Grouper Glossary
Terms with Grouper-specific meaning are defined below, along with other Grouper concepts. An understanding of these terms will enable you to take full advantage of all that Grouper has to offer.
As of v1.3.0, Grouper terminology used in the Grouper UI differs from some of the terms defined below to help the UI to present group management tasks in a manner more readily understandable by non-technical users. The terminology used in developer and system administrator oriented documentation remains unchanged.
See also Grouper Provisioning Glossary
Info: The Grouper Deployment Guide uses terms described in this document: NIST 800-162 doc
TERM | DEFINITION | UI Translation (where applicable) |
---|---|---|
Access Privileges | Privileges that determine what a Subject can do with a Group. They are: | Subject is a UI "entity" |
Attribute | Grouper supports two broad categories of attributes: | |
Composite Group | A Group whose Membership is determined by combining the membership lists of two other groups, without listing its members explicitly. These two groups are called its Factor Groups. Three methods of combining the factor groups' memberships are supported: | |
Field | Either an Attribute (prior to Grouper 2.2 only) or a List. Grouper groups are a collection of attributes and lists, i.e., a collection of fields. The set of fields attached to a given group is a function of the set of Group Types it has been assigned. Note: in Grouper 2.2 and above, Attributes will no longer be implemented as fields; they will be implemented by the new attribute framework. | |
Direct Membership | A Subject that is listed in the Membership list of a Group has a direct membership in the group. Also see Indirect Membership. | Subject is a UI "entity" |
Factor Group | A Group in combination (union, intersection, or relative complement) with that of another factor group, which defines the membership of a resulting Composite Group. |
Folder | A place to organize objects in Grouper, most commonly a place to contain groups. Also called a Stem or Naming Stem. |
Group | A list of Subjects having Membership in the group, together with other attributes about the group. A list can have zero or more entries. In Grouper, a list contains only subject references, and an attribute is a single-valued string. A group must be created in an existing Naming Stem (or just Stem). If a group is made a member, i.e., a Subgroup, of another group, the members of the group will also be made members. By default, a Grouper group has: | naming stem is a UI "folder" |
Group Math | Any combination of groups for the purpose of creating another group based on the memberships of those groups. See Composite Group. |
Indirect Membership | A Subject that is a member of a Subgroup of a Group, or a member of a Factor Group that contributes positively to a group's membership, has an indirect membership in the group. Also see Direct Membership. |
List | A multi-valued list of Subject references. The direct members of a group are the values of the group's members list. Lists are also used to identify which subjects have which Naming or Access Privileges. |
Member | Any Subject in the membership list of at least one group. Also, a Member of a Group is any Subject with a Direct or Indirect Membership in the Group. |
Membership | The direct-only, indirect-only, or direct plus indirect members of a Group. A specific variety of membership is determined by context or configuration, i.e., the default User Interface allows the user to select among these three types of membership where appropriate. |
Naming Privileges | These privileges determine what a Subject can do with a Naming Stem. They are: | Naming privileges are now referred to as Creation privileges. |
Naming Stem | ...see Examples below. | Stem is a UI "folder" |
Stem | A synonym for a Naming Stem or Folder | Stem is a UI "folder" |
Subgroup | A Group that is a Direct Member of another group. |
Subject | An abstraction of any object whose Memberships are to be managed by Grouper. Most Grouper deployments will manage subjects that represent people and groups, but computers, accounts, services, or any other type of object maintained in a back-end identity store may be presented as subjects to Grouper by use of the Subject API. | Subject is a UI "Entity" |
Subject Source | One of the configured (generally external) places where subjects (entities) can be looked up and added to groups or assigned permissions. Each source has an unchanging and unique ID. |
Subject Id | This is an unchanging (generally opaque) identifier that will be stored in the Grouper database (along with subject source id) to represent each subject when it is used (e.g. added to a group or assigned permissions). This ID must be unique in the source. Note: if removing an unresolvable subject from a group, this is the only way to reference the subject. |
Subject Identifier | This is an attribute of the subject which can be used to identify the subject. Note, the Subject ID should not also be a Subject Identifier. This is not used in the Grouper database to lookup users, and can change. Examples of this are: netID and EPPN. |
Type | There are a few uses for this term in Grouper. |
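The membership terms defined above (Direct Membership, Indirect Membership, Subgroup, Composite Group, Factor Group) can be worked through with a small model. This is an added example, not Grouper's API or code from the Grouper project; the `Registry` class, the `ldap` source ID, the subject IDs and the `uofc:bsd:suspended` and `uofc:bsd:eis_active` group names are assumptions made for illustration.

```python
# Added illustration: an in-memory model of the glossary terms, not Grouper's API.
# Assumption: subjects are (source_id, subject_id) tuples, subgroups are group names.
class Registry:
    def __init__(self):
        self.lists = {}        # group name -> direct members (subjects and subgroups)
        self.composites = {}   # group name -> (operation, left factor, right factor)

    def add_group(self, name, members=()):
        self.lists[name] = set(members)

    def add_composite(self, name, op, left, right):
        self.composites[name] = (op, left, right)   # no explicit member list

    def direct(self, name):
        """Subjects listed in the group's own membership list."""
        return {m for m in self.lists.get(name, ()) if isinstance(m, tuple)}

    def indirect(self, name, _path=()):
        """Subjects reached through subgroups or factor groups."""
        if name in _path:                  # stop on a membership cycle
            return set()
        path = _path + (name,)
        if name in self.composites:
            op, left, right = self.composites[name]
            a, b = self.effective(left, path), self.effective(right, path)
            return {"union": a | b, "intersection": a & b, "complement": a - b}[op]
        found = set()
        for m in self.lists.get(name, ()):
            if isinstance(m, str):         # a subgroup: expand its members
                found |= self.effective(m, path)
        return found

    def effective(self, name, _path=()):
        """Direct plus indirect members."""
        return self.direct(name) | self.indirect(name, _path)

# Constructed sample data; "ldap" and the last two group names are made up.
ALICE, BOB, CAROL = ("ldap", "1001"), ("ldap", "1002"), ("ldap", "1003")

def build_sample():
    reg = Registry()
    reg.add_group("uofc:bsd:eis_staff", {ALICE, BOB})
    reg.add_group("uofc:exec_council", {CAROL, "uofc:bsd:eis_staff"})
    reg.add_group("uofc:bsd:suspended", {BOB})
    reg.add_composite("uofc:bsd:eis_active", "complement",
                      "uofc:exec_council", "uofc:bsd:suspended")
    return reg
```

When groups drive access decisions, the effective list is the one to audit: here the relative complement removes a subject who is still listed in a factor group.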
Examples
Step 1: Create a Root Folder
In the example below, a root naming stem (folder) is first created. Note: a naming stem (folder) must be created before any groups can be created.
Naming Stem uofc
attribute | value |
---|---|
folder | empty |
extension | uofc |
displayExtension | The University Of Chicago |
name | uofc |
displayName | The University Of Chicago |
Step 2: Create a Group
Next, a group may be created using the "uofc" naming stem (folder).
Group uofc:exec_council
attribute | value |
---|---|
folder | uofc |
extension | exec_council |
displayExtension | Executive Council |
name | uofc:exec_council |
displayName | The University Of Chicago:Executive Council |
Step 3: Create a Subordinate Folder and Group
Name and displayName values propagate down through subordinate naming stems, e.g., the Biological Sciences Division within U of C:
Naming Stem (Folder) uofc:bsd
attribute | value |
---|---|
folder | uofc |
extension | bsd |
displayExtension | Biological Sciences Division |
name | uofc:bsd |
displayName | The University Of Chicago:Biological Sciences Division |
Again, a group is created, e.g., the Enterprise Information Systems staff, with the above naming stem, and is displayed as follows:
Group uofc:bsd:eis_staff
attribute | value |
---|---|
folder | uofc:bsd |
extension | eis_staff |
displayExtension | Enterprise Information Systems staff |
name | uofc:bsd:eis_staff |
displayName | The University Of Chicago:Biological Sciences Division:Enterprise Information Systems staff |