Info: The Grouper Deployment Guide uses the terms described in this document. See also the NIST 800-162 document.


TERM / DEFINITION / UI Translation (where applicable)

Access Privileges

Privileges that determine what a Subject can do with a Group. They are:

  • ADMIN - can assign access privileges and manage all group information,
  • UPDATE - can manage membership of the group (implies VIEW),
  • READ - can see the membership of the group (implies VIEW), and
  • VIEW - can see the group.
  • GROUP_ATTR_READ - can read attributes assigned to the group. Note that the subject must also have ATTR_READ privilege on the attributeDef.
  • GROUP_ATTR_UPDATE - can assign attributes to the group. Note that the subject must also have ATTR_UPDATE privilege on the attributeDef.

In addition, a group may have options for its members to:

  • OPTIN - can add self to the membership, and
  • OPTOUT - can remove self from membership.

Subject is a UI "entity"

Attribute

Grouper supports two broad categories of attributes:

1. Attributes used to attach metadata to various objects in the registry. For information see the Attribute Framework documentation.

2. A single-valued string associated with a Group or a Naming Stem. By default, Grouper supports six of these attributes:

  • id - a Grouper-assigned, globally unique identifier.
  • extension - the relative name of the group or naming stem within its parent naming stem; the contribution of a single element, such as a group or a naming stem, to the cumulative name.
  • name - used to facilitate searching for groups by name, it is a read-only string representation of the logical ordered pair of (parent stem, extension). This attribute is system-maintained. The string representation of the name attribute is: <parent stem>:<extension>.
  • displayExtension - a displayed form of the extension.
  • displayName - used to facilitate searching for groups by the displayed name, it is a read-only string representation of the logical ordered pair of (displayName of parent stem, displayExtension). This attribute is system-maintained. The string representation of the displayName attribute is: <displayName of parent stem>:<displayExtension>.
  • description - a description of the group or naming stem.

UI translation:

  • id is the UI "UUID"
  • extension is the UI "ID"
  • name is the UI "ID path"
  • displayExtension is the UI "name"
  • displayName is the UI "path"

Composite Group

A Group whose Membership is determined by combining the membership lists of two other groups, without listing its members explicitly. These two groups are called its Factor Groups. Three methods of combining the factor groups' memberships are supported:

  • union - all subjects that are members of one OR the other factor group,
    e.g., Group Z = members of either Group X OR Group Y, or Z = X ∪ Y.
  • intersection - all subjects that are members of the first factor group AND the second factor group,
    e.g., Group Z = members of both Group X AND Group Y, or Z = X ∩ Y.
  • relative complement - all members of the first factor group that are NOT members of the second factor group,
    e.g., Group Z = members of Group X AND NOT Group Y, or Z = X - Y.

Direct Membership

A Subject that is listed in the Membership list of a Group has a direct membership in the group. Also see Indirect Membership.

Subject is a UI "entity"

Factor Group

One of the groups whose membership is combined (by union, intersection, or relative complement) with that of another factor group to define the membership of a resulting Composite Group.

Folder

A place to organize objects in Grouper, most commonly a place to contain groups. Also called a Stem or Naming Stem.

Group

A list of Subjects having Membership in the group, together with other attributes about the group. A list can have zero or more entries. In Grouper, a list contains only subject references, and an attribute is a single-valued string. A group must be created in an existing Naming Stem (or just Stem). If a group is made a member, i.e., a Subgroup, of another group, the members of the subgroup also become (indirect) members of the containing group. By default, a Grouper group has:

  • six naming Attributes,
  • a description attribute, and
  • a members list.

This information model can be extended to include additional site-defined attributes and lists.

naming stem is a UI "folder"

Group Math

Any combination of groups for the purpose of creating another group based on the memberships of those groups. See Composite Group.

Indirect Membership

A Subject that is a member of a Subgroup of a Group, or a member of a Factor Group that contributes positively to a group's membership, has an indirect membership in the group. Also see Direct Membership.
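As an added example (not Grouper's own code; the stem, group and subject names are constructed), a minimal Python model of the Composite Group, Indirect Membership and Naming Stem entries above: it resolves subgroup and composite (union, intersection, relative complement) memberships into an effective member set and classifies a subject's membership as direct or indirect.

```python
from dataclasses import dataclass, field


@dataclass(eq=False)
class Group:
    stem: str                     # parent naming stem (constructed, e.g. "app:vpn")
    extension: str                # relative name within the stem
    members: list = field(default_factory=list)  # direct members: subject ids or Groups
    composite: tuple = None       # (op, left_factor, right_factor) or None

    @property
    def name(self):
        # system-maintained name attribute: <parent stem>:<extension>
        return f"{self.stem}:{self.extension}"


def effective_members(g, path=frozenset()):
    """All subjects with a direct or indirect membership in g, composites resolved."""
    if g.name in path:            # a subgroup cycle contributes nothing new
        return set()
    path = path | {g.name}
    if g.composite:
        op, left, right = g.composite
        lm, rm = effective_members(left, path), effective_members(right, path)
        return {"union": lm | rm, "intersection": lm & rm, "complement": lm - rm}[op]
    result = set()
    for m in g.members:
        if isinstance(m, Group):  # subgroup: its members are indirect members of g
            result |= effective_members(m, path)
        else:
            result.add(m)
    return result


def membership_kind(g, subject):
    """'direct', 'indirect' or None, per the membership definitions on this page."""
    if subject in g.members:
        return "direct"
    return "indirect" if subject in effective_members(g) else None


# Constructed sample registry: subject ids and group names are made up.
staff = Group("app:vpn", "staff", ["alice", "bob"])
contractors = Group("app:vpn", "contractors", ["carol"])
it_team = Group("app:vpn", "it", ["dave", staff])            # staff is a subgroup of it
allowed = Group("app:vpn", "allowed", composite=("union", it_team, contractors))
blocked = Group("app:vpn", "blocked", ["bob"])
access = Group("app:vpn", "access", composite=("complement", allowed, blocked))

if __name__ == "__main__":
    print(access.name, sorted(effective_members(access)))   # app:vpn:access ['alice', 'carol', 'dave']
```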

List

A multi-valued list of Subject references. The direct members of a group are the values of the group's members list. Lists are also used to identify which subjects have which Naming or Access Privileges.

Member

Any Subject in the membership list of at least one group. Also, a Member of a Group is any Subject with a Direct or Indirect Membership in the Group.

Membership

The direct-only, indirect-only, or direct plus indirect members of a Group. A specific variety of membership is determined by context or configuration, i.e., the default User Interface allows the user to select among these three types of membership where appropriate.

Naming Privileges

These privileges determine what a Subject can do with a Naming Stem. They are:

  • CREATE - can create groups, attributes, and subfolders in the stem.
  • ADMIN - can create groups, attributes, and subfolders in the stem. Also can delete the stem or assign any privilege to any entity.
  • STEM_ATTR_READ - can read attributes assigned to the stem. Note that the subject must also have ATTR_READ privilege on the attributeDef.
  • STEM_ATTR_UPDATE - can assign attributes to the stem. Note that the subject must also have ATTR_UPDATE privilege on the attributeDef.

Naming privileges are now referred to as Creation privileges.

Naming Stem

A string that forms the leading part of a Group's name. By linking the ability to create groups to a specified naming stem (via the CREATE privilege), the possibility that different groups can be given the same name is substantially reduced, and the name of each group can be made to reflect something about the authority under which it was created.
See Examples below.

Stem is a UI "folder"

Stem

A synonym for a Naming Stem.

Stem is a UI "folder"

Subgroup

A Group that is a Direct Member of another group.

Subject

An abstraction of any object whose Memberships are to be managed by Grouper. Most Grouper deployments will manage subjects that represent people and groups, but computers, accounts, services, or any other type of object maintained in a back-end identity store may be presented as subjects to Grouper by use of the Subject API.

Subject is a UI "Entity"

Subject Source

One of the configured (generally external) places where subjects (entities) can be looked up and added to groups or assigned permissions.  Each source has an unchanging and unique ID.

Subject Id

This is an unchanging (generally opaque) identifier that will be stored in the Grouper database (along with subject source id) to represent each subject when it is used (e.g. added to a group or assigned permissions).  This ID must be unique in the source.  Note: if removing an unresolvable subject from a group, this is the only way to reference the subject.

Subject Identifier

This is an attribute of the subject which can be used to identify the subject. Note: the Subject ID should not also be a Subject Identifier. A Subject Identifier is not used in the Grouper database to look up users, and it can change. Examples of this are: netID and EPPN.

Type

There are a few uses for this term in Grouper.

  • Type is used in the Grouper 2.4 patch (grouper_v2_4_0_api_patch_13) to allow you to tag an object. See https://spaces.at.internet2.edu/x/5QI3C
  • Group Type - (deprecated in Grouper 2.2 and above, but functionality still supported using the Attribute Framework.) Each Group has one or more group types associated with it. The Grouper distribution contains support for a single group type called "base", but sites may register additional types, together with the attributes and lists associated with them, within their Grouper installation. Doing so enables management of groups with a richer information model or a more diverse set of information models. Note: the addition of "Role" to Grouper adds a field on Groups called typeOfGroup which can be "group", "role" (group which can have permissions assigned), and "entity" (group object which cannot have members and is used, for example, as an application principal).
  • Subject Type - the Subject API v0.2.1 that Grouper 1.0 relies on uses the notion of a subject type, such as "person", "group", or "computer", etc.


Examples
