Problem
A service is offered to a group of people and those people need to be specifically authorized to use the service. There are several variants of this simple problem: different groups might have different privileges within the service; multiple "Registrars" might be authorized to grant privileges to people.
The groups of people involved might be departments, teams, or people from within one department who have different roles relative to the application. They are self-identified, in that the organization does not track who belongs to each group. Only they know who they are. Typically, someone in authority assigns individuals to the appropriate group
Solution
Create a group with a membership of the people authorized to use the service. If there is a need to support different privileges within the service, create multiple groups that map to the various Roles within the application. If there are multiple Registrars, give all of them the authority to manage group membership, or create separate groups for each of them to manage.
Examples
- The Residential Life Office relies on an application to support their business. It tracks who is assigned to each dorm room, requests for room changes, feeds into the campus billing system, and supports other tasks within the Office. The Director assigns people to groups based on their job responsibilities; a system administrator manages the directory to implement those assignments; some full time staff can change room assignments; other staff have read-only access to the DB; student employees have read-only access and can only see some fields.
- Wireless access privileges are to be given to guests of the University so they can access email, etc, while on campus. The Library, the Faculty Club, Residence Halls, and the International House are gateways for University guests. The Guest Network ID administrative application is to be provided to appropriate staff in each of those areas to enable them to manage Guest Network IDs for guests. The service in this case is the Guest Network ID administrative application, and its users are those who register guests in each area.
Graphic (click on it to view full size)
