Details
- Improvement
- Resolution: Unresolved
- Minor
Description
Georgia Tech tracks people and accounts separately. A single person might have multiple accounts while they transition from one account to another, or in order to separate resource ownerships or to separate administrative access from normal, non-administrative access. We also keep track of application/service accounts separately, but those don't represent the person and are separate. We have two subject sources tied into Grouper.
Generally, the following restrictions work best:
- Business groups (Engineering-Faculty) are best limited to Person subjects
- Administrative groups (Root Access) are best limited to Account subjects
- Many service groups (BiologyIntranet-Users) are best when they support Person subjects
- Services tied to usernames are best when they integrate with Account subjects
This issue is requesting support for attributes that document restrictions a group should have on its subjects. Nested groups that might contain both People and Accounts would only add the appropriate subjects to the destination group (this can be done with intersection math). Manually adding the wrong kind of subjects would either error or translate from the selected subject into the correct subject.
We have hooks to share that implement these; however, the conversion is pretty specific to Georgia Tech.
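The requested behaviour, modelled as an added example; this is not Grouper's API and not the Georgia Tech hooks mentioned in the description. The `restrict_to` and `on_violation` attributes, the source names, the sample subjects and the primary-account mapping are all assumptions made for illustration.

```python
# Constructed model of the requested behaviour; not Grouper's API or Georgia Tech's hooks.
from dataclasses import dataclass, field

PERSON, ACCOUNT = "person", "account"  # the two subject sources (names assumed)

# Constructed sample data: each account belongs to exactly one person.
ACCOUNT_OWNER = {"gburdell3": "P001", "gburdell3-admin": "P001", "jdoe7": "P002"}
# Assumed site policy for person -> account translation: one primary account each.
PRIMARY_ACCOUNT = {"P001": "gburdell3", "P002": "jdoe7"}


class WrongSubjectSource(ValueError):
    """Raised when a direct add violates the group's subject restriction."""


def translate(subject, target_source):
    """Map a (source, id) subject into the target source, or raise."""
    source, ident = subject
    if source == target_source:
        return subject
    table = ACCOUNT_OWNER if target_source == PERSON else PRIMARY_ACCOUNT
    if ident not in table:
        raise WrongSubjectSource(f"no {target_source} known for {subject}")
    return (target_source, table[ident])


@dataclass
class Group:
    name: str
    restrict_to: str = ""         # hypothetical restriction attribute; "" = unrestricted
    on_violation: str = "error"   # "error" or "translate"
    direct: set = field(default_factory=set)
    nested: list = field(default_factory=list)

    def add(self, subject):
        """Direct add: enforce the restriction by erroring or translating."""
        if self.restrict_to and subject[0] != self.restrict_to:
            if self.on_violation == "error":
                raise WrongSubjectSource(f"{self.name} accepts only {self.restrict_to} subjects")
            subject = translate(subject, self.restrict_to)
        self.direct.add(subject)

    def members(self):
        """Effective members: nested members intersected with the allowed source."""
        found = set(self.direct)
        for group in self.nested:
            found |= group.members()
        if self.restrict_to:
            found = {s for s in found if s[0] == self.restrict_to}
        return found
```

In this model, translating a person into an account always yields the primary account, so an administrative group set to `translate` would never receive a separate admin account; `error` is the safer setting for such groups.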