Overview

UH Groupings is an online service for organizing and managing groupings of people affiliated with the University of Hawaii. Groupings can be based on simple roles or affiliations–students, faculty staff, campus–or complex combinations such as role, campus, EAC code, etc. Additionally, custom groupings can be created from scratch. Once defined, a Grouping can be used in multiple ways, such as to determine if someone is authorized to access an online resource, and/or should be included on an email list.

Request a grouping: <request form>
Manage a grouping: <https://www.hawaii.edu/its/uhgroupings>
Visit the UH Group Store: <UH Group Store>

Vision

UH Groupings provides a comprehensive resource for listing and managing all of a person's authorizations across all of the on-line resources used by the University, including web apps, even WordPress apps. Furthermore, UH Groupings enables comprehensive, automated deprovisioning of authorizations as determined by business logic.

Conceptual Description of Features, Roles, and Capabilities

Features

Leverage UHIMS's ability to automatically create groups by campus, role, EAC code, academic objective, course enrollment, etc.
Allow Grouping owners to identify and manage groups of individuals for business purposes, communications purposes, etc.
Allow Grouping owners to manually augment the Grouping by including or excluding select individuals.
Allow Grouping owners to publish a Grouping to a LISTSERV list and/or a Google group (or elsewhere in the future).
- Lists and groups are refreshed every 3 minutes.
- Users that use the LISTSERV feature to option out of a list will trigger a notification email to the owner(s). An owner can then contact the user.
Allow Grouping owners to enable members of a Grouping to effectively opt themselves out of the Grouping (e.g.: they no longer want to receive email from the respective list).
Allow Grouping members to opt in/out (at the Grouping owner's discretion) of the Grouping's publication to external services, such as a LISTSERV list.
API so that an application developer can automatically populate a Grouping's Include or Exclude group (see below for concepts and the developer documentation for API details).
Use UH Grouping's uhReleasedGrouping feature so that your group can be used for access control with CAS.
Use UH Grouping's term transition feature to automatically change the group membership when semesters change.
Use the UH Grouping's lifecycle feature so that you receive email when a person in your group leaves or changes position, for example, if authorizations need to be revoked.
- It is very easy to grant access to someone, but it is even easier to forget to remove such access when the person is no longer authorized. UH Groupings can provide that reminder when someone in the group has left or changed positions
- If an email notification is not appropriate (e.g. need real-time message for automatic deprovisioning), use the UH Message Broker instead. The underlying events that cause a person to enter or leave a group are available as a message.

Composition

A UH Grouping may be conceptually visualized as a trio of 3 groups of members. A person is a member of a group if it includes their UH Number. The trio is as follows

Basis group
- The Basis group membership is automatically populated and updated by UHIMS as UHIMS receives information about people from Banner, PeopleSoft HR and elsewhere.
- The composition of the Basis group is determined by the Grouping owner during the process to establish a new UH Grouping.
- The Basis group is reserved for UHIMS and may not be populated via the API.
- The Basis group is optional and may be empty.
Include group
- Ensure that the UH Grouping includes a member, regardless of their membership in the Basis group.
- The Include group is optional and may be empty. There is no automatic removal of members from the Include group.
- The API may be used by the application developer to populate this group.
Exclude group
- Ensure that the UH Grouping excludes a member, regardless of their membership in either the Basis or the Include group.
- The Exclude group is optional and may be empty. There is no automatic removal of members form the Exclude group.
- The API may be used by the application developer to populate this group.

For those familiar with Set Theory, the calculation of the UH Grouping's membership result may be represented as ((Basis U Include) \ Exclude).

UH Identity and Access Management > UH Groupings > UH Groupings Concepts.jpg

Roles

Grouping Owner
- Successfully requests the creation of the UH Grouping. The request includes specifying the following:
  - composition of the Basis group
  - description of the UH Grouping
  - publication destination
- Manages the UH Grouping
  - Can add or delete Grouping Members from the Include and Exclude groups.
  - Can indicate whether or not members can opt-out (exclude themselves) from a UH Grouping.
  - Can assign the Owner role to others so that there are multiple Owners.
Grouping Member
- Can exclude self from (or re-include to) a Grouping, if the Grouping is configured to permit it.

Sync Destinations

Nowhere - there is no destination
- Membership sync'ing of a Grouping to an external resource is optional.
LISTSERV list
- A grouping may be synchronized with a single associated LISTSERV list.
- The LISTSERV list is automatically created and synchronized with your grouping if you answered "yes" to "Publish your Grouping to a LISTSERV list?" (in the UH Groupings Request Form)
- The name of the LISTSERV list is the name of your grouping without its enclosing folder. For example, hawaii.edu:custom:test:foo-bar would generate the foo-bar LISTSERV list
- To send email, be sure to append @ and lists.hawaii.edu after the list name.
- Please review UH Groupings and LISTSERV Settings to view the default settings for groupings. You can also use it as a guide for requesting different settings for your list.
- See also UH Groupings and LISTSERV Considerations
Google group
- The name of the Google group is the name of your grouping without its enclosing folder.
CAS/LDAP attribute, uhReleasedGrouping
Future destinations to be determined
- Atlassian Confluence groups

Developer Information

UH Groupings and Role Based Access Control

Membership in any group or Grouping implies a role, which implies entitlements. An entitlement can be as simple as participation in an email distribution list. An entitlement can also be important to an application for determining who is allowed to do what within the application. Using UH Groupings for entitlements makes it possible for people to automatically lose an entitlement should their role change. This can help ensure that a person does not retain access to an application when they leave the university. It should be understood that people leaving the university can still have a working UH Username for many years. Retirees, Emeriti, and 'Ohana continue to retain their UH Username for as long as they want.

Developers can leverage UH Groupings and CAS or the Grouper API to externalize authorization logic. UH Groupings provides additional features, such as:

access to the UH Group Store, which includes many thousands of UHIMS predefined groups,
ability to reuse Groupings amongst multiple applications,
ability to publish Groupings as automatically managed LISTSERV lists (for membership management only),
future-proofing (access new features as they are added to UH Groupings; such as, enterprise deprovisoning).

Developer Resources:

Table of Contents