Service Definition

Service Description

The group management service allows application developers and non-technical administrators to create and manage institutional and personal groups to be used for access control to University applications and resources.

The service is positioned to help complement the current access groups stored within the University’s Active Directory by making it possible to delegate access to resources based on institutional data. These groups can help reduce day to day administration of access control; for example, when a member of staff joins or leaves a department their access rights will be updated automatically.

It also reduces the need for numerous access lists for different resources and systems; one group can be set up and membership of that single group can control access to multiple resources.

The service also enables the provision of a more personalised service to users of systems. It can be used to control what users see so, for example, in an online timetable a student will only be shown information about modules that they are enrolled on.

Features

  • Corporate data groups which are based upon student and HR data are created and updated on a nightly basis. Some examples of which are:
    • Newcastle University organisational hierarchy
    • Student to module enrolments
    • Student to schools

These groups can be used to delegate access to resources, as they are automatically created/updated, it can help to reduce the administration involved in delegating access control. For example, as staff members leave/join a department this would automatically be reflected in group memberships.

  • Creation of user groups to represent groups of people which are not represented in Institutional data sources, eg research groups.
  • Provides a central location to create, manage and integrate groups with applications.
  • Integrated with the login gateway service to control access to web resources.
  • Groups are provisioned into the Active Directory to enable access to be restricted on corporate data. For example, access to the IT Service file store is determined based upon the IT Service organisational structure.
  • A simple user interface is available so that non-technical users are able to simply manage access groups.

Users

University members of staff who are systems administrators or application developers for official University systems can use this service.

External developers are able to make use of the service in the development of official University systems; a Newcastle University member of staff must be the main contact for any request.

Service Hours

Consultation, advice and guidance: 09:00-17:00, Monday to Friday, excluding University closure periods.

The interface and use of the groups is available 24 hours a day, 7 days a week.

The “at risk” period is 07:00-09:00 every Tuesday. Further planned maintenance times will be publicised in advance if there will be a disruption to the service.

Level of Service

Access to the interface is restricted to University members via the login gateway.

Where integration of group data is not available through the login gateway or the Active Directory, alternative methods are available the Institutional Data Feed Service.

The database containing group information is backed up on a nightly basis; in the scenario of a database outage it will take up to a day to restore the database.

If the database is unavailable, access to resources which use a combination of the group service and the login gateway would be temporarily unavailable. In this scenario the login gateway will be configured to query a backup of group memberships which will be hosted on another database server. This would allow for access to be restored within an hour.

During any database outage no updates can be made to the group memberships.

Support and Documentation

Group management tips, adivce use cases and information can be found on the Integration Services team blog: https://blogs.ncl.ac.uk/integration/category/group-management/

Principles, tips and good practice for Grouper administrators at Newcastle University: https://blogs.ncl.ac.uk/integration/2016/02/19/principles-tips-and-good-practice-for-grouper-administrators-at-newcastle-university/

Additional support is available via the IT Service Desk on 0191 208 5999 or it.servicedesk@ncl.ac.uk.

All incidents relating to this service will be handled according to the Incident Management and Major Incident Management processes.

Request Process

To start using the groups service:

  1. Email it.servicedesk@ncl.ac.uk declaring an interest in making use of the service.
  2. In the large majority of occasions, an initial meeting will be setup to provide a demonstration of the group service interface and to discuss possible use cases.
  3. If applicable, the appropriate areas and levels of access will be setup to allow the user to create and manage groups.

Requests for any other aspect of the service should be made via the IT Service Desk on 0191 208 5999 or it.servicedesk@ncl.ac.uk.

All requests relating to this service will be handled according to the IT Request Fulfilment process.

User Responsibility

Application developers/systems administrators are responsible for

  • The delegation of privileges to manage groups. They should ensure that only the appropriate users are able to administer group memberships.
  • The privileges on who can view/read/update/admin groups that they create.

Application developers/systems administrators are required to adhere to the group naming convention.

Costs

N/A