
COmanage Groups (CO Groups) are defined at the CO level, and CO Group Memberships attach to the CO Person. CO Groups are fairly basic. For more sophisticated needs, COmanage can be connected to Grouper using the Grouper Provisioning Plugin. By default, any CO Person can create a new CO Group.

CO Group Attributes

Open vs Closed

An open group is one that allows anyone to join. Participants can self-join; no administrator action is required. Memberships in a closed group can only be set by the group owner.

In addition, CO Administrators can manage any CO Group within their CO.

Automatic Groups

Automatic Groups are groups whose memberships Registry manages automatically.

CO Group Membership Attributes

Member vs Owner

A group member is simply a participant in the group. A group owner has permission to add and remove members to and from the group, including closed groups. A CO Person can be a member, an owner, both, or neither.

The CO Person who creates a CO Group is automatically set as both a member and owner of the new group.

Special CO Groups

Admin Groups

Admin Groups are used to determine Registry Administrators. Admin Groups are automatically created when a CO or COU is created. The Platform Administrator typically sets the initial CO Administrator, and then the CO Administrators.

Since v2.0.0:

  • The admin group is indicated by the group type GroupEnum::Admins and a null cou_id. The default name for the group is CO:admins.
  • The admin groups for COUs are indicated by the group type GroupEnum::Admins and a non-null cou_id. The default name for COU admin groups is CO:COU:COU_Name:admins.

Prior to v2.0.0:

  • The admin group determines CO Administrators.
  • Groups of the form admin:couname determine COU Administrators.

Members Groups

Members Groups are automatic groups that are updated with all members of the CO or COU. Members Groups are automatically created and updated.

Since v2.0.0:

  • Members of the CO in Active or Grace Period status are available in the group identified by the group type GroupEnum::ActiveMembers and a null cou_id. The default name for the group is CO:members:active.
  • All members of the CO (except those in Deleted status) are available in the group identified by the group type GroupEnum::AllMembers and a null cou_id. The default name for the group is CO:members:all.
  • Members of a given COU with an Active or Grace Period status role are available in the group identified by the group type GroupEnum::ActiveMembers and a non-null cou_id. The default name for the group is CO:COU:COU_Name:members:active.
  • All members of a given COU (except those with only roles in Deleted status) are available in the group identified by the group type GroupEnum::AllMembers and a non-null cou_id. The default name for the group is CO:COU:COU_Name:members:all.

Prior to v2.0.0:

  • The members group holds all CO People within the CO.
  • Groups of the form members:couname hold all CO People with a role in the specified COU.

CO Group Memberships and Enrollment

CO Group Memberships can be added as part of an Enrollment Flow by adding an attribute of the appropriate type. For more details, see Registry Enrollment Flow Configuration.

CO Group Memberships can also be added via Organizational Identity Sources when connected to Pipelines.

Nested Groups

As of Registry v3.3.0, Nested Groups allow the members of one group (the "nested" or source group) to automatically be included as members of another group (the "target" group). Nested Groups only confer group membership; they cannot be used to manage group ownership. Currently, Nested Groups are additive only: it is not possible to specify certain members to be excluded from the target group (CO-1585).

To nest a group, edit the target group and click Add Nested Group. Select the desired source group.

Nested Groups do not imply any sort of hierarchy (CO-1223).

Group Reconciliation

In general, nested group memberships and memberships of automatic groups are updated in real time as needed. However, if an automatic group or a group with nested groups appears to have incorrect memberships, the group can be manually reconciled to correct them. To reconcile a group, edit the desired group and click Reconcile.
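The following added example (not Registry code) applies the v2.0.0+ Members Groups rules described above to an exported snapshot and reports which automatic groups hold stale or missing memberships and are therefore candidates for Reconcile. The record layout, field names, type labels (named after the GroupEnum constants on this page) and status labels are assumptions, and the sample data is constructed.

```python
# Assumed status labels counted as "active" by the page's rules.
ACTIVE = {"Active", "GracePeriod"}

def expected_members(group, people):
    """Person ids the v2.0.0+ rules place in a Members Group."""
    cou, kind = group["cou_id"], group["type"]
    out = set()
    for p in people:
        if cou is None:
            statuses = [p["status"]]          # CO level: the CO Person's status
        else:                                 # COU level: roles in that COU only
            statuses = [r["status"] for r in p["roles"] if r["cou_id"] == cou]
        if kind == "ActiveMembers":
            ok = any(s in ACTIVE for s in statuses)
        elif kind == "AllMembers":            # excluded only if everything is Deleted
            ok = any(s != "Deleted" for s in statuses)
        else:
            raise ValueError("not a Members Group: " + kind)
        if ok:
            out.add(p["id"])
    return out

def drift(group, people):
    """Return (missing, stale) person ids relative to stored memberships."""
    want, have = expected_members(group, people), set(group["members"])
    return sorted(want - have), sorted(have - want)

def groups_needing_reconcile(groups, people):
    """Map group name -> (missing, stale) for groups that disagree with the rules."""
    report = {g["name"]: drift(g, people) for g in groups}
    return {n: d for n, d in report.items() if d != ([], [])}

# Constructed snapshot; COU id 10 stands for the placeholder COU_Name.
PEOPLE = [
    {"id": 1, "status": "Active", "roles": [{"cou_id": 10, "status": "Active"}]},
    {"id": 2, "status": "GracePeriod", "roles": [{"cou_id": 10, "status": "Expired"}]},
    {"id": 3, "status": "Deleted", "roles": [{"cou_id": 10, "status": "Deleted"}]},
    {"id": 4, "status": "Active", "roles": [{"cou_id": 10, "status": "Deleted"},
                                            {"cou_id": 10, "status": "GracePeriod"}]},
]
GROUPS = [
    {"name": "CO:members:active", "type": "ActiveMembers", "cou_id": None, "members": [1, 2, 3]},
    {"name": "CO:members:all", "type": "AllMembers", "cou_id": None, "members": [1, 2, 4]},
    {"name": "CO:COU:COU_Name:members:active", "type": "ActiveMembers", "cou_id": 10, "members": [1, 2]},
    {"name": "CO:COU:COU_Name:members:all", "type": "AllMembers", "cou_id": 10, "members": [1, 2, 4]},
]

if __name__ == "__main__":
    for name, (missing, stale) in groups_needing_reconcile(GROUPS, PEOPLE).items():
        print(f"{name}: missing={missing} stale={stale}")
```

A stale entry in an active members group is the case to act on first, since it means a person who no longer qualifies is still listed as a member.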
