Groups
Overview
In Grouper/Grid Grouper, groups are organized into namespaces or stems. Stems are organized in a tree hierarchy starting with the root stem. Each stem can have a set of child stems and a set of child groups, with the exception of the root stem, which cannot have any child groups. Groups are composed of a set of attributes describing the group, a set of members in the group, and a set of privileges assigned to users for protecting access to the group. The table below describes the list of attributes used for identifying a group:
| Property | Description |
|---|---|
| Group ID | Unique identifier assigned to the Group by Grid Grouper. |
| Display Extension | Display name of the group. |
| System Extension | System name of the group. |
| Display Name | Full display name of the group within the context of the grouper tree hierarchy. |
| System Name | Full System name of the group within the context of the grouper tree hierarchy. |
| Description | Description of the group. |
Groups in Grid Grouper support three types of memberships: (1) Directly adding a member, (2) Adding a subgroup to a group, (3) Making a group a composite of other groups. Directly adding a user as a member to a group is straightforward; these members are referred to as Immediate Members. Adding a subgroup to a group makes all the members of the subgroup members of the group to which the subgroup was added. Members in a group whose membership is granted by membership in a subgroup are referred to as Effective Members. A group can also be set as a Composite group. A composite group consists of a set operation (Union, Intersection, Complement) on two other groups. For example, a composite group consisting of the Intersection of Group X and Group Y would contain all the members that are members of both Group X and Group Y. Members whose membership is granted through a composite group are referred to as Composite Members.
To protect access to groups, Grid Grouper provides a set of privileges on each group, which can be assigned to individual parties. The privileges dictate how a party may interact with a group. The table below provides the complete list of group privileges provided by Grid Grouper:
| Attribute | Description |
|---|---|
| View | Parties with this privilege may see that the group exists. |
| Read | Parties with this privilege may see the members of the group and basic information identifying the group. |
| Update | Parties with this privilege may manage the membership of this group as well as grant View, Read, and Update privileges. |
| Admin | Parties with this privilege may administer all aspects of the group. |
| Optin | Parties with this privilege may add themselves to the group. |
| Optout | Parties with this privilege may remove themselves from the group. |
Privileges are specified using a party's grid identity. Thus Grid Grouper requires users to authenticate using their PKI credential in order to employ the privileges they were granted. Parties that authenticate with Grid Grouper but don't have any privileges, and parties that connect to Grid Grouper anonymously, inherit the privileges assigned to the GrouperAll user. By default, the GrouperAll user is granted Read and View privileges on each group.
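The privilege rules above, modelled as an added example (this is not Grid Grouper's code or API): it resolves the privileges a party holds on a group, applies the limit on what an Update holder may grant, and lists the groups whose member list any caller can read through GrouperAll. The group names, identities and function names are constructed, and resolving a listed party from its own row only is an assumption.

```python
# Model of the group privilege rules described above (added example; not Grid Grouper code).
GROUPER_ALL = "GrouperAll"
DEFAULT_GRANTS = {"View", "Read"}               # GrouperAll defaults on a new group
UPDATE_MAY_GRANT = {"View", "Read", "Update"}   # what an Update holder may grant


def privileges_for(acl, identity=None):
    """Privileges a party holds on one group.

    acl maps grid identity -> set of privilege names. Anonymous callers
    (identity None) and identities with no grants fall back to GrouperAll.
    Assumption: a listed identity is resolved from its own row only.
    """
    if identity is not None and acl.get(identity):
        return set(acl[identity])
    return set(acl.get(GROUPER_ALL, set()))


def may_grant(acl, grantor, privilege):
    """True if grantor may grant `privilege` on the group."""
    held = privileges_for(acl, grantor)
    if "Admin" in held:                         # Admin administers all aspects
        return True
    return "Update" in held and privilege in UPDATE_MAY_GRANT


def openly_readable(groups):
    """Names of groups whose member list is visible to any party via GrouperAll."""
    return sorted(name for name, acl in groups.items()
                  if "Read" in acl.get(GROUPER_ALL, set()))


# Constructed sample data: group names and identities are made up.
ALICE = "/O=Example/OU=Dorian/CN=alice"
BOB = "/O=Example/OU=Dorian/CN=bob"
GROUPS = {
    "example:projects:trial-staff": {GROUPER_ALL: set(DEFAULT_GRANTS),
                                     ALICE: {"Update"}},
    "example:projects:auditors": {GROUPER_ALL: {"View"},
                                  BOB: {"Admin"}},
}

if __name__ == "__main__":
    for name in openly_readable(GROUPS):
        print("member list readable by anonymous callers:", name)
```

Running the review over every group after creation shows which ones still carry the default Read grant for GrouperAll.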
Viewing Groups
The GAARDS UI provides a mechanism for administering groups. To view a group with the GAARDS UI, complete the following steps:
On the right of the screen, a tab will open entitled with the group's name. This tab contains three sub tabs: (1) Details, (2) Privileges, and (3) Members. The Details tab contains information that identifies the group. The Privileges tab allows users with Update or Admin privileges to manage the privileges for the group. The Members tab allows users with Update or Admin privileges to manage the members of the group. The remainder of this section discusses the Details tab; the Privileges and Members tabs will be discussed later in this guide.
The Details tab contains attributes that identify the group. The table below lists and describes each of these attributes:
| Attribute | Description |
|---|---|
| Grid Grouper | The URL of the Grid Grouper in which the group is contained. |
| Group ID | Unique identifier assigned to the group by Grid Grouper. |
| Display Name | Full display name of the group within the context of the grouper tree hierarchy. |
| System Name | Full System name of the group within the context of the grouper tree hierarchy. |
| Display Extension | Display name of the group. |
| System Extension | System name of the group. |
| Created | The date and time the group was created. |
| Created By | The identity of the user that created the group. |
| Last Modified | The date and time the group was last modified. |
| Last Modified By | The identity of the user that last modified the group. |
| Description | A description of the group. |
Of the attributes listed in the table, only the display extension and description may be updated. To update one of these attributes, make the desired modifications and click the Update button.
Managing Privileges
To protect access to groups, Grid Grouper provides a set of privileges on each group, which can be assigned to individual parties. These privileges dictate how a party may interact with a group. The table below provides the complete list of group privileges provided by Grid Grouper:
| Attribute | Description |
|---|---|
| View | Parties with this privilege may see that the group exists. |
| Read | Parties with this privilege may see the members of the group and basic information identifying the group. |
| Update | Parties with this privilege may manage the membership of this group as well as grant View, Read, and Update privileges. |
| Admin | Parties with this privilege may administer all aspects of the group. |
| Optin | Parties with this privilege may add themselves to the group. |
| Optout | Parties with this privilege may remove themselves from the group. |
The GAARDS UI provides a mechanism for granting and revoking the privileges on groups. To view all of the existing privileges of a group, complete the following steps:
This will list all the privileges granted on the group in the table below the Search button. Privileges are organized in the table by user. Users not listed in the table inherit the privileges assigned to the GrouperAll user. The GrouperAll user represents the default privileges of the group. When a group is created, the GrouperAll user has the View and Read privileges.
To grant or revoke privileges to a user with existing privileges, select the listing for that user in the table and click the View button. If you wish to grant privileges to a user that has not been granted privileges (not listed in the table), click the Add button. In either case the Group Privilege window will launch.
If you are granting privileges to users without any existing privileges (clicked the Add button), you will need to specify the user's grid identity in the Identity text box. Under the Identity text box are the privileges that can be granted or revoked on the group. To grant a privilege, select the check box for that privilege. To revoke a privilege, deselect the check box for that privilege. Once you have made the changes you desire, click the Update Privilege(s) or the Add Privilege(s) button. The privileges you granted or revoked will immediately take effect.
Managing Members
Grid Grouper supports three types of group membership:
- Immediate Membership - Directly adding a member to a group.
- Effective Membership - Adding an existing group to a group as a subgroup. Adding a subgroup to a group makes all the members of the subgroup members of the group to which the subgroup was added. Members in a group whose membership is granted by membership in a subgroup are referred to as Effective Members.
- Composite Membership - Membership is based on a set operation (Union, Intersection, or Complement) on two other groups. For example a composite group consisting of the Intersection of Group X and Group Y would contain all the members that are members of both Group X and Group Y. Members whose membership is granted through a composite group are referred to as Composite Members.
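The three membership types listed above (and in the Overview), resolved over a small group tree as an added example; this is a model, not Grid Grouper's code or API. The group names and identities are constructed, Complement is assumed to mean "in the first group but not in the second", and a member who is both directly added and inherited is reported once as Immediate.

```python
# Model of the three membership types (added example; not Grid Grouper code).
OPS = {
    "Union": lambda x, y: x | y,
    "Intersection": lambda x, y: x & y,
    # Assumption: Complement means "in the first group but not the second".
    "Complement": lambda x, y: x - y,
}


def resolve(groups, name, _seen=frozenset()):
    """Return {identity: membership type} for group `name`.

    groups maps a group name to a dict holding either
      {"users": [...], "subgroups": [...]}  or  {"composite": (op, left, right)}.
    """
    if name in _seen:                        # subgroup cycle: stop descending
        return {}
    seen = _seen | {name}
    group = groups[name]
    if "composite" in group:
        op, left, right = group["composite"]
        members = OPS[op](set(resolve(groups, left, seen)),
                          set(resolve(groups, right, seen)))
        return {m: "Composite" for m in members}
    result = {}
    for sub in group.get("subgroups", []):   # members inherited from subgroups
        for member in resolve(groups, sub, seen):
            result[member] = "Effective"
    for user in group.get("users", []):      # a direct add is reported as Immediate
        result[user] = "Immediate"
    return result


# Constructed sample tree: group names and identities are made up.
TREE = {
    "lab:staff": {"users": ["alice", "bob"], "subgroups": ["lab:students"]},
    "lab:students": {"users": ["carol"], "subgroups": ["lab:staff"]},  # cycle
    "lab:trained": {"users": ["bob", "carol", "dave"]},
    "lab:access": {"composite": ("Intersection", "lab:staff", "lab:trained")},
    "lab:untrained": {"composite": ("Complement", "lab:staff", "lab:trained")},
}

if __name__ == "__main__":
    for group in ("lab:staff", "lab:access", "lab:untrained"):
        print(group, sorted(resolve(TREE, group).items()))
```

Resolving a group this way before granting access on it shows who gains membership indirectly, which the list of immediate members alone does not reveal.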
The GAARDS UI provides a means of listing, adding, and removing members from groups. To view the members of a given group, complete the following steps:
After the search has completed, all the members of the group will be listed in the table below the search button.
You can search by type of membership by selecting a type of membership from the drop-down menu next to the search button.
Adding Members
Before adding members to a group, you must first complete the following steps to navigate to the group:
To add a member to the group, click the Add button. This launches the Add Member dialogue.
The next step involves choosing one of three ways to add members to a group:
- Add an individual member.
- Add the members of another group.
- Add a composite of two groups (their union, intersection or complement).
Which of these three methods to use is determined by the value selected in the Member Type field. Each of these methods is described under the following headings.
Add an Individual Immediate Member to a Group
To add an individual identity to a group, in the Member Type field select the value "User". If you know the grid identity that you want to add to the group, you can just type it into the Member Identity field. If you don't know the grid identity or would prefer to find and copy the identity from Dorian's database, you can click on the Find button. This initiates a dialog to perform a user search. After you have finished using the user search dialog to select a user, the Member Identity field is filled in automatically. Click the Add button. The specified user is added to the group and the Add Member Dialog disappears.
Add Members of a Group to a Group
Add a Composite of Two Groups to a Group
If you want to add the union, intersection or complement of two other groups to a new group, select the value Composite in the Member Type field. Select the two groups upon which the composite should be based. Also, select the set operation to be performed on the two other groups to compute the composite. Click on the Add button. The Add Member Dialog disappears and the members of the composite group are added to the group.
Removing Members
To remove a member from a group, select the member from the members table and click the Remove button.
Membership Requests
In previous versions of Grid Grouper, if a user wanted to join a group the user would either contact the administrator to be manually added or the administrator would have to enable the opt-in privilege on the group. There was no way with GAARDS or Grid Grouper for the user to request access to a group. The ability for a user to request to join a group has been added to Grid Grouper 1.4.
Enabling Membership Requests
Since membership requests are a new feature, the ability for a user to request to join a group must be enabled by the group's administrator.
- Browse to the group.
- Open the Group in the Group Browser.
- Select the Membership Requests tab.
- Click "Enable Membership Requests".

If an administrator wants to disable membership requests, click "Disable Membership Requests". When membership requests are disabled, all pending requests are rejected.
Processing Membership Requests
- Browse to the group.
- Open the Group in the Group Browser.
- Select the Membership Requests tab.
- Select the type of search you want from the drop-down and click "Search".
Handling Pending Membership Requests
- Select the membership request you want to review.
- Click the "Review Request" button.
- Provide any general or administrative notes in the appropriate field.
- Click "Approve" or "Reject" to update the status of the user.
Rejected Membership Requests
- Select the membership request you want to review.
- Click the "Review Request" button.
- Provide any general or administrative notes in the appropriate field.
Removed Memberships
If a user joined a group via the membership requests feature and is later removed from the group, the membership request is changed from approved to removed.





