Directory Services: Application Access Model
Any application can make anonymous binds to the Directory; access would be the same as any other anonymous access as defined here.
Applications wishing greater access must request credentials (authDNs), approved by the unit head and the campus data stewards, that grant access to specific user populations and attributes. By default an application can retrieve at most 1000 entries per search; that limit can be raised on a per-authDN basis.
Access for an authDN is specified by membership in groups that are defined along two orthogonal axes:
- groups that define which people one has access to
- groups that define which attributes one has access to
The base level of access (membership in no groups) is the same as for an authenticated non-UMCP person:
- UMCP & USMO employees and affiliates (but not hourly student employees)
- "normal" attributes
- "private" attributes as allowed by the privacy flags
| Group Name | Directory Rule | Description |
|---|---|---|
| all-people | objectClass=umPerson | any person included in the PHR employee, PHR affiliate, or SIS feeds |
| active-people | umInstitutionActive=* | all people with non-terminated appointments (any institution), students, affiliates |
| UMCP-all | umInstitutionActive=UMCP | all people with non-terminated appointments at UMCP, students, affiliates |
| | | all people with active UMCP appointments |
| | | all people with active UMCP appointments where FAC_STAFF_CD=F |
| | | all people with active UMCP appointments where FAC_STAFF_CD=E,I |
| | | all people with active UMCP appointments where FAC_STAFF_CD=S |
| | | all people with active UMCP appointments where CAT_STAT_CD=4,5 |
| | | all people with active UMCP appointments where FAC_STAFF_CD=X |
| UMCP-affiliate | umAffiliate=TRUE | presence in the PHR affiliate feed |
| | | presence in the SIS feed and the SIS Privacy_Code<2 |
| UMCP-buckley | umStudent=TRUE | presence in the SIS feed |
| UMBI-all | umInstitutionActive=UMBI | all people with non-terminated appointments at UMBI |
| UMCES-all | umInstitutionActive=UMCES | all people with non-terminated appointments at UMCES |
| UMES-all | umInstitutionActive=UMES | all people with non-terminated appointments at UMES |
| USMO-all | umInstitutionActive=USMO | all people with non-terminated appointments at USMO |
For all of the following attribute groups you must first have access to the user's Directory object as a result of membership in one of the people groups listed above.
These attributes are already defined as public access, so every authDN automatically has access to them.
All attributes not listed above are considered critical, and applications must be explicitly granted access to them. Most of these attributes have been collected into sub-groups of related attributes for purposes of managing access. A few attributes are not part of any group because:
- they are application specific (umBSOSLabBalance, umLibraryBarCode)
- they are especially sensitive with respect to identity theft (umId, umGender, umDateOfBirth)
They will be handled as one-offs.
Note that for the attributes in the address, phone, and email groups, access may already be granted via the default rules for authenticated access (e.g. telephoneNumber is treated as a public attribute for employees).
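As an added example (not part of this page or of the Directory's own code), the following Python models the two access axes described above, the per-authDN search size limit, and what an application actually gets back from a search. The people-group Directory rules are the ones from the table; which attributes are public, which belong to the address/phone/email groups, the sample entries and the authDN names are assumptions made for illustration. It also shows one caveat a practitioner would want checked on the real server: the application's search filter is evaluated only over attributes the authDN may read, so an application cannot probe a critical attribute (umDateOfBirth, umId) by filtering on it; whether the Directory enforces this is not stated on the page.

```python
"""Toy model of the Directory's two-axis access model (people groups x attribute
groups) plus the per-authDN size limit.  Added example: it does not talk to the
real Directory, and the attribute memberships below are assumptions."""
from dataclasses import dataclass, field

# People axis: group name -> Directory rule, exactly as in the table on this page.
# (Table rows whose group name and rule are not given are omitted.)
PEOPLE_GROUPS = {
    "all-people":     "objectClass=umPerson",
    "active-people":  "umInstitutionActive=*",
    "UMCP-all":       "umInstitutionActive=UMCP",
    "UMCP-affiliate": "umAffiliate=TRUE",
    "UMCP-buckley":   "umStudent=TRUE",
    "UMBI-all":       "umInstitutionActive=UMBI",
    "UMCES-all":      "umInstitutionActive=UMCES",
    "UMES-all":       "umInstitutionActive=UMES",
    "USMO-all":       "umInstitutionActive=USMO",
}

# Attribute axis.  The page names the address/phone/email sub-groups and the
# one-off attributes but not which attributes are public; these sets are assumed.
PUBLIC_ATTRIBUTES = {"objectClass", "cn", "sn", "umInstitutionActive"}   # assumed
ATTRIBUTE_GROUPS = {
    "email":   {"mail"},                 # assumed membership
    "phone":   {"telephoneNumber"},      # assumed membership
    "address": {"postalAddress"},        # assumed membership
    # one-offs: in no group, granted individually (per the page)
    "umId": {"umId"},
    "umDateOfBirth": {"umDateOfBirth"},
}

DEFAULT_SIZE_LIMIT = 1000   # default per-search limit stated on the page


def matches(rule: str, entry: dict) -> bool:
    """Evaluate one presence ('attr=*') or equality ('attr=value') rule against a
    multi-valued entry.  Comparison is case-insensitive, as for caseIgnore syntaxes."""
    attr, _, value = rule.partition("=")
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


@dataclass
class AuthDN:
    dn: str
    people_groups: list = field(default_factory=list)
    attribute_groups: list = field(default_factory=list)
    size_limit: int = DEFAULT_SIZE_LIMIT   # raised per authDN on request

    def can_see(self, entry: dict) -> bool:
        # People axis: the OR of the authDN's people-group rules, evaluated by the
        # server over the full entry.  The base-level view for an authDN in no group
        # (employees and affiliates) comes from a default rule the page does not
        # spell out, so it is not modelled here.
        return any(matches(PEOPLE_GROUPS[g], entry) for g in self.people_groups)

    def readable(self, entry: dict) -> dict:
        """Attribute axis: applies only once the people axis grants the object."""
        if not self.can_see(entry):
            return {}
        allowed = set(PUBLIC_ATTRIBUTES)
        for g in self.attribute_groups:
            allowed |= ATTRIBUTE_GROUPS[g]
        return {a: v for a, v in entry.items() if a in allowed}

    def search(self, directory: list, rule: str):
        """Return (entries, truncated).  The filter is matched against the authDN's
        readable view so an unreadable attribute cannot be probed via the filter.
        A real server would stop at the limit and return sizeLimitExceeded (4)."""
        hits = []
        for entry in directory:
            view = self.readable(entry)        # {} when the people axis denies it
            if view and matches(rule, view):
                hits.append(view)
        return hits[: self.size_limit], len(hits) > self.size_limit


# Constructed sample entries (not real people).
DIRECTORY = [
    {"objectClass": ["umPerson"], "cn": ["Ada Example"], "sn": ["Example"],
     "umInstitutionActive": ["UMCP"], "mail": ["ada@example.edu"],
     "telephoneNumber": ["301-555-0100"], "umDateOfBirth": ["1980-01-01"]},
    {"objectClass": ["umPerson"], "cn": ["Bob Example"], "sn": ["Example"],
     "umInstitutionActive": ["UMES"], "mail": ["bob@example.edu"]},
    {"objectClass": ["umPerson"], "cn": ["Cy Example"], "sn": ["Example"],
     "umInstitutionActive": ["UMCP"], "umStudent": ["TRUE"]},
    {"objectClass": ["umPerson"], "cn": ["Di Example"], "sn": ["Example"],
     "umInstitutionActive": ["UMCP"], "umAffiliate": ["TRUE"],
     "umDateOfBirth": ["1975-06-30"]},
]

if __name__ == "__main__":
    app = AuthDN("uid=example-app,ou=apps", ["UMCP-all"], ["email"])   # assumed DN
    results, truncated = app.search(DIRECTORY, "objectClass=umPerson")
    for r in results:
        print(r["cn"][0], sorted(r))
    print("truncated:", truncated)
```

Granting the `umDateOfBirth` one-off to the same authDN is the only thing that makes `umDateOfBirth=1980-01-01` return a hit; the people-axis rule alone never exposes it, which is the point of keeping the two axes orthogonal.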