[Home] [About] [News] [FAQ] [Software] [Documentation] [Contact]
Terms with Grouper-specific meaning are defined below, along with other Grouper concepts. An understanding of these terms will enable you to take full advantage of all that Grouper has to offer.
Access PrivilegesPrivileges that determine what a Subject can do with a Group. They are:Attribute
- ADMIN - can assign access privileges and manage all group information,
- UPDATE - can manage membership of the group (implies READ),
- READ - can see the membership of the group (implies VIEW), and
- VIEW - can see the group.
In addition, a group may have options for its members to:
- OPTIN - can add self to the membership, and
- OPTOUT - can remove self from membership.
A single-valued string associated with a Group or a Naming Stem. By default, Grouper supports six attributes:Composite Group
- id - a Grouper-assigned, globally unique identifier.
- extension - the relative name of the group or naming stem within its parent naming stem; the contribution of a single element, such as a group or a naming stem, to the cumulative name.
- name - used to facilitate searching for groups by name, it is a read-only string representation of the logical ordered pair of (parent stem, extension). This attribute is system-maintained. The string representation of the name attribute is: <parent stem>:<extension>.
- displayExtension - a displayed form of the extension.
- displayName - used to facilitate searching for groups by the displayed name, it is a read-only string representation of the logical ordered pair of (displayName of parent stem, displayExtension). This attribute is system-maintained. The string representation of the displayName attribute is: <displayName of parent stem>:<displayExtension>.
- description - a description of the group or naming stem.
A Group whose Membership is determined by combining the membership lists of two other groups, without listing its members explicitly. These two groups are called its Factor Groups.Direct Membership
Three methods of combining the factor groups' memberships are supported:
- union - all subjects must be a member of one OR the other factor group,
e.g., Group Z = members of either Group X OR Group Y, or Z = X U Y.
- intersection - all subjects that are members of the first factor group AND the second factor group,
e.g., Group Z = members of both Group X AND Group Y, or Z = X ∩ Y.
- relative complement - all members of the first factor group that are NOT members of the second factor group.
e.g., Group Z = members of Group X AND NOT Group Y, or Z = X - Y.
A Subject that is listed in the Membership list of a Group has a direct membership in the group. See Indirect Membership.Factor Group
A Group in combination (union, intersection, or relative compliment) with that of another factor group, which defines the membership of a resulting Composite Group.Group
A list of Subjects having Membership in the group, together with other attributes about the group. A list can have zero or more entries. In Grouper, a list contains only subject references, and an attribute is a single-valued string. If a group is made a member, i.e., a Subgroup, of another group, the members of the group will also be made members. A group must be created in an existing Naming Stem. By default, a Grouper group has:Group Math
- six naming Attributes,
- a description attribute, and
- a members list.
This information model can be extended to include additional site-defined attributes and lists.
Any combination of groups for the purpose of creating another group based on the memberships of those groups. See Composite Group.Indirect Membership
A Subject that is a member of a Subgroup of a Group, or a member of a Factor Group that contributes positively to a group's membership.List
MemberA multi-valued list of Subject references. The direct members of a group are the values of its members list. Lists are also used to identify which subjects have which Naming or Access Privileges. Sites can extend a group type to include other lists; however, their semantics are external to Grouper. See Group.
Any Subject within the membership list of a group; a member may be a person, group, application, service, etc., as configured per Grouper installation.Membership
The direct-only, indirect-only, or direct plus indirect members of a Group. A specific variety of membership is determined by context or configuration, i.e., the default User Interface allows the user to select among these three types of membership where appropriate.Naming Privileges
These privileges determine what a Subject can do with a Naming Stem. They are:
Naming Stem
- CREATE - can create a group(s) named with a naming stem, and
- STEM - can assign who has CREATE for the naming stem, and can create naming stems subordinate to this one.
StemA string that forms the leading part of a Group's name. By linking the ability to create groups to a specified naming stem (via the CREATE privilege), the possibility that different groups can be given the same name is substantially reduced, and the name of each group can be made to reflect something about the authority under which it was created.
...see Examples below.
A synonym for a Naming Stem.Subgroup
A Group that is Listed as a member of another group.Subject
An abstraction of any object whose Group Memberships are to be managed by Grouper. Most Grouper deployments will manage subjects that represent people and groups, but computers, accounts, services, or any other type of object maintained in a back-end system may be presented as subjects to Grouper by use of the Subject API.Type
There are two distinct uses for this term in Grouper.
- Group Type - each Group has one or more group types associated with it. The Grouper distribution contains support for a single group type called "base", but sites may register additional types, together with the attributes and lists associated with them, within their Grouper installation. Doing so enables management of groups with a richer information model or a more diverse set of information models.
- Subject Type - the Subject API uses the notion of a subject type, such as "person", "group", or "computer", etc.
In the example below, a root naming stem is first created. Note: creating a naming stem is required prior to the creation of any groups.
| naming stem, uofc | |
|---|---|
| attribute | value |
| parent stem | |
| extension | uofc |
| displayExtension | The University Of Chicago |
| name | uofc |
| displayName | The University Of Chicago |
Step 2: Create a Group
Next, a group may be created using the "uofc" naming stem.
| group, uofc:exec_council | |
|---|---|
| attribute | value |
| parent stem | uofc |
| extension | exec_council |
| displayExtension | Executive Council |
| name | uofc:exec_council |
| displayName | The University of Chicago:Executive Council |
Step 3: Create a subordinate Naming Stem and Group
Subsequent display values now propagate down through subordinate namespaces as well, e.g the Biological Sciences Division within U of C:
| naming stem, uofc:bsd | |
|---|---|
| attribute | value |
| parent stem | uofc |
| extension | bsd |
| displayExtension | Biological Sciences Division |
| name | uofc:bsd |
| displayName | The University Of Chicago:Biological Sciences Division |
Again, a group is created, e.g., the Enterprise Information Systems staff, within the above naming stem, and is displayed as follows:
| group, uofc:bsd:eis_staff | |
|---|---|
| attribute | value |
| parent stem | uofc:bsd |
| extension | eis_staff |
| displayExtension | Enterprise Information Systems staff |
| name | uofc:bsd:eis_staff |
| displayName | The University Of Chicago:Biological Sciences Division:Enterprise Information Systems staff |