Element Name | uhReleasedGrouping |
Description | This has all the released groupings that a person belongs to. Each such grouping represents an application or function for which all of the grouping's members have been authorized. |
Tip |
Grouping owners may select this attribute as an optional "synchronization destination" in order to make membership information available to CAS-enabled applications. UH Groupings can be used as a central authorization management resource, and this attribute makes it even easier. |
You typically create a grouping to contain people authorized to do something in your application, then release that grouping by choosing uhReleasedGrouping as a sync destination. |
Your application can then check whether the grouping is in this attribute when it is returned by CAS/LDAP. |
This makes authorization implementation extremely simple. There is no need to write or maintain your own authorization code or to host your own authorization data. |
Tip |
---|
| - Your application is expected to use CAS for authentication and authorization.
- Your application should check for uhReleasedGrouping value(s) that signify authorization (typically, the name of your grouping) during the CAS validation step.
- If you don't expect to make exceptions to an automatically defined population (e.g. faculty at Manoa), you may not need to create your own grouping. You may be able to use a curated grouping.
- Creating your own grouping does not mean that you aren't allowed to also use a curated grouping. For example, a person may have been authorized because she is a member of your grouping, but you also want to perform an additional check against a curated grouping to see that she is enabled for MFA.
|
Warning |
---|
While membership updates to a UH Grouping are usually reflected in this attribute within 2 minutes, it could take much longer under heavy load. |
|
As an added convenience, ITS provides various uhReleasedGrouping values available for general use (this page is restricted to the UH community).
|
UH Data Classification | Restricted per Executive Policy 2.214 |
LDAP Attribute Info | - Name: uhReleasedGrouping
- OID: 1.3.6.1.4.1.2160.1.1.1.66
- Indexing: yes (equality,substring)
- Required: no
- Multivalued: yes(1)
|
Required Format for Storage | string (256), format: {a..z}{A..Z}{0..9}{:-._+=} |
Example Stored Data(2) | manoa-campus-arboretum-club uh-employees-systemwide obf:ffa3423857510105ea8927332792387392892349324bdf892a hawaii.edu:store:uhims:general:mfa-enabled |
There are three types of values that can go into uhReleasedGrouping:
Type of value in uhReleasedGrouping | Example |
---|
Your own grouping (typical): Usually a hyphenated name. | manoa-campus-arboretum-club |
Your own grouping (obfuscated): Owners can choose to hide the name of their groupings by obfuscating them in this attribute. The value always begins with obf: and is 133 characters long. | obf:ffa3423857510105ea8927332792387392892349324bdf892a... |
Curated grouping: ITS curates a collection of groups to be included in this attribute. These values are usually a colon-delimited path to a group in the UH Group Store. Note that the full path to the group often provides important information here. For example, hawaii.edu:store:hris:aff:uhsystem:staff.apt tells us that these are all the APT Staff at a system-level office according to the PeopleSoft HR system. | hawaii.edu:store:uhims:general:mfa-enabled |
Note that there is no namespace collision between the three types of values. Obfuscated groupings always begin with obf: and curated groupings will always begin with hawaii.edu:store. Regular groupings are guaranteed to never have a colon, so there is no collision.
|
Systems of Record | N/A because the data comes from UH Groupings. A grouping could be entirely ad hoc, meaning there was no system of record involved, or a grouping's basis could be built using the UH Group Store, which has groups from all systems of record. |
Notes | - There is no significance to the order of appearance. No assumptions can be made about the contents of the first row, for example.
- Except for curated groupings, the full path of a grouping won't be used. Only the group id, the last component of the colon-separated path, will be used. The grouping namespace is controlled to avoid collisions even if the full path is not used here.
- Information on the UH Groupings service is available: UH Groupings.
- Information on the CAS service is available: UH Web Service.
- This attribute may indicate that a person is a student, which is FERPA-protected information, hence the "Restricted" data classification.
|
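The validation-step check described in the Tip, combined with the three value types and the "no significance to order" note, can be sketched as follows. This is an added example, not ITS or UH Groupings code: it assumes the attribute arrives as repeated `cas:uhReleasedGrouping` elements inside `cas:attributes` of a CAS serviceValidate XML response, and the responses, user names and the `-alumni` grouping name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}           # CAS protocol XML namespace
OWN = "manoa-campus-arboretum-club"                  # grouping name from the page's example
MFA = "hawaii.edu:store:uhims:general:mfa-enabled"   # curated grouping from the page

def classify(value):
    """Sort one value into the page's three types using its namespace rules."""
    if value.startswith("obf:"):
        return "obfuscated"
    if value.startswith("hawaii.edu:store"):
        return "curated"
    return "unknown" if ":" in value else "own"

def released_groupings(cas_xml):
    """Return (user, values); (None, empty set) unless validation succeeded."""
    ok = ET.fromstring(cas_xml).find("cas:authenticationSuccess", NS)
    if ok is None:
        return None, frozenset()
    user = (ok.findtext("cas:user", "", NS) or "").strip()
    found = ok.iterfind("cas:attributes/cas:uhReleasedGrouping", NS)
    return user or None, frozenset(e.text.strip() for e in found if e.text)

def is_authorized(cas_xml, required=(OWN, MFA)):
    """Fail closed: every required grouping must be present as an exact value."""
    user, values = released_groupings(cas_xml)
    return user is not None and all(g in values for g in required)

def _response(inner):  # builds constructed sample responses, not captured traffic
    return ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
            + inner + "</cas:serviceResponse>")

def _success(user, values):
    attrs = "".join(f"<cas:uhReleasedGrouping>{v}</cas:uhReleasedGrouping>" for v in values)
    return _response(f"<cas:authenticationSuccess><cas:user>{user}</cas:user>"
                     f"<cas:attributes>{attrs}</cas:attributes></cas:authenticationSuccess>")

MEMBER = _success("jdoe", ["uh-employees-systemwide", MFA, OWN])   # own grouping is not first
LOOKALIKE = _success("asmith", [OWN + "-alumni", MFA])             # hypothetical similar name
NO_MFA = _success("bkim", [OWN])                                   # member, but not MFA-enabled
FAILED = _response('<cas:authenticationFailure code="INVALID_TICKET">x</cas:authenticationFailure>')

if __name__ == "__main__":
    for name, doc in [("MEMBER", MEMBER), ("LOOKALIKE", LOOKALIKE),
                      ("NO_MFA", NO_MFA), ("FAILED", FAILED)]:
        print(name, is_authorized(doc))
```

Matching on the whole value rather than a substring or the first element is what keeps a similarly named grouping from granting access. Because the check runs at CAS validation, a membership removal reaches an already signed-in user only at their next validation, in addition to the propagation delay noted in the Warning.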