...
Table of Contents
Overview
UH Groupings uses Grouper behind the scenes to implement the concept of a grouping. This document specifies the Grouper operations that can be performed on a grouping.
Grouping Roles and Permissions
...
User Type | Description | Can use hawaii.edu/uhgroupings to perform these operations: |
---|
Grouping Superuser | Any person who has been designated as a Grouper administrator. | - Can do everything in UH Grouper (and therefore UH Groupings)
|
Grouping Owner | Any person who is responsible for a grouping. The first owner requests for the creation of a grouping. That request must specify the basis and destination (if any) of the grouping. |
| |
Grouping Member | Any person who is a member of a grouping, regardless of whether the membership comes from the basis or the include group. | - Can opt in or opt out of a grouping, assuming the grouping owner allowed it
|
Application Account | A special username that is used by an application to interact with UH Grouper (and therefore, UH Groupings). Grouper permissions are granted based on the needs of the application. | N/A, an application account can access whatever Grouper resources and perform whatever operations it has been granted |
access to
Anatomy of a Grouping
Info |
---|
Typically you would not need to create the underlying components described below. When we receive a grouping request, we will implement them all for you. We expect that most applications would only need to deal with a grouping's include or exclude group. |
All groupings must be created under hawaii.edu:custom:<org> or a subdirectory under that. We'll describe the Grouper components that make up a grouping by using a manoa-math-club grouping example. Remember that a colon delimits a folder, so we'll notate them in bold and ending with a colon:
| | | | | |
|
|
|
|
|
|
| Top-level folder for all Grouper groups |
| | | | |
|
|
|
|
|
| All groupings must be inside custom: subfolder |
| | | | | | |
|
|
|
|
| Organize grouping by <org> code. We will create it under the uhm folder |
| | | | |
|
|
|
| The grouping itself. It is a composite group defined as:
hawaii.edu:custom:uhm:manoa-math-club:basis+include relative complement hawaii.edu:custom:uhm:manoa-math-club:exclude |
| | | | | |
|
|
|
| A folder holding all artifacts that implement the grouping. Every grouping has a folder with the same name as the grouping. |
| | | | | |
|
| The basis of the grouping. It can be empty, it can have |
a single group as a member one or more groups as members, or it can |
be implement a complex group expression. A basis is typically built from the UH Group Store. Examples: Simple basis: This basis group |
has only one member, has zero or more groups as members, e.g. it has this one member group: hawaii.edu:auto:sis:registration:MAN:MATH:140:86212:201430:enrolled Complex basis: This basis group has one member, hawaii.edu:custom:uhm:manoa-math-club:basis:100, which is a composite group that implements a complex group expression. See below. |
| | | | | |
|
| If the basis is a complex group expression, we will need to create intermediate groups that represent each group operation. Such groups go into this folder. |
| | | | | |
| A composite group that represents a complex basis that is implemented by operations on the 101, 102, etc. groups below. For example, this group is a composite group defined as
hawaii.edu:custom:uhm:manoa-math-club:basis:101 relative complement hawaii.edu:custom:uhm:manoa-math-club:basis:102 |
| | | | | |
| This could be a composite defined as
hawaii.edu:auto:sis:registration:MAN:MATH:111:85029:201430:enrolled union hawaii.edu:auto:sis:registration:MAN:MATH:112:82784:201430:enrolled |
| | | | | |
| This could be another composite defined as hawaii.edu:menu:any-dataOrigin:aff:any-org:faculty union hawaii.edu:menu:any-dataOrigin:aff:any-org:staff |
| | | | | |
|
| The grouping's include group. |
| | | | |
|
| The grouping's exclude group. |
| | | | owners |
|
| A group tracking all owners of the grouping |
|
|
|
|
| basis+include |
| |
|
| Every grouping has this. It is the composite group that implements the "basis union include" portion of the grouping. |
Grouper web services
- All UH Grouping operations are performed using Grouper web services. You will need to become familiar with it:
Application account
- If you will be using WS to read from or write to your grouping, make sure your Grouper application account has been granted the following privileges:
- View and Read privileges on the grouping itself
- Update privileges on the grouping's include and exclude subgroups. This means your application account is also considered an owner for the grouping.
