UCLA's Grouper group management service provides enterprise-level (and domain-specific) group definition and management. A key design component is a naming plan for groups that supports the campus-wide scope of the service. Such plan enables an organized service growth and promotes effective reuse of common groups. This document specifies a group naming plan for the IAMUCLA Grouper Service, including syntax and top-level name components.
Concepts and Terminology
IAMUCLA Group IDs
This guide specifies group names, called IAMUCLA Group IDs, that are in the style of commonly used internet identifiers such as email addresses, and web URLs. That is, they are: relatively short; typically meaningful to humans but not full English words; and normally writable as ASCII strings without white space. Such identifiers are intended to fit in easily where these other identifiers typically are found. Note, however, that the names in this plan are not themselves email addresses, or URLs/URIs; there are mappings to/from those forms in some cases.
This naming guide does not preclude the implementation of additional naming plans, for example a plan with longer names with a larger character set.
Namespaces, Folder (Stem), and Naming Authorities
IAMUCLA operates the IAMUCLA Grouper Services using a delegated administration model. A potentially large number of authorized parties may create, hence name, groups. To avoid conflicts, and to avoid the need for an approval process for each proposed group name, a hierarchical naming scheme is used. This is similar to other environments where large-scale distributed naming is needed (e.g. DNS, file systems).
Using the terminology promoted in the Internet2 Grouper project, specific group namespaces are referred to as "folders", also known as stems in older releases of Grouper. A folder is created for the purpose of creating and managing groups (and other stems) based on it, and to control access to these operations. In newer versions of Grouper, a stem is also called folder. The entity (or entities) responsible for managing a stem is a "naming authority" for that stem. A naming authority may delegate control of namespaces based on its stem to other naming authorities.
A subject, in this guide, specifically refers to a unique entry identified in UCLA's Enterprise Directory. For the most part, this should be a person. (Although that is likely changing in 2014).
ID Path Syntax
A Grouper ID Path is the fully qualified unique identifier of a group or folder in Grouper. It is a sequence of name components, by convention written left-to-right from highest-level to lowest-level naming authority. Name components are written separated by a delimiter character.
Character set: Name components are limited to lowercase letters (a-z), digits (0-9), dash ("-"), and period (".") characters.
Delimiter: The delimiter between components is colon (":").
Note that a particular name may be used both as the name of a group and as a folder on which other group names are based. For example, the name
might both be used as a group (i.e., have a member list and be used in group expression contexts) and as a folder for more group names, for example:
ucla:partners:foo (foo is a group in the partners folder, which is in the ucla folder)
ucla:partners:bar (bar is a group in the partners folder, which is in the ucla folder)
IAMUCLA (acting as institutional group naming authority) manages the top-level folder namespace. Top-level folder can be created as needed, based on discussion with stakeholders and establishment of clear definition and requirements. Like any folder, a top-level stem must have a well-defined naming authority to manage it.
Syntax of names under each stem can be further constrained.
Grouper Control Folder
A top-level folder:
is established to name groups used by Grouper's internal processes to manage access and configuration. the etc folder and its sub folders and groups are exclusively managed by the IAMUCLA team. It's management authority cannot be delegated.
UCLA Affiliation/Organization Folder
Because UCLA provides business transaction and technology support for other UC campuses, we may create top level folders to manage groups for other campuses and affiliate organizations. A top-level folder:
is created to hold all UCLA folder and groups. The IAMUCLA team is the naming authority for the ucla folder. It delegates naming authority of sub folders to recognized and registered UCLA organizations and programs. Where applicable, the delegation is done inline with domain name registration authority delegation, i.e., we delegate a folder named "bruinbill" to the group who own/manage the bruinbill.ucla.edu internet domain name.
Reserved folders - Within the ucla folder, the IAMUCLA team reserves several "enterprise" level sub-folders:
For a complete listing and additional details to all UCLA-registered Grouper folders, see UCLA Grouper Folder Registry [OBSOLETE].
Registering Groups and Stems
The IAMUCLA team administers the process for registering groups and folders under the ucla stem. To register a folder in the UCLA space, please contact Wu, Albert.
Representing Grouper Names as URI's
For use in URI contexts a URI namespace is assigned in UCLA's URN namespace:
A group URI is formed by appending the short-form group name to that namespace. For example, given the short-form group name:
the URI form is:
Note that because the UCLA namespace already coveys this is UCLA, we skip the ucla top-level stem when forming the URN. To name a folder not in the ucla folder, for example,
the URI forms are: