Element Name

uhReleasedGrouping

Description

This has all the released groupings that a person belongs to.  Each such grouping represents an application or function for which all of the grouping's members have been authorized.


Tips
  • UH Groupings owners may select this attribute as an optional "synchronization destination" in order to make membership information available to CAS-enabled applications.
  • As an added convenience, ITS also populates this attribute with many general-purpose values (this page is restricted to the UH community).


UH Groupings can be used as a central authorization management resource, and this attribute makes it even easier.  You typically create a grouping to contain people authorized to do something in your application, then release that grouping by choosing uhReleasedGrouping as a sync destination. Your application can then check whether the grouping is in this attribute when it is returned by CAS/LDAP. 

This makes authorization implementation extremely simple.  There is no need to write or maintain your own authorization code or to host your own authorization data.


Warning

While membership updates to a UH Grouping are usually reflected in this attribute within 2 minutes, it could take much longer under heavy load.


UH Data Classification

Restricted per Executive Policy 2.214

LDAP Attribute Info

  • Name: uhReleasedGrouping
  • OID: 1.3.6.1.4.1.2160.1.1.1.66
  • Indexing: yes (equality,substring)
  • Required: no
  • Multivalued: yes(1)

Required Format for Storage

string(256), format: {a..z}{A..Z}{0..9}{:-._+=*}

Example Stored Data(2)

There are three types of data that can go into uhReleasedGrouping:

Type of values in uhReleasedGrouping, with an example of each:

  • Your own grouping (typical): Usually a hyphenated name.
    Example: manoa-campus-arboretum-club

  • Your own grouping (obfuscated): Owners can choose to hide the name of their groupings by obfuscating them in this attribute. The value always begins with obf: and is 133 characters long.
    Example: obf:ffa3423857510105ea8927332792387392892349324bdf892a...

  • Curated grouping: ITS curates a collection of groups to be included in this attribute.  These values are usually a colon-delimited path to a group in the UH Group Store. Note that the full path to the group often provides important information here. For example, hawaii.edu:store:hris:aff:uhsystem:staff.apt tells us that these are all the APT Staff at a system-level office according to the PeopleSoft HR system.
    Example: hawaii.edu:store:uhims:general:mfa-enabled

Note that there is no namespace collision between the three types of values.   Obfuscated groupings always begin with obf: and curated groupings will always begin with hawaii.edu:store.  Regular groupings are guaranteed to never have a colon, so there is no collision.
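The following Python is an added example, not part of the original page or of any UH code. It classifies a value using the prefix, length and character-set rules stated above, and performs the authorization check as an exact whole-value match. It assumes the attribute values have already been extracted from the CAS/LDAP response, and it compares case-sensitively (an assumption; the page does not state a matching rule). The function names, the "-alumni" grouping name and the obf: value are constructed for illustration.

```python
import re

# Character set and 256-character limit from "Required Format for Storage".
_ALLOWED = re.compile(r"[A-Za-z0-9:\-._+=*]{1,256}")
OBF_PREFIX, OBF_LENGTH = "obf:", 133     # prefix and total length per this page
CURATED_PREFIX = "hawaii.edu:store"


def classify(value):
    """Return 'obfuscated', 'curated' or 'regular'; None if the value is malformed."""
    if not isinstance(value, str) or not _ALLOWED.fullmatch(value):
        return None
    if value.startswith(OBF_PREFIX):
        return "obfuscated" if len(value) == OBF_LENGTH else None
    if value.startswith(CURATED_PREFIX):
        return "curated"
    # Regular groupings never contain a colon, so anything else with one is invalid.
    return None if ":" in value else "regular"


def is_authorized(released, required):
    """True only when `required` is present as one whole attribute value."""
    if classify(required) is None:
        raise ValueError("required grouping is not a well-formed value")
    if released is None:
        return False                      # attribute not released: deny
    if isinstance(released, str):
        released = [released]             # single value; avoid substring `in` on a str
    # Set membership: exact match, order of values irrelevant (see note 1).
    return required in {v for v in released if classify(v) is not None}


# Constructed sample of what an application might receive for one person.
SAMPLE = [
    "hawaii.edu:store:uhims:general:mfa-enabled",
    "manoa-campus-arboretum-club-alumni",  # constructed name, not a real grouping
    "obf:" + "0" * 129,                    # constructed 133-character value
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(classify(v), v[:40])
    # The "-alumni" value must not satisfy a check for the shorter name.
    print(is_authorized(SAMPLE, "manoa-campus-arboretum-club"))
```

A substring or prefix comparison would wrongly accept the "-alumni" value for manoa-campus-arboretum-club; the set lookup does not.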


Systems of Record

N/A because the data comes from UH Groupings.  A grouping could be entirely ad hoc, meaning there was no system of record involved, or a grouping's basis could be built using the UH Group Store, which has groups from all systems of record.

Notes

  1. There is no significance to the order of appearance. No assumptions can be made about the contents of the first row, for example.
  2. The full path of the grouping won't be used.  Only the group id, the last component of the colon-separated path, will be used.  The namespace is controlled to avoid collisions even if the full path is not used here.
  3. Information on the UH Groupings service is available: UH Groupings.
  4. Information on the CAS service is available: UH Login.
  5. This attribute may indicate that a person is a student, which is FERPA-protected information, hence the "Restricted" data classification.
