Campus Groups

The Campus Groups service allows authorized UCSC users (called "architects") to log in to Grouper to create and manage groups associated with their organization and the membership of those groups. These groups are used to grant permissions for pre-defined populations (e.g., active employees, incoming students) or individuals to access services.

This service uses the Grouper tool and is administered by the UCSC Identity Management team.  

Frequently Asked Questions

  • Architects can build and maintain their own folders and groups within Campus Groups, including giving other users access to manage these groups. To request Architect access, you must complete FERPA training, then open a ticket in Slug Hub. Please note that logging into Campus Groups requires using VPN (either Campus VPN or Data Center VPN).
  • Campus Groups allows a unit to have its own folder where an architect for the unit can manage sub-folders and groups. This folder and everything in it is the “architect area” for that unit.
  • Multiple access levels can be built into an architect area. Common structures include:

    • Architects can control all group memberships, security, and folder structure within the architect area.
    • Managers can control membership in Users groups.
    • Users control membership in specific groups that grant access to downstream systems.
    • Viewers can view group membership.
  • IdM uses information from campus systems (AIS, PPS and DivData) to maintain reference groups that can be used to derive membership in other groups. These include groups for students, faculty, and employees, each broken down by status (e.g., student-active, student-leave, student-incoming).
  • Groups can be composed of individually added people, or combinations of other groups, or both. “Group math” can allow complex combinations of other groups to be put into a group, e.g., everyone from group A plus everyone from group B, excluding anyone in group D.

    Examples:

    • Campus Directory editing access is granted to individuals who are manually added to a group.
    • Data Center VPN access is granted to manually added individuals who are also members of the employee-active reference group.
    • CruzAlert self-service access is granted to members of the reference groups affiliation-affiliate, affiliation-employee, affiliation-faculty, or student-active who are not in the sundry-functional reference group.
  • Any service that can read group membership through Campus LDAP or Shibboleth may use Campus Groups membership to control access. Currently Campus Groups are used to populate POSIX groups and to control access to Data Center VPN, page security in CruzID Manager, divisional computing resources, and more.
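The three "group math" examples above, worked through as an added example (not UCSC's or Grouper's own code). The `direct`/`include`/`require`/`exclude` model is a simplification rather than Grouper's API or data format; the access group names `directory-editors`, `dc-vpn` and `cruzalert-self-service` and all user IDs are hypothetical, and only the reference group names come from this page.

```python
# Added example: resolving "group math" into effective membership.
# User IDs and direct memberships are constructed sample data.

def resolve(name, groups, _stack=()):
    """Return the effective member set of group `name`.

    Each group is a dict with optional keys:
      direct  - individually added members
      include - groups whose members are added (A plus B)
      require - groups a member must also be in (manual AND reference group)
      exclude - groups whose members are removed (excluding D)
    Exclusions are applied last, so an exclusion always wins.
    """
    if name in _stack:  # a group defined in terms of itself never resolves
        raise ValueError("circular definition: " + " -> ".join(_stack + (name,)))
    if name not in groups:  # fail closed on a typo instead of granting access
        raise KeyError(f"unknown group: {name}")
    g, stack = groups[name], _stack + (name,)
    members = set(g.get("direct", ()))
    for sub in g.get("include", ()):
        members |= resolve(sub, groups, stack)
    for sub in g.get("require", ()):
        members &= resolve(sub, groups, stack)
    for sub in g.get("exclude", ()):
        members -= resolve(sub, groups, stack)
    return members

GROUPS = {
    # Reference groups (names from the page, members constructed)
    "employee-active": {"direct": {"alice", "bob"}},
    "student-active": {"direct": {"carol", "dave"}},
    "affiliation-affiliate": {"direct": {"erin"}},
    "affiliation-employee": {"direct": {"alice", "bob", "frank"}},
    "affiliation-faculty": {"direct": {"grace"}},
    "sundry-functional": {"direct": {"frank"}},
    # Access groups (hypothetical names) mirroring the three examples
    "directory-editors": {"direct": {"bob"}},
    "dc-vpn": {"direct": {"alice", "carol"}, "require": ["employee-active"]},
    "cruzalert-self-service": {
        "include": ["affiliation-affiliate", "affiliation-employee",
                    "affiliation-faculty", "student-active"],
        "exclude": ["sundry-functional"],
    },
}

if __name__ == "__main__":
    for group in ("directory-editors", "dc-vpn", "cruzalert-self-service"):
        print(group, sorted(resolve(group, GROUPS)))
```

In this sample data, `carol` is manually added to `dc-vpn` but is not an active employee, so she gets no access, and `frank` drops out of `cruzalert-self-service` through the exclusion.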