Document status:  Public Draft


This page presents basic information about the UW Groups Service that will help you use it, whether you are accessing it with a web browser or via a programmable client using the service's REST interface.

The UW Groups service provides infrastructure for defining, maintaining, and using "groups", defined simply as named objects, each with a membership list and a standard set of attributes known collectively as "metadata". Members might consist of people, computers, or other kinds of principals, even other groups. Some groups are managed by individual people and teams to meet specific needs. Other groups are created and maintained by organizational or institutional processes, such as UW course enrollments, to serve more general needs. Reuse and delegated management authority are guiding principles. As such, the service is available to all UW employees, students, organizations, and their designated partners.

The UW Groups Service is provided for the use of the University of Washington community, including users and organizations of all kinds.  The service is a central location in which groups can be created and managed.  Groups information can be imported from other systems, and may be used in a wide variety of services and applications.

Group IDs and home groups

The Groups Service uses a structured space for group identifiers, known as UW Group IDs, permitting UW people and organizations to create and manage groups independently, much like a multi-user computer filesystem.  For each person or organization there is a home group on which new group IDs can be based.

For persons the home group is based on your personal UW NetID.  For example, if your personal UW NetID is "bob234", your home group is "u_bob234".  You can create groups based on this group ID, for example "u_bob234_friends".  Your home group is created the first time you sign on to the Groups Service, so you are all set to create and manage personal groups.

If your UW organization (school, department, etc.) has its own UW Domain Name System namespace under "" you can use that same name for group IDs.  For example, if an organization manages domain names under "", it can have a home group of "uw_org789".  To have a home group created for your organization using this space, send email to

Many UW organizations also use supplemental accounts (also known as shared UW NetIDs) to hold organizational resources such as web sites or email contacts.  These accounts can also be used as a basis for groups, and have their own home groups.  For example, a supplemental account "dept456" would have the home group "u_dept456".  To have a home group created for a supplemental UW NetID, send email to

UW Group IDs consist of lower-case letters (a-z), digits (0-9), dash ("-") and underscore ("_").  The underscore character is used to separate components of names, much like slash ("/") or backslash ("\") is used in filenames or URLs.

For a complete description of UW Group IDs, see the UW Group Naming Plan.


Groups may have members of several types:

UW NetID: Any type of UW NetID may be used

Federated ID: An ID from some non-UW source, in user@domain format

DNS name: Any DNS name, typically used for names in UW-issued X.509 certificates

UW Group ID: Any other UW Group ID

Direct members are those members that are listed in a group's entry.  Effective members include all direct members, plus members of any groups listed as members, recursively.

The Groups Service does not guarantee that member entries are valid; for example, it does not check to see whether an entered UW NetID really exists.

Some systems and applications using the Groups Service may be limited in the membership types they can handle.  For example, the use of federated IDs for access control wouldn't apply in an application that only accepts UW NetIDs for signon.
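The following added example (not code from the Groups Service or its REST interface) shows how a consuming application might expand direct members into effective members when groups can list each other, when an entry names a group that does not exist, and when the application accepts only some member types. The membership data, the type tags ("uwnetid", "federated", "dns", "group") and the function names are constructed for illustration.

```python
# Added example: constructed data, not the Groups Service API.
# Members are (type, id) pairs; the type tags are hypothetical names
# for the four member types listed on this page.
DIRECT = {
    "u_bob234_friends": [("uwnetid", "alice1"), ("group", "u_bob234_lab"),
                         ("federated", "carol@example.edu")],
    "u_bob234_lab": [("uwnetid", "dave22"), ("dns", "host1.example.org"),
                     ("group", "u_bob234_friends"),  # cycle back to the parent
                     ("group", "u_bob234_gone")],    # entry naming no existing group
}

def effective_members(group_id, direct=DIRECT):
    """Return (members, unresolved): every non-group member reachable from
    group_id, plus group entries that could not be expanded."""
    members, unresolved, seen = set(), set(), set()
    stack = [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen:        # cycle or diamond: expand each group only once
            continue
        seen.add(gid)
        if gid not in direct:  # member entries are not validated by the service
            unresolved.add(gid)
            continue
        for mtype, mid in direct[gid]:
            if mtype == "group":
                stack.append(mid)
            else:
                members.add((mtype, mid))
    return members, unresolved

def usable_by(members, accepted_types):
    """Split members into those an application can act on and the rest."""
    usable = {m for m in members if m[0] in accepted_types}
    return usable, members - usable
```

An application that makes access decisions from group membership should log the unresolved entries and the ignored member types so that gaps between the group's contents and the enforced access are visible.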

Access control

End-user access to the Groups Service is available to all those with personal UW NetIDs. Signon using supplemental (aka shared) UW NetIDs is not permitted. Programmatic access is available using any certificate issued by the UW Services CA.

The Groups Service provides controls to manage who can create, update, and delete group information. (Controls to manage who can view group information are planned for later releases.) Groups have these controls:




permits any operation on the group, including deletion, creation, and update


permits groups to be created with Group IDs based on this group's ID


permits adding and removing members of the group

Access control entries can have any of the types of identifiers that group memberships can have (UW NetID, UW Group ID, federated ID, cert/DNS name).

When a personal home group is created, the UW NetID on which it is based is given Admin control on the group.  When a home group based on a supplemental UW NetID or organization DNS name is created, an initial set of users is given Admin control, as requested by the organization.  In any case these controls can be modified after creation to give access as needed.

When a regular (i.e., non-home) group is created it inherits controls from the group on whose group ID it is based.

Changing access controls on a group affects only that group. It has no effect on controls in any other existing groups.
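The following added example (a model written for this page, not the service's own code) illustrates the two rules above: a new group copies its controls from its base group at creation time, so a later revocation on the base leaves the copy untouched. The control names "create" and "members", the rule that Admin on the base also allows creating groups under it, and the reading of "based on" as the longest existing underscore-separated prefix are assumptions; the principals are constructed.

```python
import re

GROUP_ID = re.compile(r"[a-z0-9_-]+")      # character set stated on this page
CONTROLS = ("admin", "create", "members")  # "create"/"members" are hypothetical names

class Groups:
    def __init__(self):
        self.acl = {}  # group ID -> {control name -> set of principals}

    def add_home(self, gid, admins):
        self.acl[gid] = {c: set() for c in CONTROLS}
        self.acl[gid]["admin"] = set(admins)

    def base_of(self, gid):
        """Longest existing ID that is an underscore-component prefix of gid
        (assumed reading of "based on")."""
        parts = gid.split("_")
        for n in range(len(parts) - 1, 0, -1):
            cand = "_".join(parts[:n])
            if cand in self.acl:
                return cand
        return None

    def create(self, gid, who):
        if not GROUP_ID.fullmatch(gid) or gid in self.acl:
            raise ValueError("invalid or already existing group ID: %r" % gid)
        base = self.base_of(gid)
        # Assumption: Admin on the base also allows creating groups under it.
        if base is None or who not in self.acl[base]["admin"] | self.acl[base]["create"]:
            raise PermissionError("%s may not create %s" % (who, gid))
        # Inheritance is a copy taken at creation time, not a live link.
        self.acl[gid] = {c: set(p) for c, p in self.acl[base].items()}

    def stale_grants(self, base, who):
        """Controls `who` holds on groups under `base` but no longer on `base`."""
        return sorted((gid, c) for gid, ctl in self.acl.items()
                      if gid.startswith(base + "_")
                      for c, p in ctl.items()
                      if who in p and who not in self.acl[base][c])

def demo():
    g = Groups()
    g.add_home("u_dept456", {"alice1", "bob234"})  # constructed principals
    g.create("u_dept456_staff", "alice1")
    g.acl["u_dept456"]["admin"].discard("bob234")  # revoke on the home group only
    return g.stale_grants("u_dept456", "bob234")
```

When removing someone's control from a home group, review every existing group based on it as well, since each one kept the controls it inherited when it was created.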
