Intro
Any application can make anonymous binds to the Directory; access would be the same as any other anonymous access as defined here.
Applications wishing greater access must request credentials (authDN's), approved by unit head and campus data stewards, granting access to specific user populations and attributes. By default, applications can retrieve 1000 entries per search but that limit can be raised on a per-authDN basis.
Access for authDN's is specified by membership in groups, which are defined along two orthogonal axes:
- groups that define which people one has access to
- groups that define which attributes one has access to
The base level access (membership in no groups) is the same as for an authenticated non-UMCP person:
People Groups
| Group Name | Directory Rule | Description |
| all-people | objectClass=umPerson | any person included in the PHR employee, PHR affiliate, or SIS feeds |
| active-people | umInstitutionActive=* | all people with non-terminated appointments (any institution), students, affiliates |
| UMCP-all | umInstitutionActive=UMCP | all people with non-terminated appointments at UMCP, students, affiliates |
| UMCP-employee | umInstitutionActive=UMCP and umEmployee=TRUE | all people with active UMCP appointments |
| UMCP-faculty | umInstitutionActive=UMCP and umFaculty=TRUE | all people with active UMCP appointments where FAC_STAFF_CD=F |
| UMCP-emeritus | umInstitutionActive=UMCP and umEmeritus=TRUE | all people with active UMCP appointments where FAC_STAFF_CD=E,I |
| UMCP-staff | umInstitutionActive=UMCP and umStaff=TRUE | all people with active UMCP appointments where FAC_STAFF_CD=S |
| UMCP-ga | umInstitutionActive=UMCP and umGraduateAssistant=TRUE | all people with active UMCP appointments where CAT_STAT_CD=4,5 |
| UMCP-hse | umInstitutionActive=UMCP and umHourlyStudentEmployee=TRUE | all people with active UMCP appointments where FAC_STAFF_CD=X |
| UMCP-affiliate | umAffiliate=TRUE | presence in the PHR affiliate feed |
| UMCP-student | umStudent=TRUE and umBuckleyFlag=FALSE | presence in the SIS feed and the SIS Privacy_Code<2 |
| UMCP-buckley | umStudent=TRUE | presence in the SIS feed |
| UMBI-all | umInstitutionActive=UMBI | all people with non-terminated appointments at UMBI |
| UMCES-all | umInstitutionActive=UMCES | all people with non-terminated appointments at UMCES |
| UMES-all | umInstitutionActive=UMES | all people with non-terminated appointments at UMES |
| USMO-all | umInstitutionActive=USMO | all people with non-terminated appointments at USMO |
Attribute Groups
For all of the following attribute groups you must first have access to the user's Directory object
as a result of access to one of the people groups listed above.
"normal" attributes
These attributes are already defined as public access so every authDN automatically has access
to them.
cn
departmentNumber
eduPersonAffiliation
eduPersonNickname
eduPersonOrgDN
eduPersonOrgUnitDN
eduPersonPrimaryAffiliation
eduPersonPrincipalName
eduPersonEntitlement
eduPersonPrimaryOrgUnitDN
eduPersonScopedAffiliation
givenName
initials
labeledURI
middleName
o
ou
sn
title
uid
umAffiliate
umAlumni
umAlternateMail
umCampusBuilding
umCampusBuildingCode
umCampusRoom
umCampusZipcode
umDepartment
umDisplayName
umDisplayNameLF
umDisplayTitle
umEmeritus
umEmeritusActive
umEmeritusInactive
umEmployee
umEmployeeCollegeCode
umEmployeeDivisionCode
umEmployeeTitleCode
umFaculty
umGraduateAssistant
umGenericUid
umHourlyStudentEmployee
umInitials
umInstitution
umInstitutionActive
umInstitutionCode
umMailAlias
umMiddleInitial
umNameComponent
umNamePrefix
umNameSuffix
umNickName
umNoPublishAddress
umNoPublishCell
umNoPublishFax
umNoPublishPager
umNoPublishPhone
umNoPublishUser
umOfficialTitle
umOptionalTitle
umPrimaryCampusBuilding
umPrimaryCampusBuildingCode
umPrimaryCampusRoom
umPrimaryCampusZipcode
umPrimaryDeptCode
umPrimaryDeptName
umPrimaryInstitution
umPrimaryInstitutionCode
umPrimaryTitle
umPrimaryUnitCode
umStaff
umStudent
umTermDate
umTermDateAffiliate
umTermDateEmployee
umTrainee
umTTYtelephoneNumber
umUnitCode
userCertificate
"critical" attributes
All attributes not listed above are considered to be critical and applications must be granted access to them. Most of these attributes have been collected into sub-groups of related attributes for purposes of managing access.
There are a few attributes that are not part of any group because:
- they are application specific (umBSOSLabBalance, umLibraryBarCode)
- they are especially sensitive with respect to identity theft (umId, umGender, umDateOfBirth)
They will be handled as one-offs.
Note that for the attributes in the address, phone, and email groups, access may already be granted via the default rules for authenticated access (e.g. telephoneNumber is treated as a public attribute for employees).
| Group Name | Attributes |
| U_ID | employeeNumber |
| password | userPassword |
| campus-contact | postalAddress telephoneNumber fax mobile pager |
| personal-contact | homePostalAddress umLocalAddress umPermanentAddress umPermanentCountry homePhone umLocalPhone umPermanentPhone |
| email | mail umMailFwd umMailAlias |
| employment | umAppointment umCatStatus umCatStatusCode umDistrList umEEO umEEOCode umRegInstructorOf |
| affiliate | umAffiliateType umAffiliateTypeCode |
| student | umBuckleyFlag umClassStanding umCollege umCollegeCode umMajor umMajorCode umMinor umMinorCode umPrimaryCollege umPrimaryCollegeCode umPrimaryMajor umPrimaryMajorCode umRegStatus umStudentStatus |
| courses | umRegCourse umRegCourseCur umRegCourseList umRegCourseCredits umRegCourseGradeOpt |
| services | umGroup umServices umServiceStatus |
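The two-axis check described on this page, sketched as an added example that is not the Directory's own access-control code: an authDN sees an attribute only if the person falls in one of its people groups and the attribute is either "normal" or in one of its attribute groups. Group rules and attribute names are taken from the tables above; the entry layout, the function names and the sample entries are assumptions, and neither base-level access nor the default rules for authenticated access are modeled.

```python
# Added illustration of the two-axis authDN access model; not the Directory's ACL code.
# Rules and attribute names come from the tables above; everything else is assumed.

# Subset of the people groups: every (attribute, value) pair must match; "*" = present.
PEOPLE_GROUPS = {
    "active-people": [("umInstitutionActive", "*")],
    "UMCP-faculty": [("umInstitutionActive", "UMCP"), ("umFaculty", "TRUE")],
    "UMCP-student": [("umStudent", "TRUE"), ("umBuckleyFlag", "FALSE")],
    "UMCP-buckley": [("umStudent", "TRUE")],
}
# Subset of the "critical" attribute groups.
ATTRIBUTE_GROUPS = {
    "U_ID": {"employeeNumber"},
    "email": {"mail", "umMailFwd", "umMailAlias"},
    "courses": {"umRegCourse", "umRegCourseCur", "umRegCourseList"},
}
# Subset of the "normal" attributes every authDN can read.
PUBLIC = {"cn", "uid", "sn", "umStudent", "umFaculty", "umInstitutionActive"}


def matches(entry, rule):
    """True if the entry (attribute -> list of values) satisfies every term."""
    for attr, want in rule:
        values = entry.get(attr, [])
        if not values or (want != "*" and want not in values):
            return False
    return True


def visible_attributes(entry, people_groups, attribute_groups):
    """Attributes of `entry` that an authDN with these memberships can read."""
    # Axis 1: the person must fall in at least one granted people group.
    if not any(matches(entry, PEOPLE_GROUPS[g]) for g in people_groups):
        return set()  # base-level access is not modeled here
    # Axis 2: public attributes plus each granted attribute group.
    allowed = set(PUBLIC)
    for group in attribute_groups:
        allowed |= ATTRIBUTE_GROUPS[group]
    return {attr for attr in entry if attr in allowed}


# Constructed sample entries (not real directory data).
PRIVATE_STUDENT = {"uid": ["s1"], "umStudent": ["TRUE"], "umBuckleyFlag": ["TRUE"],
                   "mail": ["s1@example.edu"], "umRegCourse": ["EXAMPLE101"]}
OPEN_STUDENT = dict(PRIVATE_STUDENT, uid=["s2"], umBuckleyFlag=["FALSE"])
FACULTY = {"uid": ["f1"], "umInstitutionActive": ["UMCP"], "umFaculty": ["TRUE"],
           "employeeNumber": ["000000000"], "mail": ["f1@example.edu"]}

if __name__ == "__main__":
    for who in (PRIVATE_STUDENT, OPEN_STUDENT, FACULTY):
        print(who["uid"][0], sorted(visible_attributes(who, ["UMCP-student"], ["email"])))
```

The privacy-flagged student is invisible to an authDN holding only UMCP-student and becomes visible only when UMCP-buckley is granted, which is why the two groups are worth reviewing separately in an access request.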