Directory Services: Application Access Model

Intro

Any application can make anonymous binds to the Directory; access would be the same as any other anonymous access as defined here.

Applications wishing greater access must request credentials (authDNs), approved by the unit head and the campus data stewards, that grant access to specific user populations and attributes. By default an application can retrieve 1000 entries per search; that limit can be raised on a per-authDN basis.

Access for authDNs is specified by membership in groups, which are defined along two orthogonal axes:

  • groups that define which people one has access to
  • groups that define which attributes one has access to
The base level of access (membership in no groups) is the same as for an authenticated non-UMCP person.

People Groups

Group Name       Directory Rule                                              Description
all-people       objectClass=umPerson                                        any person included in the PHR employee, PHR affiliate, or SIS feeds
active-people    umInstitutionActive=*                                       all people with non-terminated appointments (any institution), students, affiliates
UMCP-all         umInstitutionActive=UMCP                                    all people with non-terminated appointments at UMCP, students, affiliates
UMCP-employee    umInstitutionActive=UMCP and umEmployee=TRUE                all people with active UMCP appointments
UMCP-faculty     umInstitutionActive=UMCP and umFaculty=TRUE                 all people with active UMCP appointments where FAC_STAFF_CD=F
UMCP-emeritus    umInstitutionActive=UMCP and umEmeritus=TRUE                all people with active UMCP appointments where FAC_STAFF_CD=E,I
UMCP-staff       umInstitutionActive=UMCP and umStaff=TRUE                   all people with active UMCP appointments where FAC_STAFF_CD=S
UMCP-ga          umInstitutionActive=UMCP and umGraduateAssistant=TRUE       all people with active UMCP appointments where CAT_STAT_CD=4,5
UMCP-hse         umInstitutionActive=UMCP and umHourlyStudentEmployee=TRUE   all people with active UMCP appointments where FAC_STAFF_CD=X
UMCP-affiliate   umAffiliate=TRUE                                            presence in the PHR affiliate feed
UMCP-student     umStudent=TRUE and umBuckleyFlag=FALSE                      presence in the SIS feed and the SIS Privacy_Code<2
UMCP-buckley     umStudent=TRUE                                              presence in the SIS feed
UMBI-all         umInstitutionActive=UMBI                                    all people with non-terminated appointments at UMBI
UMCES-all        umInstitutionActive=UMCES                                   all people with non-terminated appointments at UMCES
UMES-all         umInstitutionActive=UMES                                    all people with non-terminated appointments at UMES
USMO-all         umInstitutionActive=USMO                                    all people with non-terminated appointments at USMO

Attribute Groups

For all of the following attribute groups, the authDN must first have access to the user's Directory object through one of the people groups listed above; an attribute grant by itself gives no access to an object outside the authDN's people scope.

"normal" attributes

These attributes are already defined as public access so every authDN automatically has access to them.

cn
departmentNumber
eduPersonAffiliation
eduPersonNickname
eduPersonOrgDN
eduPersonOrgUnitDN
eduPersonPrimaryAffiliation
eduPersonPrincipalName
eduPersonEntitlement
eduPersonPrimaryOrgUnitDN
eduPersonScopedAffiliation
givenName
initials
labeledURI
middleName
o
ou
sn
title
uid
umAffiliate
umAlumni
umAlternateMail
umCampusBuilding
umCampusBuildingCode
umCampusRoom
umCampusZipcode
umDepartment
umDisplayName
umDisplayNameLF
umDisplayTitle
umEmeritus
umEmeritusActive
umEmeritusInactive
umEmployee
umEmployeeCollegeCode
umEmployeeDivisionCode
umEmployeeTitleCode
umFaculty
umGraduateAssistant
umGenericUid
umHourlyStudentEmployee
umInitials
umInstitution
umInstitutionActive
umInstitutionCode
umMailAlias
umMiddleInitial
umNameComponent
umNamePrefix
umNameSuffix
umNickName
umNoPublishAddress
umNoPublishCell
umNoPublishFax
umNoPublishPager
umNoPublishPhone
umNoPublishUser
umOfficialTitle
umOptionalTitle
umPrimaryCampusBuilding
umPrimaryCampusBuildingCode
umPrimaryCampusRoom
umPrimaryCampusZipcode
umPrimaryDeptCode
umPrimaryDeptName
umPrimaryInstitution
umPrimaryInstitutionCode
umPrimaryTitle
umPrimaryUnitCode
umStaff
umStudent
umTermDate
umTermDateAffiliate
umTermDateEmployee
umTrainee
umTTYtelephoneNumber
umUnitCode
userCertificate

 

"critical" attributes

All attributes not listed above are considered critical, and applications must be granted access to them explicitly. Most of these attributes have been collected into sub-groups of related attributes for purposes of managing access. A few attributes are not part of any group because:

  1. they are application specific (umBSOSLabBalance, umLibraryBarCode)
  2. they are especially sensitive with respect to identity theft (umId, umGender, umDateOfBirth)
These are handled as one-offs.

Note that for the attributes in the address, phone, and email groups, access may already be granted via the default rules for authenticated access (e.g. telephoneNumber is treated as a public attribute for employees).

Group Name        Attributes
U_ID              employeeNumber
password          userPassword
campus-contact    postalAddress, telephoneNumber, fax, mobile, pager
personal-contact  homePostalAddress, umLocalAddress, umPermanentAddress, umPermanentCountry, homePhone, umLocalPhone, umPermanentPhone
email             mail, umMailFwd, umMailAlias
employment        umAppointment, umCatStatus, umCatStatusCode, umDistrList, umEEO, umEEOCode, umRegInstructorOf
affiliate         umAffiliateType, umAffiliateTypeCode
student           umBuckleyFlag, umClassStanding, umCollege, umCollegeCode, umMajor, umMajorCode, umMinor, umMinorCode, umPrimaryCollege, umPrimaryCollegeCode, umPrimaryMajor, umPrimaryMajorCode, umRegStatus, umStudentStatus
courses           umRegCourse, umRegCourseCur, umRegCourseList, umRegCourseCredits, umRegCourseGradeOpt
services          umGroup, umServices, umServiceStatus
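The two-axis model above (people groups scope which objects an authDN can see, attribute groups scope which attributes of those objects it can read, and the attribute axis only applies once the people axis has matched) can be made concrete. The following is an added example, not the Directory's own software or configuration: it writes the People Groups "Directory Rule" column as RFC 4515 filters, evaluates them with a small filter parser, and applies a subset of the attribute groups on top. The entries are constructed, the attribute-group tables are abbreviated, and values are compared case-insensitively, which is an assumption that simplifies the real LDAP matching rules (caseIgnoreMatch, booleanMatch).

```python
# Added example (not the directory's own software): a model of the two-axis access check.
# People-group filters are the "Directory Rule" column written as RFC 4515; attribute groups are a
# subset of the page's tables; entries are constructed. Assumption: case-insensitive value matching.

Entry = dict[str, list[str]]

PEOPLE_GROUPS: dict[str, str] = {
    "all-people":    "(objectClass=umPerson)",
    "active-people": "(umInstitutionActive=*)",
    "UMCP-all":      "(umInstitutionActive=UMCP)",
    "UMCP-employee": "(&(umInstitutionActive=UMCP)(umEmployee=TRUE))",
    "UMCP-student":  "(&(umStudent=TRUE)(umBuckleyFlag=FALSE))",
    "UMCP-buckley":  "(umStudent=TRUE)",
}

# "normal" attributes (subset): readable by every authDN once the object is in scope.
NORMAL_ATTRS: set[str] = {"cn", "uid", "sn", "givenName", "umStudent", "umEmployee",
                          "umInstitutionActive", "umAffiliate"}

# "critical" attribute groups (subset): each must be granted to the authDN explicitly.
ATTRIBUTE_GROUPS: dict[str, set[str]] = {
    "U_ID":           {"employeeNumber"},
    "campus-contact": {"postalAddress", "telephoneNumber", "fax", "mobile", "pager"},
    "email":          {"mail", "umMailFwd"},
    "student":        {"umBuckleyFlag", "umClassStanding", "umMajor", "umMajorCode"},
}


def _parse(f: str, i: int) -> tuple[tuple, int]:
    """Recursive-descent parser for the filter subset used here: &, |, !, equality, presence (attr=*)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at {i} in {f!r}")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed {op!r} filter in {f!r}")
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, sep, value = f[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item {f[i:j]!r}")
    return ("=", attr.lower(), value.lower()), j + 1


def _eval(node: tuple, entry: Entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_eval(k, entry) for k in node[1])
    if kind == "|":
        return any(_eval(k, entry) for k in node[1])
    if kind == "!":
        return not _eval(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value in values


def match_filter(filter_str: str, entry: Entry) -> bool:
    """True if `entry` satisfies `filter_str`. Evaluated over the whole entry, as the server does:
    a people-group rule may test an attribute (umBuckleyFlag) the caller is not allowed to read."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError(f"trailing data in {filter_str!r}")
    return _eval(node, entry)


def visible_attributes(entry: Entry, people: list[str], attr_groups: list[str]) -> set[str]:
    """Attributes an authDN holding `people` and `attr_groups` may read from `entry`.
    An empty set means the object itself is out of scope: attribute grants alone give nothing."""
    if not any(match_filter(PEOPLE_GROUPS[g], entry) for g in people):
        return set()
    allowed = {a.lower() for a in NORMAL_ATTRS.union(*(ATTRIBUTE_GROUPS[g] for g in attr_groups))}
    return {a for a in entry if a.lower() in allowed}


def search(directory: list[Entry], filter_str: str, people: list[str], attr_groups: list[str],
           size_limit: int = 1000) -> dict[str, set[str]]:
    """Model a search by an authDN: the caller's filter is ANDed with the authDN's people scope,
    each hit is trimmed to readable attributes, and the result is capped at the per-authDN size limit."""
    hits = {}
    for e in directory:
        if match_filter(filter_str, e):
            vis = visible_attributes(e, people, attr_groups)
            if vis:
                hits[e["uid"][0]] = vis
        if len(hits) >= size_limit:
            break
    return hits


# Constructed sample entries (not real people or real data).
DIRECTORY: list[Entry] = [
    {"objectClass": ["umPerson"], "uid": ["jdoe"], "cn": ["Jane Doe"], "umInstitutionActive": ["UMCP"],
     "umEmployee": ["TRUE"], "telephoneNumber": ["301-555-0100"], "employeeNumber": ["100200300"]},
    {"objectClass": ["umPerson"], "uid": ["astudent"], "cn": ["Ann Student"], "umInstitutionActive": ["UMCP"],
     "umStudent": ["TRUE"], "umBuckleyFlag": ["FALSE"], "umMajor": ["CMSC"], "telephoneNumber": ["301-555-0101"]},
    {"objectClass": ["umPerson"], "uid": ["bstudent"], "cn": ["Bo Student"], "umInstitutionActive": ["UMCP"],
     "umStudent": ["TRUE"], "umBuckleyFlag": ["TRUE"], "umMajor": ["HIST"], "telephoneNumber": ["301-555-0102"]},
    {"objectClass": ["umPerson"], "uid": ["rshore"], "cn": ["Rae Shore"], "umInstitutionActive": ["UMES"],
     "umEmployee": ["TRUE"], "telephoneNumber": ["410-555-0103"], "employeeNumber": ["400500600"]},
]
```

Running `search(DIRECTORY, "(umStudent=TRUE)", ["UMCP-student"], ["campus-contact"])` returns only Ann with her phone number: Bo never appears, because the UMCP-student rule requires umBuckleyFlag=FALSE and the people-group filter is evaluated server-side over the whole entry, so an authDN can be kept away from Buckley-flagged students without ever being able to read the flag itself. The same authDN with a U_ID grant but no UMCP-employee membership still cannot see jdoe's employeeNumber, which is the point of the sentence above about needing object access first.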

This page is maintained by the Office of Information Technology
Last modified: Wednesday, March 16, 2011
© 2008 University of Maryland