
Element Name

uhReleasedGrouping

Description

Allow application developers to implement authorization with UH Groupings, outside of their applications. This reduces the amount of custom code to write and support and provides for the reuse of Groupings across multiple applications.

This attribute has all the released groupings that a person belongs to. Each such grouping represents an application or function for which all of the grouping's members have been authorized.

UH Grouping memberships can be used to assert who is authorized to access an application and/or to control which functions and information an individual may access while using an application. Grouping owners may select this attribute as an optional "publication destination" in order to make membership information available to CAS-enabled applications.

UH Groupings can be used as a central authorization management resource, and this attribute makes it even easier. You typically create a grouping to contain the people authorized to do something in your application, then release that grouping by choosing uhReleasedGrouping as a sync destination. Your application can then check whether its grouping is among the values of this attribute when it is returned by CAS/LDAP.

This makes authorization implementation extremely simple. There is no need to write or maintain your own authorization code or to host your own authorization data.

As an added convenience, ITS also populates this attribute with many general-purpose values (the page listing them is restricted to the UH community).

Tip: Helpful tips
  • Your application is expected to use CAS for authentication and authorization.
  • Your application should check for the uhReleasedGrouping value(s) that signify authorization (typically, the name of your grouping) during the CAS validation step.
  • Compare against complete attribute values, never by substring or prefix. The attribute is multivalued and a short name such as arboretum-club is also a substring of manoa-campus-arboretum-club, so only an exact match of the whole value should count as authorization.
  • If you don't expect to make exceptions to an automatically defined population (e.g. faculty at Manoa), you may not need to create your own grouping. You may be able to use a curated grouping.
  • Creating your own grouping does not mean that you aren't allowed to also use a curated grouping. For example, a person may have been authorized because she is a member of your grouping, but you also want to perform an additional check against a curated grouping to see that she is enabled for MFA.

Warning

While membership updates to a UH Grouping are usually reflected in this attribute within 2 minutes, it could take much longer when Grouper is under heavy load. Plan for this lag in both directions: a person removed from a grouping remains authorized until the change has propagated to this attribute and the application next validates with CAS.


UH Data Classification

Restricted: Data is only for official use within the UH community and not for release to external parties, except under the terms of a written memorandum of agreement or contract, per Executive Policy 2.214.

LDAP Attribute Info

  • Name: uhReleasedGrouping
  • OID: 1.3.6.1.4.1.2160.1.1.1.66
  • Indexing: yes (equality, substring)
  • Required: no
  • Multivalued: yes (see note 1)

Required Format for Storage

string (256), format: {a..z}{A..Z}{0..9}{-._+=} (the obfuscated and curated values shown below also contain the colon, which is not in this list)

Example Stored Data (see note 2)

manoa-campus-arboretum-club
uh-employees-systemwide
obf:ffa3423857510105ea8927332792387392892349324bdf892a
hawaii.edu:store:uhims:general:mfa-enabled


There are three types of values that can go into uhReleasedGrouping:

Your own grouping (typical)
  Usually a hyphenated name.
  Example: manoa-campus-arboretum-club

Your own grouping (obfuscated)
  Owners can choose to hide the name of their groupings by obfuscating them in this attribute. The value always begins with obf: and is 133 characters long.
  Example: obf:ffa3423857510105ea8927332792387392892349324bdf892a...

Curated grouping
  ITS curates a collection of groups to be included in this attribute. These values are usually a colon-delimited path to a group in the UH Group Store. Note that the full path to the group often provides important information here. For example, hawaii.edu:store:hris:aff:uhsystem:staff.apt tells us that these are all the APT Staff at a system-level office according to the PeopleSoft HR system.
  Example: hawaii.edu:store:uhims:general:mfa-enabled

Note that there is no namespace collision between the three types of values. Obfuscated groupings always begin with obf:, curated groupings always begin with hawaii.edu:store, and regular groupings are guaranteed never to contain a colon, so there is no collision.
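To show how an application consumes these values, here is an added example (not code from the UH Groupings or CAS documentation). It parses a constructed CAS protocol 3 serviceValidate response, classifies each uhReleasedGrouping value by the three non-colliding prefixes above, and performs the check recommended in the tips: exact, whole-value membership in your own grouping, optionally combined with a curated grouping such as the MFA one. The sample responses, the netid jdoe, and the element name cas:uhReleasedGrouping are assumptions for illustration.

```python
"""Consume uhReleasedGrouping values from a CAS serviceValidate response.

Added example; the sample responses below are constructed, not captured from UH CAS.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
ATTRIBUTE = "uhReleasedGrouping"

# Constructed sample of a successful CAS protocol 3 response. The netid and the
# attribute element name are assumptions for illustration.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uhReleasedGrouping>hawaii.edu:store:uhims:general:mfa-enabled</cas:uhReleasedGrouping>
      <cas:uhReleasedGrouping>manoa-campus-arboretum-club</cas:uhReleasedGrouping>
      <cas:uhReleasedGrouping>obf:ffa3423857510105ea8927332792387392892349324bdf892a</cas:uhReleasedGrouping>
      <cas:uhReleasedGrouping>uh-employees-systemwide</cas:uhReleasedGrouping>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
"""

# Constructed failure response: no attributes may be trusted from it.
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>
"""


def released_groupings(cas_xml: str) -> tuple[str, frozenset[str]]:
    """Return (netid, set of uhReleasedGrouping values) from a successful
    validation, or raise if CAS did not report authenticationSuccess.

    A set is used because the order of values carries no meaning (note 1).
    """
    root = ET.fromstring(cas_xml)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise PermissionError("CAS validation failed; no attributes to trust")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise PermissionError("CAS response has no cas:user")
    values = {
        el.text.strip()
        for el in success.findall(f"cas:attributes/cas:{ATTRIBUTE}", CAS_NS)
        if el.text and el.text.strip()
    }
    return user, frozenset(values)


def value_type(value: str) -> str:
    """Classify a value by the non-colliding prefixes described in the table."""
    if value.startswith("obf:"):
        return "obfuscated"
    if value.startswith("hawaii.edu:store:"):
        return "curated"
    if ":" in value:
        # Regular groupings never contain a colon; anything else is malformed.
        raise ValueError(f"unexpected value in {ATTRIBUTE}: {value!r}")
    return "own"


def is_authorized(groupings, required: str, also_required=()) -> bool:
    """Whole-value membership test for every required grouping.

    Substring or prefix tests would let 'arboretum-club' satisfy a check for
    'manoa-campus-arboretum-club', so only an exact match of the complete
    value counts.
    """
    needed = {required, *also_required}
    return needed.issubset(groupings)


if __name__ == "__main__":
    netid, groupings = released_groupings(SAMPLE_RESPONSE)
    for g in sorted(groupings):
        print(f"{value_type(g):<10} {g}")
    print(netid, "may use app:", is_authorized(groupings, "manoa-campus-arboretum-club"))
    print(netid, "may use app with MFA:", is_authorized(
        groupings, "manoa-campus-arboretum-club",
        ["hawaii.edu:store:uhims:general:mfa-enabled"]))
```

The check runs against the ticket-validation response itself rather than a stored copy, so a person removed from the grouping loses access at their next validation once the attribute has been updated.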


Systems of Record

N/A because the data comes from UH Groupings. A grouping could be entirely ad hoc, meaning there was no system of record involved, or a grouping's basis could be built using the UH Group Store, which has groups from all systems of record.

Notes

  1. There is no significance to the order of appearance. No assumptions can be made about the contents of the first row, for example.
  2. Except for curated groupings, the full path of a grouping won't be used. Only the group id, the last component of the colon-separated path, will be used. The grouping namespace is controlled to avoid collisions even if the full path is not used here.
  3. Information on the UH Groupings service is available: UH Groupings.
  4. Information on the CAS service is available: UH Web Login Service.
  5. This attribute may indicate that a person is a student, which is FERPA-protected information, hence the "Restricted" data classification.