A group in the directory is just a list of CRSids identifying people who have some particular authorisation, rights or membership. In principle it is of very broad application, but it is not directly connected with other groups in the University such as research groups.
The basic groups associated with an institution, and created when the institution first appears in Lookup, are the membership list and the editing group. Members of the editing group have control over the institutional data that appears in the directory; for example contact data for, and membership of, the institution. All other groups are set up in the first place by institutions (that is, by the editing group for the institution). Groups may subsequently be adopted or disowned by institutions, so that a group can belong to any number of institutions from zero upwards.
Every group, of whatever kind, has one or more "management groups" which control membership of the group and other details such as the group's title. Many groups manage themselves, but it is also often appropriate, especially for large groups such as the entire membership of an institution, to restrict the power to add and remove members of a group to a smaller set of individuals. Managers need not themselves be members of the group they manage. Membership is controlled solely by the group managers; you cannot add yourself or remove yourself from a group.
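Because a management group is itself a group with its own managers, control over a group's membership is transitive. The following added example (not part of Lookup or its documentation) walks that chain to list everyone who can reach control of a group and in how many steps; the group numbers, CRSids and the dictionary layout are constructed for illustration.

```python
from collections import deque

# Constructed sample data: group id -> direct members (CRSids) and managing group ids.
GROUPS = {
    100: {"members": {"ab123", "cd456", "ef789"}, "managers": [101]},  # institution members
    101: {"members": {"cd456"}, "managers": [102]},                    # editing group
    102: {"members": {"gh012"}, "managers": [102]},                    # manages itself
    103: {"members": {"ab123"}, "managers": [103]},                    # self-managing group
}


def direct_managers(groups, gid):
    """CRSids who can change the membership of group `gid` right now."""
    people = set()
    for mgr in groups[gid]["managers"]:
        people |= groups[mgr]["members"]
    return people


def effective_controllers(groups, gid):
    """Map CRSid -> fewest management steps needed to control `gid`.

    Step 1 is a direct manager. Step 2 is someone who manages a managing
    group and could therefore change who the direct managers are, and so on.
    Breadth-first search with a `seen` set copes with self-managing groups
    and longer management cycles.
    """
    steps = {}
    seen = set()
    queue = deque((mgr, 1) for mgr in groups[gid]["managers"])
    while queue:
        mgr, depth = queue.popleft()
        if mgr in seen:
            continue
        seen.add(mgr)
        for person in groups[mgr]["members"]:
            steps.setdefault(person, depth)  # BFS order keeps the minimum
        for parent in groups[mgr]["managers"]:
            queue.append((parent, depth + 1))
    return steps


if __name__ == "__main__":
    for gid in sorted(GROUPS):
        print(gid, sorted(effective_controllers(GROUPS, gid).items()))
```

Anyone listed at step 2 or beyond never appears as a manager on the group's own page, which is why an access review should follow the chain rather than stop at the first management group.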
The web interface to the directory allows institutional editors to create groups, and individuals to see their own group membership (and to control the visibility of information about that membership, if they wish). It is also possible to search for groups and to see basic information about any group. It is expected that most of the use of groups to control privileges will be managed through LDAP queries.
Contacting a group
To make contact with a group, use the email address shown on the main group page. All editors' groups (and ideally most others) should provide an email address; if there is no email address you will need to contact firstname.lastname@example.org to find out how to contact someone in the group.
Any group in the directory has a set of directory pages of its own, of which the main page shows the following:
- The unique numeric identifier for the group
- A group title
- A description
- Membership visibility, which may be "within the University", "group members and managers", or "managers only"
- An email address (optional but strongly recommended)
- A last updated date
- The title(s) of the management group(s) for this group
- A list of institutions for which this group manages the institutional data (i.e. for which this group is the editors' group)
- A list of groups managed by this group
- A list of institutions to which the group belongs
- If relevant, a list of groups having "privileged access" to this group; this allows certain people to be able to see the membership of a group but not to change it.
In addition, there is a members' page for each group, visible by default only to members of the group and its managing group(s).
The managers of a group may choose whether its membership is visible to all users of Lookup, to members of the group and its managers only, or to managers only. In the last two cases, it is also possible for certain people (in so-called "privileged access" groups) to be able to see the membership of a group without being members or having editing privileges; this may be needed where an automated system is used to interrogate the LDAP directory. The visibility may also be set to World, though the Lookup interface does not release such data beyond the University.
If the membership of a group is visible beyond the managers and those with privileged access, then an individual user may choose to hide their membership from the wider audience. This overrides the choice made by the group's managers, who are not permitted to reverse the user's choice.
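The visibility rules above can be read as a single decision procedure. This added example (not Lookup's own code) models it for an authenticated University viewer; the class, field names and sample identifiers are hypothetical, and it assumes that a member who hides their membership is hidden from fellow members as well as from the rest of the University, while always remaining able to see their own membership.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    members: set                                  # CRSids in the group
    managers: set                                 # CRSids in the managing group(s)
    privileged: set = field(default_factory=set)  # "privileged access" viewers
    visibility: str = "managers"                  # "university" | "members" | "managers"
    hidden: set = field(default_factory=set)      # members who hid their own membership


def visible_members(group, viewer):
    """Return the CRSids whose membership `viewer` is allowed to see."""
    # Managers and privileged-access viewers see the full list; a member's
    # choice to hide applies only to the wider audience.
    if viewer in group.managers or viewer in group.privileged:
        return set(group.members)

    if group.visibility == "university":
        in_audience = True
    elif group.visibility == "members":
        in_audience = viewer in group.members
    else:  # "managers": no wider audience at all
        in_audience = False

    shown = group.members - group.hidden if in_audience else set()
    if viewer in group.members:
        shown.add(viewer)  # individuals can always see their own membership
    return shown


# Constructed sample: cd456 has hidden their membership; svc01 stands for an
# automated system placed in a privileged access group.
SAMPLE = Group(
    members={"ab123", "cd456", "ef789"},
    managers={"gh012"},
    privileged={"svc01"},
    visibility="university",
    hidden={"cd456"},
)

if __name__ == "__main__":
    for who in ("zz999", "gh012", "svc01", "cd456"):
        print(who, sorted(visible_members(SAMPLE, who)))
```

The sample shows why an automated system that needs the complete list must be granted privileged access: a query made as an ordinary user silently omits anyone who has hidden their membership.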
Setting up and managing groups
Initial editing and membership groups for institutions (and management groups for the editors, with initially identical membership) are set up by the Computing Service, in consultation with the institution. Apart from this, every group is created in the first place by an institution (that is, by the editing group for the institution), and belongs in the first place to that institution.
To create a group, go to the Groups tab on the institutional page, and select "Create new group". You will need to provide
- A title
- A description
- The visibility level (see above; default is managers and privileged access only)
- The numeric identifier of the managing group(s) (default is the editing group of the creating institution)
- The numeric identifiers of any privileged access groups
- An email address (optional but recommended)
You can also ask the system to generate a password for the group (this is used only for LDAP access to the membership list by automated systems, where some form of authentication other than Raven is necessary).
Once you have clicked OK on the group creation page, the group will have its own numeric identifier and its own page in the directory. Members can now be added to the directory by going to the Members tab on the group's directory page. If you wish the group to be self-managing, you need to locate the numeric identifier (on the Details tab), and then edit the group to replace its managing group. You can only do this if you have previously made yourself a member of the group.
To change properties of a group other than its numeric identifier (which cannot be changed) and its membership, use the edit button on the group's main directory page.
You can change the management group of a group you manage, but only to another group of which you are yourself a member. If you delete yourself from a managing group that manages itself, you will be unable to put yourself back.