IAM in Service Catalog
Status: In limited deployment, still under review for wider deployment.
C&C is incrementally extending the UW Groups Service to support new modes of group definition, more groups, more campus organizations defining groups, and more uses for groups. The general direction is stated in the Groups Service Roadmap. A key design component is a naming plan for groups that supports the eventual campus-wide scope of the service. It is desirable to start naming groups using a plausible scheme, even while many other aspects of the system are not yet in place. This document specifies a group naming plan for the UW Groups Service, including syntax and top-level name components.
For design considerations related to this plan see Group Naming Design Considerations.
For open issues / questions / concerns see Groups Service Open Issues.
This plan specifies group names that are more or less in the style of UW NetIDs, email addresses, and web URLs. That is, they are relatively short; typically meaningful to humans but not full English words; and normally writable as ASCII strings without white space. Such identifiers are intended to fit in easily where these other identifiers typically are found. Note, however, that the names in this plan are not themselves UW NetIDs, email addresses, or URLs/URIs; there are mappings to/from those forms in some cases.
2. Namespaces, stems, and naming authorities
This plan takes the general approach of supporting hierarchical group name assignment with ownership and delegation, but permitting the tree to be as shallow or as deep as the institution desires, with a bias towards ease of assignment. In some important environments group names are in the same namespace as UW NetIDs. To accommodate this, group names must be considered to be part of the larger UW NetID namespace. See UW NetID Namespace for more information.
This naming plan does not preclude the implementation of additional naming plans, for example a plan with longer names with a larger character set.
It is a requirement that groups be able to be created (hence named) by potentially very large numbers of UW community members (over 100,000 or so). To avoid conflicts and the need for an approval process for each group, a hierarchical naming scheme is used, similar to other environments where large-scale naming is needed (e.g. DNS, file systems).
Using the terminology promoted in the Internet2 Grouper project, group namespaces are referred to as "stems" (avoiding various other overloaded terms). A stem is created for the purpose of creating and managing groups (and other stems) based on it, and to control access to these operations. The entity (or entities) responsible for managing a stem is a "naming authority" for that stem. A naming authority may delegate namespaces based on its stem to other naming authorities.
In many cases a group name is used in a context where it is understood to be a group name in the UW infrastructure space (e.g., the "require group foo" context in UW web access control). A short form is available for these contexts, as described in sections 3 and 4. For more general contexts, a URI form is also defined so that each group has a globally unique name.
3. Syntax
A group name is a sequence of name components, by convention written left-to-right from highest-level to lowest-level naming authority. Name components are written separated by a delimiter character.
Name components are limited to lowercase alphabetic [a-z], numeric [0-9], dash ("-"), and period (".") characters.
Delimiter: The delimiter between components is underscore ("_").
Maximum length: 128 octets, including delimiters.
4. UW top-level stems
C&C (acting as institutional group naming authority) controls the top-level stem space. Top-level stems can be created as needed, based on discussion with stakeholders and establishment of clear definition and requirements. Like any stem, a top-level stem must have a well-defined naming authority to manage it.
Syntax of names under each stem can be further constrained.
4.1 UW NetID stem
A top-level stem:
represents the UW NetID namespace. Under this stem is a stem for each UW NetID (including personal and shared types and mailing-list IDs, but not temp UW NetIDs or other reserved types). For example,
is a stem whose naming authority is the person holding the personal UW NetID "rlmorgan". Groups can be created under that stem as the owner of that UW NetID desires (potentially with various administrative limits on the number of groups, number of members, etc.).
The stem based on a shared UW NetID, e.g.:
u_cac
has as its naming authority the owners of that shared UW NetID, or their delegates. The capability to manage groups using that stem is handled consistently with management of access to other resources available to that shared UW NetID.
The syntax of group names under the UW NetID stem is not further constrained.
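As an added worked example (not part of the plan itself), here is a checker for the section 3 syntax that also derives the naming authority for names under the UW NetID stem. It assumes the top-level UW NetID stem is "u", as in the page's examples u_cac and u_rlmorgan_foo; the page does not state that stem name explicitly.

```python
import re
from typing import List, Optional

# Section 3 of the plan: components are lowercase letters, digits, dash and
# period; components are joined by underscore; the whole name is <= 128 octets.
COMPONENT_RE = re.compile(r"^[a-z0-9.-]+$")
DELIMITER = "_"
MAX_OCTETS = 128

# Assumption: the top-level UW NetID stem is "u" (inferred from the examples
# u_cac and u_rlmorgan_foo; not stated explicitly on the page).
NETID_STEM = "u"


def validate_group_name(name: str) -> List[str]:
    """Return the list of syntax violations; an empty list means the name is valid."""
    problems = []
    if len(name.encode("utf-8")) > MAX_OCTETS:
        problems.append(f"name exceeds {MAX_OCTETS} octets")
    # Splitting on the delimiter means an empty component ("u__foo") or an
    # uppercase or non-ASCII component is rejected by the regex below.
    for i, comp in enumerate(name.split(DELIMITER)):
        if not COMPONENT_RE.match(comp):
            problems.append(f"component {i} {comp!r} is not [a-z0-9.-]+")
    return problems


def naming_authority(name: str) -> Optional[str]:
    """For a valid name under the UW NetID stem, return the UW NetID whose holder
    (or, for a shared NetID, its owners) is the naming authority for the name.
    Returns None for invalid names, names outside the stem, or the bare stem."""
    if validate_group_name(name):
        return None
    components = name.split(DELIMITER)
    if len(components) < 2 or components[0] != NETID_STEM:
        return None
    # Compare whole components, never string prefixes: period is a legal
    # component character, so "u_rlmorgan.x_foo" belongs to NetID "rlmorgan.x",
    # and a naive name.startswith("u_rlmorgan") check would misattribute it.
    return components[1]


def may_manage(actor_netid: str, name: str) -> bool:
    """True when the given NetID is the naming authority for the group name.
    Delegates of a shared NetID (section 4.1) are not modelled here."""
    return naming_authority(name) == actor_netid
```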
4.2 UW Affiliation stem
is established to name groups with memberships based on UW affiliations. For example:
is the group whose members have the affiliation "student". The use of this stem may be extended to support other UW-wide group names for which the UW NetID stem is not appropriate.
The syntax of group names under the UW Affiliation stem is not further constrained.
4.3 Academic Course stem
is established to name groups with membership based on UW academic courses. For example:
The syntax of group names in the academic course stem is:
[ follow existing UWWI approach ... ]
4.4 Other possible top-level stems
If the UW NetID-based namespace proves inadequate or problematic, additional top-level stems could be created. For example:
which might indicate groups with an origin external to the UW.
5. Exceptions
There may be existing practice where centrally-managed groups are named with names that do not conform to the scheme defined in sections 3 and 4. There may also be cases where applications require group names that do not conform to this plan, but it is still appealing to manage such groups centrally. In these cases exceptions may be granted. Such group names must still conform to the base UW NetID syntax. Groups named with exceptional names should still benefit from participation in group management and use operations.
6. Representation of group names as URIs
For use in URI contexts a URI namespace is assigned in UW's URN namespace:
A group URI is formed by appending the local short-form group name to that namespace, e.g.:
is another name for the group with short name "u_rlmorgan_foo". It would be appealing if searches on such a URI string in popular search engines resulted in a management page describing the group.