Problem

Organizational hierarchy is a common source of both authority and access privilege, and is frequently the basis for determining membership in groups and/or inclusion in distribution lists. Workgroups combine to form units, which form divisions; departments combine to form schools and colleges. The authority and access afforded to individuals is often scoped by organizational hierarchy (e.g., a department head may have privileges scoped to cover all faculty in the department, while a dean may have the same privileges scoped to cover all faculty in every department that makes up a school). In the electronic world, systems that manage or use access privileges need to reflect these real-world organizational hierarchies.

Blended Hierarchies

A variation on this basic problem often occurs in Higher Ed environments: the hierarchy of the organization does not fully match the access control requirements of a system or a set of data, and minor adjustments to group membership are required. The official hierarchy is usually derived from HR/finance systems, so it represents financial and line management concerns better than it represents how other functions, such as research and teaching, are organized and structured. While this official hierarchy is often the best available representation, it usually needs some adjustment before it can represent the research or teaching structure. A blended hierarchy builds on the official hierarchy with those adjustments applied, so that it represents the actual access control needs of the application.

Blended requirements often arise in administrative applications when rosters are derived from payroll systems. Individuals may have authority or membership in campus departments, centers, and institutes that are not their primary funding source. Blended requirements arise most often, however, in the instructional and research space, where the central business systems have no interest in tracking the detailed role information instructors want to apply to systems supporting instruction.

Solution

  • Formal Hierarchies - The simplest solution to implement technically is to take a snapshot of the organizational hierarchy at a point in time and import it into an access control list for the resource. Over time this leads to increasing duplication of effort, because every change in membership has to be reflected (by hand) in both the electronic organizational hierarchy and the access control list.
  • Blended Hierarchies - Group management software such as the Internet2/MACE Grouper Groups Management Toolkit provides a more scalable and robust solution. A set of structured groups, such as departments, colleges, community, etc., is constructed manually. Provisioning software then populates individuals' memberships in their respective departmental groups from Human Resources and ERP-derived information. Any changes to the official rosters are automatically propagated to the provisioned group, and administrators/identified registrars only maintain the additional cases. Each department typically has three groups: a provisioned one, a manually maintained one (for the adjustments), and the "effective" one (the union of the first two).
    Courses use a similar structure. The campus Student Information System provides information about the official instructor(s) and students, and sometimes teaching assistants (TAs). This information is used to provision the appropriate groups. However, identities for guest lecturers, some TAs, students auditing the course, and content managers (often students) supporting the instructor's use of technology are usually maintained manually. The "Official Source with Include and Exclude Lists" approach is then used to create an effective group for each category.
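The three-group structure just described ("Official Source with Include and Exclude Lists"), as an added worked example in Python. This is illustrative code written for this page, not Grouper's own implementation or API; the group names, feed contents and user identifiers are constructed. It shows the property that matters operationally: the nightly feed rewrites only the provisioned part, so manual includes and excludes survive each run, and the effective membership is always computed rather than hand-edited.

```python
"""Blended group: provisioned part + manual include list - manual exclude list.

Illustrative example for the pattern above; not Grouper code. All names and
feed data below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class BlendedGroup:
    """One departmental or course group made of three parts.

    provisioned - replaced wholesale on every feed run (HR / SIS / ERP)
    include     - manual additions (guest lecturers, cross-appointed staff)
    exclude     - manual removals (listed by the feed, but must not get access)

    Exclusion wins over inclusion, so a registrar's removal cannot be undone by
    an include entry or by the next feed run.
    """
    name: str
    provisioned: set[str] = field(default_factory=set)
    include: set[str] = field(default_factory=set)
    exclude: set[str] = field(default_factory=set)

    def effective(self) -> set[str]:
        """The only membership consumers should read; never stored by hand."""
        return (self.provisioned | self.include) - self.exclude

    def provision(self, feed_members: set[str]) -> dict[str, set[str]]:
        """Replace the provisioned part from the authoritative feed.

        include/exclude are untouched, so manual adjustments survive the nightly
        run. Returns who gained and who lost effective access, which is what an
        audit log or a downstream provisioner (e.g. an LDAP sync) needs.
        """
        before = self.effective()
        self.provisioned = set(feed_members)
        after = self.effective()
        return {"added": after - before, "removed": before - after}


def demo() -> tuple[set[str], dict[str, set[str]]]:
    """Walk a course instructor group through two feed runs (constructed data)."""
    course = BlendedGroup("course:biol101:instructors")
    course.provision({"jones", "smith"})      # SIS lists two instructors
    course.include.add("mathlecturer")        # guest lecturer, added by hand
    course.exclude.add("smith")               # on leave; must not keep access
    effective_day1 = course.effective()       # {"jones", "mathlecturer"}

    # Next nightly run: SIS now also lists a TA. The manual adjustments persist.
    delta = course.provision({"jones", "smith", "newta"})
    return effective_day1, delta


if __name__ == "__main__":
    day1, change = demo()
    print("effective day 1:", sorted(day1))
    print("delta after feed:", {k: sorted(v) for k, v in change.items()})
```

The returned delta is the part worth keeping: it is what a downstream system (a directory, a room booking system, a course site) should consume, and what an auditor can reconcile against the feed.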

Examples

  • Professor Jones is a member of the Microbiology group, and Dean Johnson is a member of the Anatomy group. A supergroup is constructed for the Division of Basic Sciences by conjoining Microbiology, Anatomy, Cell Biology and Pharmacology. Another is constructed for the School of Medicine by conjoining the Division of Basic Sciences with the other Divisions (Neurology, Cardiology, Hematology, Oncology, etc.). Members of the Microbiology group are automatically members of the supergroups. The relevant groups and supergroups are projected into an LDAP directory as LDAP groups (possibly in a separate LDAP OU reserved for groups that reflect organizational hierarchy). The faculty management system and the budgeting system then consult the LDAP directory for group membership information when making access decisions: user roles ("Chair", "Dean", etc.) have their privileges scoped by group membership, so department chairs are granted rights scoped to the members of their departmental groups, while divisional deans are granted rights scoped to their divisional supergroups.
  • In Newcastle, student interview/contact rooms used by support staff (careers, student welfare, etc.) are owned by a particular service. For instance, careers owns and controls the rooms on their floor in the student services building. However, other departments such as student welfare or accessibility support are able to book the rooms, as they occasionally need to use the unique facilities offered by the room. We are using the Grouper group management tool to nightly import the official hierarchy into it from our HR records system. We then set up a group which includes the careers group from the official hierarchy and has other users that are added by hand. This then feeds into the Syllabus Plus web-based room booking system to authorize who can book which rooms.
  • Courses are often the responsibility of an organizational unit in the official hierarchy (e.g. biology is taught by biology department staff) but then have ad hoc input from people in other units (e.g. the biology course may have lectures on statistics given by a mathematician; another example is that non-staff members such as postgrad students may act as tutors on courses). In order to grant access to course materials it is necessary to take the organizational group (e.g. biology) from the official hierarchy and add these additional ad hoc members.
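The School of Medicine example above (supergroups built from departmental groups, projected into LDAP, and roles scoped by those groups) as an added worked example in Python. This is illustrative code written for this page, not the code of Grouper, any faculty management system, or any campus directory; the department and people names, the role table, the privilege names and the DN layout are constructed. The point it makes is that a supergroup is defined only by the groups it contains, never by listing people, so a change in a department's effective membership propagates to the division and school automatically, and a scoped authorization check needs no per-person maintenance.

```python
"""Supergroups derived from departmental groups, LDIF projection, and
privilege scoping by group. Illustrative example; all data is constructed."""

# Leaf groups: each department's effective membership (already blended).
LEAF_MEMBERS: dict[str, set[str]] = {
    "microbiology": {"jones", "lee"},
    "anatomy": {"johnson", "patel"},
    "cellbio": {"garcia"},
    "pharmacology": {"okafor"},
    "neurology": {"chen"},
}

# Supergroups name only their child groups. Membership is derived below.
SUPERGROUPS: dict[str, list[str]] = {
    "basic_sciences": ["microbiology", "anatomy", "cellbio", "pharmacology"],
    "school_of_medicine": ["basic_sciences", "neurology"],
}

# Constructed DN layout: org-hierarchy groups live in their own OU.
PEOPLE_BASE = "ou=people,dc=example,dc=edu"
GROUPS_BASE = "ou=orggroups,dc=example,dc=edu"


def members(group: str, _seen: frozenset[str] = frozenset()) -> set[str]:
    """Flatten a group to its people, following nested supergroups.

    A cycle in SUPERGROUPS would otherwise recurse forever, so it is rejected.
    An unknown group has no members rather than raising, so a consumer that
    asks about a group not yet projected simply gets no access.
    """
    if group in _seen:
        raise ValueError(f"cycle through group {group!r}")
    if group in LEAF_MEMBERS:
        return set(LEAF_MEMBERS[group])
    out: set[str] = set()
    for child in SUPERGROUPS.get(group, []):
        out |= members(child, _seen | {group})
    return out


def to_ldif(group: str) -> str:
    """Project a group as a groupOfNames entry with flattened member DNs."""
    lines = [
        f"dn: cn={group},{GROUPS_BASE}",
        "objectClass: groupOfNames",
        f"cn: {group}",
    ]
    lines += [f"member: uid={uid},{PEOPLE_BASE}" for uid in sorted(members(group))]
    return "\n".join(lines) + "\n"


# Role assignments: (user, role, scope group). The role grants privileges; the
# scope group bounds the people those privileges may be exercised over.
ROLE_ASSIGNMENTS: list[tuple[str, str, str]] = [
    ("jones", "chair", "microbiology"),
    ("johnson", "dean", "basic_sciences"),
]

PRIVILEGES: dict[str, set[str]] = {
    "chair": {"approve_leave"},
    "dean": {"approve_leave", "set_budget"},
}


def authorize(actor: str, privilege: str, target: str) -> bool:
    """True if actor holds a role granting privilege over target's scope.

    Default deny: no matching assignment, or a target outside the scope group,
    means False. The same check serves a chair (department scope) and a dean
    (division scope) with no special-casing.
    """
    for user, role, scope in ROLE_ASSIGNMENTS:
        if user != actor or privilege not in PRIVILEGES.get(role, set()):
            continue
        if target in members(scope):
            return True
    return False


if __name__ == "__main__":
    print(to_ldif("basic_sciences"))
    print("chair jones over lee:", authorize("jones", "approve_leave", "lee"))
    print("chair jones over patel:", authorize("jones", "approve_leave", "patel"))
    print("dean johnson over lee:", authorize("johnson", "set_budget", "lee"))
    print("dean johnson over chen:", authorize("johnson", "set_budget", "chen"))
```

Because `authorize` resolves the scope group at decision time, adding a person to the microbiology leaf group is enough for both the chair's and the dean's privileges to cover them; nothing in the role table changes.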

  • A research group is often largely based in an organizational unit as represented by the organizational hierarchy; however, it will often include additional members from other parts of the organization. For instance, a research group studying biomaterials will draw its membership from the biomaterials research group but may also include members from the chemistry or physics department.
