Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

UH Groupings

owners may select this attribute as an optional "synchronization destination" in order to make membership information available to CAS-enabled applications. UH Groupings

can be used as a central authorization management resource, and this attribute makes it even easier.  You typically create a grouping to contain people authorized to do something in your application, then release that grouping by choosing uhReleasedGrouping as a sync destination. Your application can then check whether the grouping is in this attribute when it is returned by CAS/LDAP. 

This makes authorization implementation extremely simple.  There is no need to write or maintain your own authorization code or to host your own authorization data.

As an added convenience, ITS also populates this attribute with many general-purpose values (this page is restricted to the UH community).

Element Name

uhReleasedGrouping

Description

This has all the released groupings that a person belongs to.  Each such grouping represents an application or function for which all of the grouping's members have been authorized.

Tip
Tip
titleHelpful tips
  • Your application is expected to use CAS for authentication and authorization.
  • Your application should check for uhReleasedGrouping value(s) that signify authorization (typically, the name of your grouping) during the CAS validation step.
  • If you don't expect to make exceptions to an automatically defined population (e.g. faculty at Manoa), you may not need to create your own grouping. You may be able to use a curated grouping.
  • Creating your own grouping does not mean that you aren't allowed to also use a curated grouping. For example, a person may have been authorized because she is a member of your grouping, but you also want to perform an additional check against a curated grouping to see that she is enabled for MFA.

Warning

While membership updates to a UH Grouping are usually reflected in this attribute within 2 minutes, it could take much longer under heavy load.

As an added convenience, ITS provides various uhReleasedGrouping values available for general use (this page is restricted to the UH community)

.


UH Data Classification

Restricted per Executive Policy 2.214

LDAP Attribute Info

  • Name: uhReleasedGrouping
  • OID: 1.3.6.1.4.1.2160.1.1.1.66
  • Indexing: yes (equality,substring)
  • Required: no
  • Multivalued: yes(1)

Required Format for Storage

string

Example Stored Data(256), format: {a..z}{A..Z}{0..9}{:-._+=*}

Example Stored Data(2)

2)

manoa-campus-arboretum-club
uh-employees-systemwide
obf:ffa3423857510105ea8927332792387392892349324bdf892a
hawaii.edu:store:uhims:general:mfa-enabled


There are three types of values that can go into uhReleasedGrouping:

Type of value in uhReleasedGroupingExample

Your own grouping (typical)

Usually a hyphenated name

manoa-campus-arboretum-club
-members (typical grouping)
obf:

Your own grouping (obfuscated)

Owners can choose to hide the name of their groupings by obfuscating them in this attribute. The value always begins with obf: and is 133 characters long.

obf:ffa3423857510105ea8927332792387392892349324bdf892a...
(133 chars for obfuscated grouping, when an owner chooses to hide the name of the grouping)

Curated grouping

ITS curates a collection of groups to be included in this attribute.  These values are usually a colon-delimited path to a group in the UH Group Store.

Note that the full path to the group often provides important information here. For example, hawaii.edu:store:hris:aff:uhsystem:staff.apt tells us that these are all the APT Staff at a system-level office according to the PeopleSoft HR system

hawaii.edu:store:uhims:general:mfa-enabled
(curated groupings show up as a full path, see uhReleasedGrouping Values Available for General Use)

Note that there is no namespace collision between the three types of values.   Obfuscated groupings always begin with obf: and curated groupings will always begin with hawaii.edu:store.  Regular groupings are guaranteed to never have a colon, so there is no collision.


Systems of Record N/A because the data comes from UH Groupings.  A grouping could be entirely ad hoc, meaning there was no system of record involved, or a grouping's basis could be built using the UH Group Store, which has groups from all systems of record.

Notes

  1. There is no significance to the order of appearance. No assumptions can be made about the contents of the first row, for example.
  2. The Except for curated groupings, the full path of the a grouping won't be used.  Only the group id, the last component of the colon-separated path will be used.  The grouping namespace is controlled to avoid collisions even if the full path is not used here.
  3. Information on the UH Groupings service is available: UH Groupings.
  4. Information on the CAS service is available: UH Login.
  5. This attribute may indicate that a person is a student, which is FERPA-protected information, hence the "Restricted" data classification.

...