Survey Strategy and Goals
The intent of this survey is to collect feedback from a variety of institutions and organizations within higher education about their current Directory Group usage in LDAP, their current and anticipated needs for Directory Groups, and what gap(s) they see between the tools they currently have at their disposal and what would meet their needs. Our aim is to then use the results of the survey process to inform our thinking about Directory Group tools and to measure existing tools with an eye toward making them as widely useful as possible.
Survey Frozen 12-January-2009
The survey below has been entered into SurveyMonkey for data collection, in its final form as of this date. Please direct questions or comments to Steve Olshansky <steveo AT internet2 DOT edu>.
Below are the beginnings of the survey, containing questions that have been thought of by members of the MACE-Dir Working Group. If you have any comments, suggestions, corrections, additional questions, etc. that you feel are appropriate, please feel free to edit this document directly. We only ask that you comment on any changes you make so that we can keep track of the rationale for changes as they are made.
Directory groups can be used for provisioning and authorization.
For those using groups in LDAP:
- What directory product(s) are you using?
- If you are using more than one product, are you synchronizing them, and if so, how?
- Are the standard object classes sufficient for your needs?
- Are you using static groups, dynamic groups (groups whose membership changes based on data in the directory), or a mixture of both? Why?
- If you are using static groups, how do you go about generating them? Are they created on an as-needed basis? Are they created by hand? Is there an automatic tool that creates the base structure for you?
- If you are using dynamic groups, how do you go about generating them? Are they created dynamically, or just populated dynamically? Are they created/populated from basic LDAP filters, or is more complex coding required?
- Do you use groups for authorization, base authorization on attributes, or release attributes to applications for the applications to determine if a user is authorized?
- If you use groups for roles, how, if at all, do you address exceptions to the roles/group membership?
- How many groups do you have in LDAP?
- Do your group memberships include "external" people? ("external people" meaning people that do not exist in your local authentication management system.) If so, how do you link them to the group?
- Are your end users able to create groups directly or do they need to request to have one created by central IT staff?
- How do you handle removing deleted users from a group?
- How many members does your largest static group have? How is this large membership maintained?
- Do you have groups that mirror affiliations, such as an alum affiliation and an alum group?
- Do you maintain group memberships based on data provisioned from other systems of record (e.g. course groups or student major groups from your student information system, or employee groups from your HR/Payroll system)? If so, please describe.
- Do you support protected group memberships (where not everyone can view the membership)? If so, what are the security and/or compliance drivers for protecting them (e.g. FERPA)?
- How do you handle group naming policy? Do you allow special characters, alphanumeric characters only, spaces? How many characters do you allow the group name to be?
- Are users allowed to choose their own group names (via delegated naming authority), or are they assigned by a central authority (such as your help desk)?
- Are users able to manage and change their group membership on their own?
- Are people allowed to create groups that they are not members of?
- What are the top 3 tools you would like to see available for group management?
- What other issues do you currently have with group management?
- Do you encourage group reuse where applicable (for example, when two groups have identical memberships based on similar or identical membership rules, such that only one of the groups is actually necessary)? If so, how do you detect the similarities?