CalGroups Recipe for Access Control

How do I use CalGroups to provision different levels of access to my application?

Services / Tools You Provide

  • Access request and approval form and workflow


Whichever way you handle access requests and approvals (manually or programmatically), you can use CalGroups to centrally store your approved requesters into role groups so that this information may be consumed by your application for access control purposes.  In addition, it allows you to automatically de-provision users from your role groups when they leave their employment.


Creating ad hoc groups and manually adding membership


Automating group population and user deprovisioning

  • Request an applications folder.  You will be creating your groups within your application folder.
  • Create a group for each role that you have in your application. These role groups will not initially have any members. These will be the “first factor” groups that you will use in the access groups (see #3 below)  from which your application will derive membership information.
  • For automated access-deprovisioning, create an access group for each “first factor” group you created in #2 above.  Each access group you create is a composite group which will be the intersection of:
    1. First Factor Group: your role group
    2. Second Factor Group: an official group (ex. All Staff or All Employees)

       "Composite" is the intersection between venn diagram of "your role group" and "official group"             

The intersection means that a person has to be a member of both groups.  Since official groups are programmatically derived and updated, any changes in the official groups you use will be reflected in your access group automatically.

  • Update your groups manually  or using CalGroups APIs
  • Retrieve your role group membership information via CalGroups API or LDAP and soon, Active Directory.