University of Glasgow
Right People, Right Stuff, Right Pain?
Setting the Scene
A brief introduction by James Currall (Glasgow) and two ten minute
presentations from Colin Farrow (Glasgow) and John Byrne (York) outlining:-
that Glasgow and York face in allowing the right people to see the
Discussion of the Issues and input from Delegates Perspective
A discussion was in two groups:
- non-techies - facilitated by James Currall
- techies - facilitated by John Byrne and Colin Farrow
General Discussion and 'What can I Do?'
James Currall lead this discussion, drawing on the discussion in
groups. The groups’ discussion fell into two parts (plus another session
Getting the Right People information
There was general agreement that there is a need for good quality,
people information covering all those who need access to information in an
- Good people data is the result of good institutional processes. If the
processes are not in place and working then getting a comprehensive directory of
people is more of less impossible.
- Getting good people data requires investment in good processes, which
initially cost money, but which pay for themselves fairly quickly.
- People who are neither paid staff nor enrolled students (often referred to
as ‘associates’) are a difficult problem, because it is difficult to
identify who is responsible for them and there are rarely good processes in
place to handle them
- Getting rid of people who should no longer be included needs to have
suitable process to ensure ‘Single Sign Off’ (one action removes all
entitlements). It is difficult because:-
- students often remain around writing up or helping out, etc. with an
- processes are generally less well developed for this job than for adding
new people (recruitment, matriculation, etc.)
- someone has to remember to action the process,
- people who have left but still have access don’t complain (unlike
those that have joined and don’t have access),
For the most part, although having Right People information is
very important to those who have to manage access to information and systems,
they are not in the position to solve it. The people who are (registry, Human
Resources, etc.) will only own the problem if they see value (to them) in
Groups (and how to build them)
Groups are used to model roles within the organisation and were
generally agreed to be a good way to provide (moderately) fine-grained access
control to information.
These are three types of group:-
- Robot Groups
- formed automatically from rules based on
institutional process and systems (e.g. Departmental membership, staff grade,
- Ad Hoc Groups (official)
- formed by a
‘responsible person’ based on official designation (e.g. membership
of university committees, etc.)
- Ad Hoc Groups
- formed by an individual who needs to share information
with a number of others who do not conform to an official categorisation (e.g.
ad hoc working group, special interest group, etc.)
Three issues were seen as being important in maintenance of
- Moderation of group membership - do the people who run the servers have a
- Notification of group members of their membership - should group owners be
able to add people without their say so?
- Who should be able to see who is in what group (security/DPA issues)?
Groups can be used to control access to information but can also
provide e-mail lists and other functions if managed in a directory service which
can look up the other information as required.
Both Glasgow and
York have implemented groups to model roles and have done so within an LDAP
Groups provided in this way seem to have very great potential in
inter-university collaborations, where confirmation of group membership is
passed as a credential to the other institution (but not the details of who the
person is). In this context, Ulster has been collaborating with the University
of Athens and York is collaborating with Hull (see also the Shibboleth work
referenced in the briefing paper)
Technical matters concerning the design of an LDAP directory for
access control were deferred until an additional ‘Birds of a
Feather’ session held later.