...
- Formal Hierarchies - The simplest solution to implement technically is to take a snapshot view of the organizational hierarchy at a point in time, import it into an access control list for the resource. Typically, this solution over time leads to increasing duplication of effort as changes in membership have to be somehow reflected (by hand) in the electronic organizational hierarchy and the access control list.
- Blended Hierarchies - Group management software such as Internet2/MACE Grouper Groups Management Toolkit provides a more scalable and robust solution. A set of structured groups, such as departments, colleges, community, etc. is constructed manually. Provisioning software then associates individuals' memberships in their respective departmental groups using Human Resources and ERP-derived information. Any changes to the official rosters are automatically propagated to the group and administrators/identified registrars only update the additional cases. Each department typically has three groups: a provisioned one, a manually maintained one (for the adjustments), and the "effective" one (which is the union of the first two).
Courses use a similar structure. The campus Student Information System provides information about the official instructor(s) and students, and sometimes teaching assistants (TA). This information can be used to provision the appropriate groups. However, identities for guest lecturers, some TA's, students auditing the course, and content managers (often students) supporting the instructor's use of technology are usually manually maintained. The "Official Source with White Include and Black Exclude Lists" approach is then used to create an effective group for each category.
...