ED Groups

The addition of groups to the Enterprise Directory provides a powerful tool for developers to leverage Registry data in their applications.
This document explains what groups are for and why you would want to use them.

In order to get started with groups you must be assigned a group prefix by IRM.
Once you have this initial group you can create additional groups as necessary and delegate management to any number of people or services.

The group manager web application is available to group administrators and managers at: https://webapps.es.vt.edu/group-manager/

Middleware provides a set of web service APIs for those who need to manage their groups programmatically.
Group searching functionality can be found at: http://ejb.middleware.iad.vt.edu/registryquery/GroupQuery?wsdl
Group management functionality can be found at: http://ejb.middleware.iad.vt.edu/registrymanage/GroupManager?wsdl

Interacting with these web services requires the use of an ED service for client authentication.
In addition, you must be specifically authorized to make web service calls.
Contact Daniel Fisher if you would like to make use of these web service interfaces.

See the Middleware Web Services page for detailed information on Web service architecture, calling conventions, and client usage guidelines.

A group is an arbitrary collection of zero or more people that exist in the Registry.
A group may also contain other groups, creating a hierarchy.
If your application needs to authorize or display certain information based on a custom group of people then a group may simplify your application.
What follows are the group attributes which are of particular importance.
The entire schema can be found here.

The unique identifier of a group is known as the uugid, which stands for universally unique group identifier.
This attribute contains the unique name of a group.
It must start with an alphanumeric, contain only alphanumerics, dots, underscores, and dashes, and end with an alphanumeric.
It must be between 3 and 128 characters long.
Nodes are the text in between dots in a uugid and must be between 1 and 16 characters long.
This is the attribute you will use to access your group in the directory.
A group with a uugid of 'middleware.staff' could be accessed at uugid=middleware.staff,ou=Groups,dc=vt,dc=edu

This attribute contains the contents of a group.
You can add any person that exists in the Registry to this attribute, as well as other groups.
Our implementation does not define what these relationships mean, that is up to whomever is using the group.
What does it mean for a group to be a member of another group? That is up to you.

This attribute contains all the groups that this group is a member of.
This provides a mechanism to traverse up to parent groups if necessary.

This attribute contains the DN of the people and/or services who are responsible for administrating the group.
Any person or service in this list is allowed to change any and all the data associated with this group, including deletion of the group.

This attribute contains the DN of the people and/or services who are responsible for managing the group.
Any person or service in this list is allowed to change the person members in the group.

This attribute contains the service DNs allowed to view the data in ED-ID.
If an administrator sets this attribute then only those services listed will be able to see the group data.
If this attribute is not set, then group membership data will be publically and anonymously available in ED-Auth.
(unless the suppressMembers attribute is set)

This attribute contains a boolean indicating whether the member and groupMembership attributes will be anonymously available in ED-Auth.
The default value for this attribute is true.

This attribute contains a boolean indicating whether demographic attributes will be anonymously available in ED-Lite.
The default value for this attribute is true.
The current list of demographic attributes includes:

• displayName
• emailAddress
• groupData
• labeledURI

This attribute contains the DN of the people responsible for this group.
These people will receive e-mail concerning this group, including notices concerning group expiration.

This attribute contains the date on which this group will be deleted from the Enterprise Directory.
When a group is created it's expiration date is set to one year from it's creation date and may be renewed at any time.
Several notification will be sent to the group contact prior to group deletion.

This attribute contains the groups a person is a member of.
This attribute is only viewable to an authenticated person, it is not available anonymously.
Typically you would inspect this attribute after authenticating the person.

There are 3 attributes which control who can see what about your group.

• The viewer attribute controls which ED Services can view your group in the ED-ID directory.
• The suppressMembers attribute determines whether your group membership is publicly available in the ou=Groups branch of ED-Auth.
• The suppressDisplay attribute determines whether your group demographic data is publicly available in the ou=Groups branch of ED-Lite.

By setting these attributes you can control what is exposed to various audiences in each of our directories.

We designed the groups system in an attempt to be all things to all people.
We don't know what a group means to you or how you plan to use it, so hopefully our system is simple enough and flexible enough to solve your problem.
We expect the most common use of a group is to perform authorization decisions or customize display options.