Overview:
As departments expand their use of Special Purpose Accounts, SPAs, we need to re-assess how and where they are used along with a name change to better handle the dual aspects of SPAs.
Original concept:
There are two aspects to a SPA, the account itself which resides in LDAP, and the user delegation group which resides in CalGroups. Often, someone using a SPA may think of them as being the same thing though. In LDAP, the SPA is like a regular person account with a couple of extra attributes, one of which is the name of the user delegation group. When someone logs into an application via our campus SSO, they are allowed to login as a SPA if they are part of the SPA’s user delegation group.
Within CalGroups itself, the user delegation group is a regular group that can be used for authorization or other purposes. Groups can be nested in each other for indirect membership.
There are several SPA related names that appear in different contexts. For example:
In CalGroups:
the user delegation group: edu:berkeley:apps:calnet-spa:group-spa-test-name
In LDAP:
the account has a:
Givenname: Test-name
Sn (last name): SP_Account
Display Name: Test-name SP_Account
Cn: SP_Account, Test-name
Calnet ID: spa-test-name
isMemberOf:
cn=edu:berkeley:app:calnet-spa:spa-test-name,ou=campus groups,dc=berkeley,dc=edu
In bConnected:
Account: test-name@berkeley.edu
Email: test-name@berkeley.edu
Authenticating via CAS: spa-test-name+CalNetID
In AD: the user delegation group (under ou=ManagedGroups,ou=CalGroups):
CN=group-spa-test-name,OU=calnet-spa,OU=app,OU=berkeley,OU=edu
Current needs:
As campus departments are making expanded use of SPAs, we need to allow both the Special Purpose Account and the SPA user delegation group to be used in groups.
Proposed Solution: Change SPA Group Name -
To allow clarity for the two aspects of a SPA (account and user delegation group), we will change the group names slightly.
The current idea for group name modification is to prefix it with 'group'. That way when a user is searching for a SPA, user group, or account, the user group will be obvious.
An example:
SPA name: spa-test-name
SPA as account in google: test-name@berkeley.edu
SPA user delegation group name: spa-test-name -> group-spa-test-name
After the change:
The group you would use to allow users to use spa-test-name (group-spa-test-name):
If someone is searching for spa-test-name within CalGroups, they will see two items in the list:
- SP_Account, Test-name
- edu:Berkeley:Applications:CalNet SPA:group-spa-test-name
Choosing the first option “SP_Account, Test-name” will add the account to the group.
Choosing the second option "edu:Berkeley:Applications:CalNet SPA:group-spa-test-name" will add the user delegation group which will in turn will add the members of the user delegation group. In this case, Jeff McCullough and group-spa-testname.