Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 24 Next »


This page presents basic introductory information about the UW Groups Service to help you use its Groups Web Service User Interface or programmable Groups Web Service REST API.


The UW groups service is a central location in which groups can be created, managed, and then reused in other services and applications. Groups can be created from various sources of group information and used in a wide variety of integrated services and applications, as illustrated in Figure 1.

Some groups are managed by individual people and teams for ad hoc purposes such as collaboration and communication. Other groups are managed for more formal purposes by UW organizations or by institutional processes such as UW course enrollments or UW employee appointments.

This diversity of group information sources and varied application uses is enabled by a delegated model of management authority: any member of the UW community can use the service to manage groups under their authority and delegate that authority to others as needed.

You can access the web browser interface using your personal UW NetID; access using shared UW NetIDs (also known as supplemental accounts) is not supported.  Programmatic access to the REST API requires client authentication using a certificate issued by the UW Services CA.

UW Group IDs

The UW groups service uses a structured namespace for group identifiers, known as UW Group IDs, permitting UW people and organizations to create and manage groups independently.  Each group has a unique UW Group ID.  Systems and applications using UW Groups typically refer to groups using UW Group IDs.

UW Group IDs consist of lower-case letters (a-z), digits (0-9), dash ("-") and underscore ("_"). The underscore character is used to separate components of group IDs, much like slash ("/") or backslash ("\") is used in URLs or filenames.

If you want to create new group, you can do so if you have appropriate permission (see Access Controls below) on an existing group.  You can see what groups you administer using the "My groups" tab.  For example, if you have Admin or Create access to the "uw_pavesci_admin" group, you could create a group called "uw_pavesci_admin_fulltime".  You should choose a UW Group ID appropriate for the expected use of the group, bearing in mind that the group may be used by many people for a long time.

If you need to create a new namespace for UW Group IDs in the UW groups service for your organization, refer to the Home Groups page to learn more.

Group Memberships

In the UW groups service, individual groups may include members using several types of identifiers:

Identifier Type





Any type of UW NetID may be used as a group member

Federated ID

An ID from some non-UW identity service provider, in user@domain format

DNS name

Any DNS name, typically used for names in UW-issued X.509 certificates

UW Group ID


Any other UW Group ID

The groups service does not guarantee that member entries are valid; for example it does not check that all types of members entered really exist.

Some systems and applications using the service may be limited in the types of members they can handle.  For example, the use of federated IDs for access control wouldn't apply in an application that only accepts logins by UW NetID.

When viewing group memberships, "direct" members are those members that are listed in a group's membership, directly; while "effective" members include all direct members, plus members of any groups listed as members, recursively.

Administrators, subgroup creators, and member managers are not automatically added as group members.

Access Controls

The UW groups service provides controls to manage who can create, update, and delete group information. All groups have these controls:


Role Name




Permits all operations on the group, including update, delete, create subgroup, manage members, and view members


Subgroup creator

Permits new subgroup creation; i.e. new UW Group IDs using this group's ID as the prefix


Member manager

Permits adding and removing members of the group

Member View

Membership viewer

Permits restricting who can view a group's membership, including no restrictions

Access control entries can have any of the types of identifiers that group memberships can have (UW NetID, UW Group ID, federated ID, DNS name).

An organizational home group has an initial set of users with Admin control, as requested by the organization.  You have Admin access to your personal home group when it is created.  These controls can be modified at any time so you can control access as needed.

Changing access controls on a group affects only that group. It has no effect on controls in any other existing groups.

Further Reading

Now that you're familiar with the basics of the group service, you may want to browse the Groups Web Service UI using your personal UW NetID.

For further reading on some of topics mentioned above refer to these pages:

Home Groups
UW Group Naming Plan
Synchronization with UW Windows Infrastructure
Groups Service Architecture Diagram
Institutional Groups For Organizations

  • No labels