Survey Strategy and Goals

The intent of this survey is to collect feedback from a variety of institutions and organizations within higher education about their current Directory Group usage in LDAP, their current and anticipated needs for Directory Groups, and what gap(s) they see between the tools they currently have at their disposal and what would meet their needs. Our aim is to then use the results of the survey process to inform our thinking about Directory Group tools and to measure existing tools with an eye toward making them as widely useful as possible.

Survey Frozen 12-January-2009

The survey below has been entered into SurveyMonkey for data collection, in its final form as of this date. Please direct questions or comments to Steve Olshansky <steveo AT internet2 DOT edu>.

Please contribute!

Below are the beginnings of the survey, containing questions that have been thought of by members of the MACE-Dir Working Group. If you have any comments, suggestions, corrections, additional questions, etc. that you feel are appropriate, please feel free to edit this document directly. We only ask that you comment on any changes you make so that we can keep track of the rationale for changes as they are made.

Survey Draft

Directory groups can be used for provisioning and authorization.

For those using groups in LDAP:

  1. What directory product or product(s) are you using?
  2. If you are using more than one product, are you synchronizing them, and if so, how?
  3. Are the standard object classes sufficient for your needs?
  4. Are you using static groups, dynamic groups (groups whose membership changes based on data in the directory), or a mixture of both? Why?
  5. If you are using static groups, how do you go about generating them? Are they on an as-needed basis? Are they created by hand? Is there an automatic tool that creates the base structure for you?
  6. If you are using dynamic groups, how do you go about generating them? Are they created dynamically, or just populated dynamically? Are they created/populated from basic LDAP filters, or is more complex coding required?
  7. Do you use groups for authorization, base authorization on attributes, or release attributes to applications for the applications to determine if a user is authorized?
  8. If you use groups for roles, then how, if you do, do you address exceptions to the roles/group membership?
  9. How many groups do you have in LDAP?
  10. Do your group memberships include "external" people? ("external people" meaning people that do not exist in your local authentication management system.) If so, how do you link them to the group?
  11. Are your end users able to create groups directly or do they need to request to have one created by central IT staff?
  12. How do you handle removing deleted users from a group?
  13. How many members does your largest static group have? How is this large membership maintained?
  14. Do you have groups that mirror affiliations - such as an alum affiliation and an alum group?
  15. Do you maintain group memberships based on data provisioned from other systems of record (e.g. course groups or student major groups from your student information system, or employee groups from your HR/Payroll system)? If so, please describe.
  16. Do you support protected group memberships (where not everyone can view the membership)? If so, what are the security and/or compliance drivers for protecting them (e.g. FERPA)?
  17. How do you handle group naming policy? Do you allow special characters, alphanumeric characters only, spaces? How many characters do you allow the group name to be?
  18. Are users allowed to choose their own group names (via delegated naming authority), or are they assigned by a central authority (such as your help desk)?
  19. Are users able to manage and change their group membership on their own?
  20. Are people allowed to create groups that they are not members of?
  21. What are the top 3 tools you would like to see available for group management?
  22. What other issues do you currently have with group management?
  23. Do you encourage group reuse where applicable, for example - two groups have identical memberships based on similar or identical membership rules such that only one of the groups is actually necessary? If so, how do you detect the similarities?
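Two of the checks the survey asks about, Q12 (finding deleted users still referenced by groups) and Q23 (detecting groups with identical memberships, also raised in comment 7 below), as an added Python example that is not part of the survey page or any MACE-Dir tool; the LDIF sample, DNs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (hypothetical DNs): two people, three groupOfNames groups.
# uid=carol has no person entry, so the alumni-board group has a dangling member.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
dn: uid=bob,ou=people,dc=example,dc=edu

dn: cn=staff-admins,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=edu
member: uid=bob,ou=people,dc=example,dc=edu

dn: cn=wiki-editors,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
member: uid=bob,ou=people,dc=example,dc=edu
member: uid=alice,ou=people,dc=example,dc=edu

dn: cn=alumni-board,ou=groups,dc=example,dc=edu
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=edu
member: uid=carol,ou=people,dc=example,dc=edu
"""


def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines or base64) -> {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":                      # a dn line starts a new entry
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None and attr:    # blank lines are skipped
            current[attr].append(value)
    return entries


def group_members(entries):
    """{group dn: frozenset of member DNs} for every groupOfNames entry."""
    return {dn: frozenset(e["member"]) for dn, e in entries.items()
            if "groupOfNames" in e["objectClass"]}


def dangling_members(entries):
    """Q12: member DNs with no entry left in the directory (deleted users), per group."""
    known = set(entries)
    return {dn: sorted(members - known)
            for dn, members in group_members(entries).items() if members - known}


def identical_groups(entries):
    """Q23: groups with exactly the same membership, i.e. candidates for reuse."""
    by_membership = defaultdict(list)
    for dn, members in group_members(entries).items():
        by_membership[members].append(dn)
    return sorted(sorted(dns) for dns in by_membership.values() if len(dns) > 1)
```

Because memberships are compared as sets, the order in which member values appear in the directory does not matter; a real LDIF export would also need handling of continuation lines and base64 values.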

7 Comments

  1. Should the survey include something about who sponsors/stewards/updates/creates the group memberships and begin looking at policy surrounding groups too? Or do we want to focus on the technical mechanics?

  2. There was a survey of some kind circulated in February 2006 about policies related to groups. Probably not the right questions for this survey, but I'll list some of them anyway:

    • Can groups be named anything a person wants?
    • Should group names be allowed to contain spaces and characters other than alphanumerics? What if those characters prevent the use of the group in some environments (like on a Unix file system, for instance)? There may also be length limitations in some directories, like a limit of 32.
    • How long should a group name be unavailable for reuse after a group is deleted?
    • Can a person remove him/herself from a group?
    • Should a person be allowed to create a group in which she/he is not also a member?
    • What granularity of access should be allowed for viewing membership lists?
    • Should users that leave the school be deleted automatically from the groups to which they belong?
    • Should there be a limit on the number of members a group can have?
    • Will groups expire after a period of inactivity?
    • If the group owner leaves the school or decides he/she does not want the group anymore, should we allow inheritance of the group by another group member? What if the owner does not want it to be inherited?
  3. How many groups do you have in LDAP?

    Do your group memberships include "external" people? By "external people" I mean people that do not exist in your local authentication management system.

    Are your end users able to create groups directly? (As opposed to having them request a new group which is then created by central IT staff?)

  4. How many members does your largest static group have?

    Do you have groups that mirror affiliations - such as an alum affiliation and an alum group?

    Do you have protected groups (so that not everyone can see the membership)?

  5. Comments from Tom:

    Q4. Is it understood what is meant by a dynamic group here, or should that be defined? Q6 seems to imply that there may be various definitions.

    Q7. What is meant by "collections attributes"?

    Q8. What underlying problem does this question address? How's an "exception to membership" for a role group different than that for a group, whatever its semantics are? And what "exceptions" are meant here?

    Should there be an open-ended question that invites respondents to tell you what their big issues are, just in case your Qs don't quite cover their problems? Or a Q that asks them to list up to 3 things, say, that they'd like to see exist that would make their directory-group management much better than it is currently.

    Thanks,
    Tom

  6. I've rolled in as many of the questions and changes from comments that I could. I left some of what Brendan posted out as they are more policy related than information gathering. The one that I couldn't figure out how to address is Tom's comment on question 8:

    Q8. What underlying problem does this question address? How's an "exception to membership" for a role group different than that for a group, whatever its semantics are? And what "exceptions" are meant here?

    Anyone have a better idea on how to explain this?

  7. Perhaps a question about identical groupings? For instance:

    Do you encourage group reuse where applicable, for example two groups have identical memberships based on similar or identical membership rules such that only one of the groups is actually necessary? If so, how do you detect the similarities?