
Element Name

uhReleasedGrouping

Description

This has all the released groupings that a person belongs to.  Each such grouping represents an application or function for which all of the grouping's members have been authorized.


Tip

UH Groupings owners may select this attribute as an optional "synchronization destination" in order to make membership information available to CAS-enabled applications. 

UH Groupings can be used as a central authorization management resource, and this attribute makes it even easier. You typically create a grouping to contain people authorized to do something in your application, then release that grouping by choosing uhReleasedGrouping as a sync destination. Your application can then check whether the grouping is in this attribute when it is returned by CAS/LDAP. This makes authorization implementation extremely simple. There is no need to write or maintain your own authorization code or to host your own authorization data.


Warning

While membership updates to a UH Grouping are usually reflected in this attribute within 2 minutes, it could take much longer under heavy load.


As an added convenience, ITS provides various uhReleasedGrouping values available for general use (this page is restricted to the UH community).

UH Data Classification

Restricted per Executive Policy 2.214

LDAP Attribute Info

  • Name: uhReleasedGrouping
  • OID: 1.3.6.1.4.1.2160.1.1.1.66
  • Indexing: yes (equality,substring)
  • Required: no
  • Multivalued: yes(1)

Required Format for Storage

string(256), format: {a..z}{A..Z}{0..9}{:-._+=}

Example Stored Data(2)

manoa-campus-arboretum-club-members (typical grouping)

obf:ffa3423857510105ea8927332792387392892349324bdf892ada (obfuscated grouping, owner chose to hide the name of the grouping)

hawaii.edu:store:uhims:general:mfa-enabled (curated groupings show up as a full path, see uhReleasedGrouping Values Available for General Use)

Systems of Record 

Notes

  1. There is no significance to the order of appearance. No assumptions can be made about the contents of the first row, for example.
  2. The full path of the grouping won't be used.  Only the group id, the last component of the colon-separated path will be used.  The namespace is controlled to avoid collisions even if the full path is not used here.
  3. Information on the UH Groupings service is available: UH Groupings.
  4. Information on the CAS service is available: UH Web Login Service.
  5. This attribute may indicate that a person is a student, which is FERPA-protected information, hence the "Restricted" data classification.
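
The check described in the Tip above, as an added example that is not part of the original page and is not ITS code. It assumes the application receives released attributes as a dict from its CAS client or LDAP library; the function names, the dict shape, and the exact case-sensitive comparison are assumptions.

```python
import re

ATTR = "uhReleasedGrouping"
# Storage format from this page: string(256), characters a-z A-Z 0-9 : - . _ + =
VALID = re.compile(r"[A-Za-z0-9:\-._+=]{1,256}")


def released_groupings(attributes):
    """Return the set of well-formed uhReleasedGrouping values for one user.

    `attributes` is the (assumed) dict of released attributes for the user.
    """
    raw = attributes.get(ATTR)
    if raw is None:
        return frozenset()  # attribute is not required: no values, no access
    if isinstance(raw, (str, bytes)):
        raw = [raw]  # a client may hand back a lone value as a scalar
    values = set()
    for v in raw:
        if isinstance(v, bytes):
            v = v.decode("ascii", errors="replace")
        if isinstance(v, str) and VALID.fullmatch(v):
            values.add(v)  # drop anything outside the documented format
    return frozenset(values)


def is_authorized(attributes, required_grouping):
    """Fail-closed check: whole-value match, order of values ignored (Note 1)."""
    if not VALID.fullmatch(required_grouping):
        raise ValueError("required grouping is not a valid uhReleasedGrouping value")
    # Set membership, never substring search: `"club" in "…-club-members"`
    # is True for a bare string and would grant access by accident.
    return required_grouping in released_groupings(attributes)


# Constructed sample built from the example values shown on this page.
SAMPLE = {
    "uid": "jdoe",  # constructed user id
    ATTR: [
        "hawaii.edu:store:uhims:general:mfa-enabled",
        "obf:ffa3423857510105ea8927332792387392892349324bdf892ada",
        "manoa-campus-arboretum-club-members",
    ],
}
```

The result reflects the attribute as it was released when it was returned; per the Warning above, a membership change may not appear there for 2 minutes or longer.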