IAM in Service Catalog
It is a requirement that groups be able to be created (hence named) by potentially very large numbers of UW community members (over 100,000 or so). To avoid conflicts, and to avoid the need for an approval process for each proposed group name, a hierarchical naming scheme is used. This is similar to other environments where large-scale distributed naming is needed (e.g. DNS, file systems).
Using the terminology promoted in the Internet2 Grouper project, specific group namespaces are referred to as "stems". A stem is created for the purpose of creating and managing groups (and other stems) based on it, and to control access to these operations. The entity (or entities) responsible for managing a stem is a "naming authority" for that stem. A naming authority may delegate control of namespaces based on its stem to other naming authorities.
Character set: Name components are limited to lowercase letters \[a-z\], digits \[0-9\], dash ("-"), and period (".").
Delimiter: The delimiter between components is underscore ("_").
Note that a particular name may be used both as the name of a group and as a stem on which other group names are based. For example, the name
might both be used as a group (i.e., have a member list and be used in group expression contexts) and as a stem for more group names, for example:
4. UW top-level stems
C&C (acting as institutional group naming authority) controls the top-level stem space. Top-level stems can be created as needed, based on discussion with stakeholders and establishment of clear definition and requirements. Like any stem, a top-level stem must have a well-defined naming authority to manage it.
represents the UW NetID namespace. Under this stem is a stem for each UW NetID, including personal and shared types, and mailing-list ids, but not temp UW NetIDs or other reserved types. For example,
is a stem whose naming authority is the person holding the personal UW NetID "rlmorgan". Examples of group names based on that stem are:
The stem based on a shared UW NetID, e.g.:
has as a naming authority the owners of that shared UW NetID, or their delegates. Capability to manage groups using that stem is handled consistently with management of access to other resources available to that shared UW NetID. For example, the shared UW NetID "cac" has the stem:
Examples of group names based on that stem are:
The syntax of group names under the UW NetID stem is not further constrained.
\[ UWWI has created a convention for this. This needs to be described algorithmically to work here. \]
There may be existing practice where centrally-managed groups are named with names that do not conform to the scheme defined in sections 3 and 4. There may also be cases where applications require group names that do not conform to this plan, but it is still appealing to manage such groups centrally. In these cases exceptions may be granted. Such group names must still conform to the base UW NetID syntax. Groups named with exceptional names should still benefit from participation in group management and use operations. Such names do not participate in the hierarchical naming scheme, however. For example:
might be exceptional group names. They could not be used as stems for other group names.
6. Representation of group names as URIs
A group URI is formed by appending the short-form group name to that namespace. For example, given the short-form group name:
the URI form is:
is another name for the group with short name "u_rlmorgan_foo".