Checking if a person is a member of a grouping
- Determine the full path to the group that represents the grouping itself
- e.g. hawaii.edu:custom:uhm:manoa-math-club
- Use this Grouper web service to check that the group has the UH Number of the person as a member:
Adding or deleting people from the include or exclude groups
It is recommended that everyone use https://www.hawaii.edu/uhgroupings to manage every aspect of a grouping.
...
- Special considerations before modifying an include or exclude group:
- Who is performing the addition or deletion from the include and exclude groups? If it as a grouping owner, you may proceed.
- Is your application opting in or out on behalf of a grouping member? If so, you should check whether the owner allowed that.
- Determine the full path to the grouping's include and exclude groups. Simply append :include or :exclude to the grouping path, e.g.
- hawaii.edu:custom:uhm:manoa-math-club:include
- hawaii.edu:custom:uhm:manoa-math-club:exclude
- Use these Grouper web service to add or delete members from the include or exclude groups.
- REQUIRED: set this Grouper attribute to the current date and time, but truncate the seconds portion:
- The attribute name is uh-settings:attributes:for-groups:last-modified:yyyymmddThhmm
- The attribute name in the web service call is referred to
the current date and time, but truncate the seconds portion.
Use this format: - as wsAttributeDefNameName. See example below.
- Set the attribute for the include or exclude group you are modifying, not the grouping path itself.
- Use the YYYYMMDDTHHMM format for the attribute value, e.g.
- 20140315T1915 (March 15, 2014 7:15:59pm59 PM, note how we truncated the secodsseconds, even if this should have been rounded to 7:16pm16 PM)
- Please make sure your clock is synchronized with a time server.
- Use this Grouper web service to assign the attribute:
- https://spaces.internet2.edu/display/Grouper/Assign+Attributes
Example:
No Format |
---|
POST https://grouper.hawaii.edu/grouper-ws/servicesRest/json/v2_2_002/attributeAssignments
{
"WsRestAssignAttributesLiteRequest":
{
"wsAttributeDefNameName":"uh-settings:attributes:for-groups:last-modified:yyyymmddThhmm",
"attributeAssignType":"group",
"valueSystem":"20201231T1345",
"wsOwnerGroupName":"hawaii.edu:custom:your:grouping:path:include-or-exclude",
"attributeAssignValueOperation":"replace_values",
"attributeAssignOperation":"assign_attr"
}
} |
- A future version of Grouper will support RabbitMQ messaging, and we should then do away with this timestamp requirement.
Reading attributes of group members
The following attributes are available when retrieving the members of a group:
Multi-valued attributes will be returned as a single string with all values delimited by three vertical bars "|||". THIS APPLIES ONLY TO THE Grouper API. Do not expect this format to appear in other services such as UH Login or LDAP.
Example:
No Format |
---|
POST https://grouper.hawaii.edu/grouper-ws/servicesRest/xml/v2_2_002/groups
<WsRestGetMembersRequest>
<wsGroupLookups>
<WsGroupLookup>
<groupName>path:to:your:grouping</groupName>
</WsGroupLookup>
</wsGroupLookups>
<includeSubjectDetail>T</includeSubjectDetail>
<subjectAttributeNames>
<string>eduPersonAffiliation</string>
<string>eduPersonOrgDN</string>
</subjectAttributeNames>
</WsRestGetMembersRequest> |
returns:
No Format |
---|
<WsGetMembersResults>
<subjectAttributeNames>
<string>eduPersonAffiliation</string>
<string>eduPersonOrgDN</string>
<string>uid</string>
<string>cn</string>
<string>sn</string>
<string>givenName</string>
<string>displayName</string>
<string>eduPersonAffiliation</string>
<string>eduPersonOrgDN</string>
</subjectAttributeNames>
...
<results>
<WsGetMembersResult>
...
<wsSubjects>
<WsSubject>
<resultCode>SUCCESS</resultCode>
<success>T</success>
<id>99999999</id>
<name>First Last</name>
<sourceId>UH core LDAP</sourceId>
<attributeValues>
<string>staff</string>
<string>uhm</string>
<string>username</string>
<string>First Last</string>
<string>Last</string>
<string>First</string>
<string>First Last</string>
<string>staff|||student</string>
<string>uhsystem|||uhm</string>
</attributeValues>
</WsSubject>
...
|