functionality permitted for the current user. These DAT management functions on the main menu are used to update group properties, update group management, and update group membership.
Once a group has been selected, either through new group creation or a search, the 'Group Information' screen is displayed and the main menu includes options for updating the group. The list of options varies according to the permissions granted to the current DAT user.
From the main menu of the DAT, select 'Group Info Mgmt' to navigate to the 'Group Information Management' screen. Basic group information is displayed at the top of the screen for reference purposes, providing a way to ensure that the correct group is being updated.
Below the summary information, each group property that can be updated on this screen is displayed with its current value and a means to update it. For a user with full group permissions, the updateable values are:
For example, the part of the screen for the group display name shows the current value in an editable field. To change this property, enter the new display name in the field and submit the update. Once the update completes, the screen is refreshed; since the display name is included in the summary information, it is updated both in the summary and in the update part of the screen.
Middleware applications exist to automatically maintain the group data, including:
External applications programmatically access group information to meet the needs of the owning department, etc. Examples include:
Replication runs continuously to transfer updates made to the Registry data into target systems. For group data there is a single target system, the ED Ldap Directory. Each update to the Registry data is replicated immediately as part of that update.
To do: include schema information
Tasks run on a configurable schedule to enforce the expiration dates assigned to groups and their associated entities. The group itself has an expiration date. Each member and manager of the group can be assigned an expiration date. When an expiration date is within configured limits, warning notification emails are sent to the group contact(s) about the pending expiration. When the expiration date arrives, the associated entity is deleted and a deletion email is sent to the group contact(s).
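The expiration task described above, as an added example that is not part of this page or of Middleware's code: one scheduled pass over constructed group records in Python. The record layout, the uupid and contact values, the schedule settings, and the choice to record which expiration date a warning was last sent for (so a warning is not repeated on every run but is sent again if the date is later extended) are assumptions; e-mails are represented as returned (contact, text) tuples.

```python
"""One run of the expiration-enforcement task.

Added example, not Middleware code. Groups, members and managers carry an
optional expiration date; dates inside the warning window produce a warning
to the group contacts, dates that have arrived delete the entity and notify
the contacts. All record layouts and sample values are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Role:
    """A member or manager entry in a group (ASSUMED layout)."""
    kind: str                         # "member" or "manager"
    uupid: str
    expires: Optional[date] = None
    warned_for: Optional[date] = None  # expiration date a warning was last sent for


@dataclass
class Group:
    uugid: str
    contacts: List[str]
    expires: Optional[date] = None
    warned_for: Optional[date] = None
    members: List[Role] = field(default_factory=list)
    managers: List[Role] = field(default_factory=list)


def classify(expires, today, window):
    """'delete' when the date has arrived, 'warn' inside the window, else 'keep'."""
    if expires is None:
        return "keep"
    if expires <= today:
        return "delete"
    if expires - today <= window:
        return "warn"
    return "keep"


def run_expiration_pass(groups, today, window):
    """Apply one scheduled pass. Returns (surviving groups, notifications).

    Warnings are keyed on the expiration date they were sent for, so a run
    on the next day does not repeat them, while an extended date warns again.
    """
    survivors, mail = [], []
    for g in groups:
        v = classify(g.expires, today, window)
        if v == "delete":
            for c in g.contacts:
                mail.append((c, "group %s expired %s and was deleted" % (g.uugid, g.expires)))
            continue                       # members and managers go with the group
        if v == "warn" and g.warned_for != g.expires:
            g.warned_for = g.expires
            for c in g.contacts:
                mail.append((c, "group %s expires %s" % (g.uugid, g.expires)))
        for attr in ("members", "managers"):
            kept = []
            for r in getattr(g, attr):
                rv = classify(r.expires, today, window)
                if rv == "delete":
                    for c in g.contacts:
                        mail.append((c, "%s %s expired %s and was removed from %s"
                                     % (r.kind, r.uupid, r.expires, g.uugid)))
                    continue
                if rv == "warn" and r.warned_for != r.expires:
                    r.warned_for = r.expires
                    for c in g.contacts:
                        mail.append((c, "%s %s in %s expires %s"
                                     % (r.kind, r.uupid, g.uugid, r.expires)))
                kept.append(r)
            setattr(g, attr, kept)
        survivors.append(g)
    return survivors, mail


# Constructed sample data and schedule settings (not from the page).
DEMO_TODAY = date(2024, 3, 1)
DEMO_WINDOW = timedelta(days=14)


def sample_groups():
    return [
        Group("alumni.virginia", ["va-contact"], expires=date(2024, 3, 10),
              members=[Role("member", "alice", date(2024, 2, 28)),    # already past
                       Role("member", "bob"),                         # never expires
                       Role("member", "carol", date(2024, 3, 1))],    # arrives today
              managers=[Role("manager", "dave", date(2024, 3, 14))]),  # inside window
        Group("alumni.maryland", ["md-contact"], expires=date(2024, 1, 31)),
    ]


if __name__ == "__main__":
    live, notices = run_expiration_pass(sample_groups(), DEMO_TODAY, DEMO_WINDOW)
    for n in notices:
        print(n)
```

Running the pass twice on the same day produces no second batch of warnings, and a group whose own date has arrived is dropped without separately notifying about each of its members, which is the behaviour you want from a job that runs on a schedule against the Registry.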
Middleware provides the ED Ldap Directory to allow departments to retrieve VT identity information for authentication, authorization, application customization, etc. using LDAPv3. Group information is part of this information and is continuously kept in sync with the Registry data - see group data replication. Details on accessing the ED Ldap Directory are provided here.
Middleware provides a set of web services APIs for external applications to use for programmatic access to their group data, both for querying and updating. Refer to the query WSDL for searching functionality. Refer to the manage WSDL for management functionality.
Interacting with these web services requires the use of an ED service for client authentication. In addition, you must be specifically authorized to make web service calls.
Contact Daniel Fisher if you would like to use these web service interfaces.
See the Middleware Web Services page for detailed information on Web service architecture, calling conventions, and client usage guidelines.