Document status: Public Draft

This page presents basic information about the UW Groups Service that will help you use it via its web browser interface or its programmable REST interface.

Overview

The Groups service is a central location in which groups can be created, managed, and then reused in other services and applications. Groups can be created from various sources of group information and used in a wide variety of integrated services and applications, as illustrated in Figure 1.

Some groups are managed by individual people and teams for ad hoc purposes such as collaboration. Other groups are managed for more general purposes by UW organizations or by institutional processes such as UW course enrollments or UW employee appointments.

This diversity of group information sources and varied application uses is enabled by a delegated model of management authority: any member of the UW community can use the service to manage groups under their authority and delegate that authority to others as needed.

However, end-user access to the Groups service's web browser interface requires a personal UW NetID, so use via supplemental (aka shared) UW NetIDs is not permitted. Similarly, programmatic access to the REST interface requires client authentication using a certificate issued by the UW Services CA.

Group IDs and home groups

The Groups service uses a structured namespace for group identifiers, known as UW Group IDs, permitting UW people and organizations to create and manage groups independently. UW Group IDs consist of lower-case letters (a-z), digits (0-9), dash ("-") and underscore ("_"). The underscore character is used to separate components of group IDs, much like slash ("/") or backslash ("\") is used in URLs or filenames.

For each person or organization there is a home group on which new group IDs can be based.

For persons the home group is based on your personal UW NetID.  For example, if your personal UW NetID is "bob234", your home group is "u_bob234".  You can create and name other groups based on this group ID, for example "u_bob234_friends".  Your home group is created the first time you log in via the web browser interface, so you are able to create and manage groups in your personal namespace.

If your UW organization (school, department, etc.) has its own UW Domain Name System namespace under "washington.edu" you can use that same name for group IDs.  For example, if an organization manages domain names under "org789.washington.edu", it can have a home group of "uw_org789".

Many UW organizations also use supplemental accounts (also known as shared UW NetIDs) to hold organizational resources such as web sites or email contacts.  These accounts can also be used as a basis for groups, with their own home groups.  For example, a supplemental account "dept456" would have the home group "u_dept456".

To have a home group created for your organization based on a DNS subdomain or supplemental UW NetID, send email to help@u.washington.edu.

For a complete description of UW Group IDs, see the UW Group Naming Plan.

Group Memberships

In the Groups service, individual groups may include members using several types of identifiers:

| Type | Example | Comment |
| --- | --- | --- |
| UW NetID | bob234 | Any type of UW NetID may be used |
| Federated ID | bob456@example.edu | An ID from some non-UW source, in user@domain format |
| DNS name | sys789.org.washington.edu | Any DNS name, typically used for names in UW-issued X.509 certificates |
| UW Group ID | uw_org789_all_tmp | Any other UW Group ID |

The Groups service does not guarantee that member entries are valid; for example it does not check to see whether an entered UW NetID or member group really exists.

Some systems and applications using the service may be limited in the types of members they can handle.  For example, the use of federated IDs for access control wouldn't apply in an application that only accepts UW NetIDs for signon.

When viewing group memberships, direct members are those listed directly in a group's entry, while effective members include all direct members plus the members of any groups listed as members, recursively.

Access Controls

The Groups Service provides controls to manage who can create, update, and delete group information. All groups have these controls:

| Control | Purpose |
| --- | --- |
| Admin | permits any operation on the group, including deletion, creation, and update |
| Create | permits groups to be created with Group IDs based on this group's ID |
| Update | permits adding and removing members of the group |

Access control entries can have any of the types of identifiers that group memberships can have (UW NetID, UW Group ID, federated ID, cert/DNS name).

When a personal home group is created, the UW NetID on which it is based is given Admin control on the group.  When a home group based on a supplemental UW NetID or organization DNS name is created, an initial set of users is given Admin control, as requested by the organization.  These controls can be modified after creation to give access as needed.

Changing access controls on a group affects only that group. It has no effect on controls in any other existing groups.
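
The following Python sketch is an added example, not code from the Groups service or its documentation. It models direct versus effective membership and the Admin and Create controls described above on constructed data; the entry type labels, the rule that a new ID's base group is the ID minus its last underscore component, and the expansion of group-valued access control entries by effective membership are assumptions of the example.

```python
import re

GROUP_ID_RE = re.compile(r"[a-z0-9_-]+")  # character set given on the page

# Constructed sample data, not real UW groups. Type labels are this example's own.
MEMBERS = {
    "u_bob234": [("netid", "bob234")],
    "u_bob234_friends": [("netid", "alice12"), ("group", "uw_org789_staff")],
    "uw_org789_staff": [("netid", "carol9"), ("federated", "bob456@example.edu"),
                        ("group", "u_bob234_friends"),    # membership cycle
                        ("group", "uw_org789_retired")],  # entry with no group behind it
}
ACL = {"u_bob234": {"admin": [("netid", "bob234")],
                    "create": [("group", "u_bob234_friends")], "update": []}}

def effective_members(group_id):
    """Expand nested groups; return (non-group members, unresolved group IDs)."""
    principals, unresolved, seen, stack = set(), set(), set(), [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue  # already expanded, so cycles terminate
        seen.add(gid)
        if gid not in MEMBERS:
            unresolved.add(gid)  # the service does not check that member groups exist
            continue
        for kind, ident in MEMBERS[gid]:
            if kind == "group":
                stack.append(ident)
            else:
                principals.add(ident)
    return principals, unresolved

def holds(control, group_id, ident):
    """True if ident has `control` or Admin on group_id, directly or through a group."""
    acl = ACL.get(group_id, {})
    for kind, entry in acl.get(control, []) + acl.get("admin", []):
        if kind == "group" and ident in effective_members(entry)[0]:
            return True
        if kind != "group" and entry == ident:
            return True
    return False

def can_create(ident, new_id):
    """Assumption: the base group is new_id without its last underscore component."""
    if not GROUP_ID_RE.fullmatch(new_id) or "_" not in new_id:
        return False
    return holds("create", new_id.rsplit("_", 1)[0], ident)
```

In this data carol9 and bob456@example.edu can create groups under u_bob234 only because a group nested inside u_bob234_friends lists them, so an access review should expand group-valued entries to their effective members and flag unresolved ones before approving them.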
