IAM in Service Catalog
Status: In limited deployment, still under review for wider deployment.
C&C is incrementally extending the UW Groups Service to support new modes of group definition, more groups, and more campus organizations defining groups. The general direction is stated in the Groups Service Roadmap.
One key design component is a naming plan for groups that supports the eventual campus-wide scope of the service. It is desirable to start naming groups using a plausible scheme, even while many other aspects of the system are not yet in place. This document specifies a group naming plan for the UW Groups Service.
For design considerations in support of this plan see Group Naming Design Considerations.
For open issues / questions / concerns see Groups Service Open Issues.
1 Namespaces, stems
This plan takes the general approach of supporting hierarchical group name assignment with ownership and delegation, but permitting the tree to be as shallow or as deep as the institution desires, with a bias towards ease of assignment.
Using the terminology promoted in the Internet2 Grouper project, group namespaces are referred to as "stems" (avoiding various other overloaded terms). A stem is created for the purpose of creating and managing groups (and other stems) based on it, and to control access to these operations.
In many cases a group name is used in a context where it is understood to be a group name in the UW infrastructure space (e.g., the "require group foo" context in UW web access control), so a short form is available for these contexts. For more general contexts, a URI form is also defined so that each group has a globally unique name.
A group name is a sequence of name components, by convention written left-to-right from highest-level to lowest-level naming authority.
Character set: Name components are limited to alphanumeric characters plus a few punctuation characters: "-" and "_". (Probably should look at various charset specs such as URLs for guidance.)
Case: Names can potentially be mixed-case but by convention are normally lower-case only. Matching is bit-for-bit, i.e. case-sensitive.
Delimiter: The standard delimiter between components is colon, ":".
3 UW top-level stems
C&C (acting as institutional group naming authority) controls the top-level stem space. Top-level stems can be created as needed, based on discussion with stakeholders and establishment of clear definition and requirements. Like any stem, a top-level stem must have a well-defined naming authority to manage it.
Syntax of names under each stem can be further profiled.
4 UW NetID stem
A top-level stem:
represents the UW NetID namespace. Under this stem is a stem for each UW NetID (including personal and shared types, and mailing-list ids, but not temp or other reserved types). For example,
is a stem manageable by the person owning the personal UW NetID rlmorgan. Groups can be created under that stem as the owner of that UW NetID desires (potentially with various administrative limits on number of groups, number of members, etc.).
The stem based on a shared UW NetID, e.g.:
is manageable by the owners of that shared UW NetID, or their delegates. Capability to manage groups using that stem is handled consistently with management of access to other resources available to that shared UW NetID.
4.1 Syntax of group namespace under u:
No further profile.
5 Other top-level stems
Course groups are not currently named in a global fashion, since their only venue of use, mod_uwa, distinguishes course objects from group objects. This plan proposes that course groups be named consistently with other groups, hence a top-level stem:
A top-level stem representing affiliations (e.g., faculty, staff, student) may also be useful.
If the UWNetID-based namespace proves inadequate or problematic, additional top-level stems could be created. For example:
which might indicate groups with an origin external to the UW.
For use in URI contexts, a URI namespace is allocated:
A group URI is formed by appending the local group name to that namespace, e.g.:
would be another name for the u:rlmorgan:foo group. It would be appealing if searches on such a URI string in popular search engines resulted in a management page describing the group.
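As an added example (not code from the Groups Service or from this plan), the following Python module applies the name syntax rules from section 1 (colon delimiter, restricted character set, bit-for-bit matching) to short-form names, derives the chain of stems and the UW NetID naming authority described in section 4, and converts between the short form and the URI form described above. The "u" stem and the name u:rlmorgan:foo are taken from this page; the URI namespace is a constructed placeholder, because the allocated namespace is not reproduced here.

```python
import re
from typing import List, Optional, Tuple

DELIM = ":"                      # standard delimiter between name components
NETID_STEM = "u"                 # top-level stem for the UW NetID namespace ("u:")
# Components are alphanumeric plus "-" and "_" (the character set stated in this plan).
COMPONENT_RE = re.compile(r"[A-Za-z0-9_-]+")

# ASSUMPTION: the allocated URI namespace is not reproduced on this page, so this
# is a constructed placeholder, not the real namespace.
URI_NAMESPACE = "https://groups.example.invalid/name/"


class GroupNameError(ValueError):
    """Raised for a name that does not conform to the naming plan."""


def parse_group_name(name: str) -> Tuple[str, ...]:
    """Split a short-form name into components, highest naming authority first.

    Every component must be non-empty and drawn from the allowed character set.
    No case folding is done: matching is bit-for-bit, so "U:Foo" and "u:foo"
    are different names.
    """
    if not name:
        raise GroupNameError("empty group name")
    parts = tuple(name.split(DELIM))
    for part in parts:
        if not part:
            raise GroupNameError(f"empty component in {name!r}")
        if not COMPONENT_RE.fullmatch(part):
            raise GroupNameError(f"disallowed character in component {part!r}")
    return parts


def ancestor_stems(name: str) -> List[str]:
    """Return the stems a name is created under, top-level first.

    For "u:rlmorgan:foo" this is ["u", "u:rlmorgan"]; each stem is a point at
    which a naming authority can delegate or restrict group creation.
    """
    parts = parse_group_name(name)
    return [DELIM.join(parts[:i]) for i in range(1, len(parts))]


def netid_naming_authority(name: str) -> Optional[str]:
    """If the name is a group under the UW NetID stem, return the UW NetID whose
    owner manages it ("u:rlmorgan:foo" -> "rlmorgan"); otherwise None.

    A bare "u" or "u:<netid>" is a stem rather than a group, so it yields None.
    """
    parts = parse_group_name(name)
    if parts[0] == NETID_STEM and len(parts) >= 3:
        return parts[1]
    return None


def group_uri(name: str) -> str:
    """Form the globally unique URI by appending the validated local name."""
    parse_group_name(name)          # validate before embedding the name in a URI
    return URI_NAMESPACE + name


def group_name_from_uri(uri: str) -> str:
    """Recover the short-form name from a URI in the allocated namespace."""
    if not uri.startswith(URI_NAMESPACE):
        raise GroupNameError(f"URI is outside the group namespace: {uri!r}")
    local = uri[len(URI_NAMESPACE):]
    parse_group_name(local)
    return local


if __name__ == "__main__":
    # Constructed sample names: one valid, one differing only in case, two malformed.
    for candidate in ["u:rlmorgan:foo", "U:RLMorgan:foo", "u::foo", "u:rl morgan:foo"]:
        try:
            print(candidate, "->", parse_group_name(candidate), ancestor_stems(candidate))
        except GroupNameError as err:
            print(candidate, "-> rejected:", err)
```

The point of validating before use is that a name reaches access-control rules such as "require group foo" and gets embedded in URIs; rejecting empty components and out-of-set characters up front keeps a malformed name from matching or denying unexpectedly, and comparing bytes exactly (no case folding anywhere in the path) is what makes the bit-for-bit matching rule hold end to end.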