Enterprise Directory Groups (ED Groups)


An Enterprise Directory (ED) group is a way to group people together in order to authorize that group of people to access electronic resources in an ad hoc fashion. While people have implied affiliations to the University which allow them access to certain on-line systems, membership in a group can also allow access but in a more flexible and delegated fashion.

The Group Management Application is an application that allows university IT application services to create and manage groups for the purpose of authorizing people to use information technology services.

Why Groups?

General Group Naming Rules

Initial Group Prefix

All new groups created by admins must have a prefix. This prefix must consist of the name of an existing group that the creator administers. For example, your department has created "department.staff.access" as a group and given you administrative rights to that group. You can now create new groups under that prefix, such as "department.staff.access.temp" or "department.staff.access.secure". In order to begin using groups you must first obtain the initial 'node', in this example the "department" part.

You can request this prefix via the service catalog.

Initial Group Prefix Naming Rules

We have several different requirements for initial group prefix names. These requirements are in place to help preserve the current and future group-subdomain namespace as well as to allow subdomain owners the first chance at a matching group prefix. Your group-prefix request should fall into one of the following cases:

A department requests a prefix that matches a DNS entry that they 'own'. Since the requesters are the owners of the subdomain, there is no conflict. IMCS will process the request and create the prefix.

Example: the Alumni Association requests a prefix of 'alumni'.

A department requests a prefix that matches a DNS entry that they do not 'own'

If the requested prefix matches a DNS subdomain entry but the requesters are not the owners of that subdomain, the requesters can either: a) Pick a different prefix or b) Have IMCS contact the owners of the subdomain in question and request its use as a group. In the latter case it will be up to the subdomain owners to approve/deny the request for that prefix.

Example: the English department requests a prefix of 'eng'. The Engineering department will need to approve or deny that request.

A department requests a prefix that does not match any DNS entry

In order to preserve the DNS namespace for future departments, group-prefixes that do not match any DNS subdomain will be given an additional prefix node of "nodns".

Example: the Entomology department requests the prefix "bugs". There is no matching DNS entry, so they receive the prefix "nodns.bugs".

A department requests a prefix that does not match any DNS entry, but does not want their groups to have the "nodns" prefix

The initial group-prefix must either be a DNS entry or have "nodns" in front of it. DNS entries cannot be registered strictly for the purpose of obtaining a group.

Example: the Entomology department requests the prefix "bugs". There is no matching DNS entry, so they must either use "nodns.bugs" or have another legitimate reason to register the "bugs" DNS entry first. If they do become owners of the "bugs" subdomain, they will receive the prefix "bugs" instead of "nodns.bugs".


Groups Terminology

Identity Management System (IDM) – A system composed of various components including the Enterprise Directory LDAP, web services, and middleware that is responsible for identity management.

Application Service (app service) – A software application providing a service to its users. In this case, one that uses the IDM as a service for authentication and authorization of Virginia Tech people.

Web application – A software application that allows users to connect to it via the HTTP protocol. This is usually done with a standard client web browser.

ED-ID service – A registered/vetted/authorized service account used by application services. These services use client certificates to gain access to GMS.

Administrator (admin) – A user or service that is responsible for the creation of subgroups, assigning managers to groups, and changing group attributes such as expiration date, viewers, etc.

Manager (mgr) – A user or service that is restricted to adding and removing people to and from a group.

Contact Person (contact) – A user that maintains the visible sponsorship for a group as well as receiving email messages that pertain to that group such as group expiration, authorization information, etc. This person would be responsible for the agreements held between group owners and consuming application services.

Viewer – An ED-ID service that is allowed to see group data such as membership contained in another service's group.

Member – A person or group that is listed in the membership of a group.

Group Name – The name of a group which consists of an alphanumeric string separated by periods.

Example (the whole name): irm.staff.softdev – a group of IMS staff members responsible for software development.

Group node name – The portion of the group name between two adjacent periods.
Example (one node): "staff" in ims.staff.softdev

Group Prefix – The beginning of the group name up to the last period. An admin can create a new group only when its group prefix is the name of a group that they administer.
Example (the prefix): "irm.staff" in irm.staff.softdev

Initial Group Prefix – The portion of the group name up to the first period.
Example (the initial prefix): "imcs" in imcs.staff.softdev
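The following is an added worked example, not code from the Group Management Application or any Virginia Tech system. It expresses the group-name terminology above (nodes, group prefix, initial group prefix) and the rules from the "Initial Group Prefix" and "Initial Group Prefix Naming Rules" sections as small functions: an admin may create a group only when its prefix is the name of a group they administer, and a requested initial prefix is granted, referred to the subdomain owner, or given the "nodns" node depending on DNS ownership. The department names, DNS subdomain labels and group names in it are constructed for illustration; the `dns_owners` mapping stands in for whatever DNS ownership records IMCS actually consults.

```python
"""Added example (not code from Virginia Tech's Group Management Application):
the naming and authorization rules on this page expressed as small functions.
Department names, DNS subdomains and group names below are constructed."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# A group name is alphanumeric nodes separated by periods (see "Group Name").
_NODE = re.compile(r"^[A-Za-z0-9]+$")


def nodes(group_name: str) -> List[str]:
    """Split a group name into its nodes; reject empty or non-alphanumeric nodes."""
    parts = group_name.split(".")
    if not all(_NODE.match(p) for p in parts):
        raise ValueError(f"invalid group name: {group_name!r}")
    return parts


def group_prefix(group_name: str) -> Optional[str]:
    """Group Prefix: everything up to the last period (None for a single node)."""
    parts = nodes(group_name)
    return ".".join(parts[:-1]) if len(parts) > 1 else None


def initial_group_prefix(group_name: str) -> str:
    """Initial Group Prefix: everything up to the first period."""
    return nodes(group_name)[0]


def can_create_group(new_name: str, administered: Set[str]) -> bool:
    """An admin may create a group only if its prefix is the exact name of an
    existing group that the admin administers ("Initial Group Prefix" section)."""
    prefix = group_prefix(new_name)
    return prefix is not None and prefix in administered


@dataclass
class PrefixDecision:
    """Outcome of an initial-prefix request."""
    prefix: Optional[str]                      # prefix that will be created, if any
    needs_approval_from: Optional[str] = None  # subdomain owner who must decide


def resolve_initial_prefix(requested: str, requester: str,
                           dns_owners: Dict[str, str]) -> PrefixDecision:
    """Apply the page's three prefix cases.

    dns_owners maps a DNS subdomain label to the department that owns it; it is a
    constructed stand-in for the real DNS ownership records IMCS would consult.
    """
    if not _NODE.match(requested):
        raise ValueError(f"prefix must be a single alphanumeric node: {requested!r}")
    owner = dns_owners.get(requested)
    if owner is None:
        # No matching DNS entry: the "nodns" node is prepended.
        return PrefixDecision(prefix=f"nodns.{requested}")
    if owner == requester:
        # Requester owns the matching subdomain: granted as requested.
        return PrefixDecision(prefix=requested)
    # Another department owns the subdomain: they must approve or deny.
    return PrefixDecision(prefix=None, needs_approval_from=owner)


if __name__ == "__main__":
    dns = {"alumni": "Alumni Association", "eng": "Engineering"}  # constructed
    for dept, wanted in [("Alumni Association", "alumni"),
                         ("English", "eng"), ("Entomology", "bugs")]:
        print(dept, wanted, resolve_initial_prefix(wanted, dept, dns))
    print(can_create_group("department.staff.access.temp", {"department.staff.access"}))
```

Run as a script it walks the three examples from the naming rules (alumni, eng, bugs) and the "department.staff.access.temp" creation check. Note that `can_create_group` requires the prefix to match an administered group name exactly; administering "department.staff.access" does not let an admin create "department.staff.temp", because that group's prefix is "department.staff".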