1. Groupstore feature description

Early access documentation for Groupstore Phase I User Acceptance Testing (UAT). Please send comments to

1.1 Definition

Groupstore is an institutional repository of groups of people. It contains automatically populated groups defined by the academic course and organisational structure of the University and custom groups defined and populated locally by units. These groups can be used for a variety of purposes, including fine-grained access control to physical and digital resources.

2. Context

Groupstore extends the suite of Identity and Access Management (IAM) features offered by IT Services. Groupstore complements the Core User Directory (CUD) Service by allowing people to be grouped, either by attributes or in a more ad-hoc fashion.

3. Users

3.1 Data consumers

During UAT, a Groupstore UAT system will be available to volunteers on the User Acceptance programme.  All users will need to sign and return a copy of the Groupstore Release Policy and Terms of Acceptable Use before using the Groupstore service.  This may be done either by internal post or by emailing a scanned copy to

4. Groupstore group structure

Groupstore group names bear some resemblance to the paths used when saving files.  In Groupstore, group path names are built up one folder at a time, with colons separating each folder name in the path.  For example, the name "etc:uat-users" would refer to the group "uat-users" in top-level folder "etc".  Every group and folder has both a short name and a longer name, which may be identical.  For example, the group of staff in IT Services has the short name "org:oxuni:centadm:itserv:staff" and the long name "org:University of Oxford:University Administration and Services:IT Services:IT Services, Staff".

The Groupstore group hierarchy is split into the following top-level branches:

  • A course group tree (called "course").  This contains course groups organised by SITS programme code and then by route code.  The short forms of the folder names use the SITS codes directly.  For example, the folder "course:programme:MPhys Physics:route:MPhys Physics" has the short form "course:programme:UP_PS1:route:UP_PS1".
  • An organisational group tree (called "org").  This contains college and department groups loosely based on the organisational structure in Oak LDAP.
  • A tree full of internal Groupstore groups (called "etc").  These can be ignored for the purposes of User Acceptance Testing.
  • University-wide application-specific group structures (called "app").  These are currently unused, and can also be ignored for the purposes of User Acceptance Testing.

In both the "course" and "org" folders, higher-level groups are used to aggregate the groups at deeper levels of the tree.  For example, the group org:college:roles:itss contains all college ITSS, and course:year-of-study:1 contains all first-year students.  In general, these higher level groups are populated based on the central "systems of record": SITS, HRIS, the University Card system and the Registration database and deeper groups offer more control to the local college or department administrators.

In the organisational tree, each unit has two sets of admin groups associated with it: a group "admin-r" for granting read-only access to groups, and a full admin group "admin-rw" for creating groups or adding members.  By default, the "admin-r" group contains all unit ITSS and the "admin-rw" group consists of the unit's primary ITSS.  However, full admins can add or remove members as they see fit.  In addition, full admins may create any group they like within their unit's "local" or "roles:local" folders.

5. Interfaces

5.1 Groupstore Full UI

Typical use cases: ad-hoc lookup of group membership; management of custom unit groups

The Groupstore full user interface is a web application which allows registered users to perform the following:

  • Inspect Group membership (subject to access rights)
  • Create ad hoc groups for your units (subject to access rights)

All Groupstore users are encouraged to use the Groupstore UI to familiarise themselves with Groupstore.

The web user interface for UAT is available at  The Groupstore home page will present you with a customisable summary of groups that you manage or are a member of. From there you can use the search field at the top right to find a group or use the folder browser on the left hand side to browse the complete Groupstore hierarchy.

You should be able to see the existence of most groups, but will be unable to view the members of a college or department group unless you are a member of the appropriate admin group.  As mentioned previously, "full" (read/write) admins for a unit can create new groups or folders within the "local" folder for their unit.  The organisational groups are populated based on CUD affiliations derived from the systems of record.  Since these may not fully represent reality, full admins may add members to the relevant "include" and "exclude" groups to modify this list.


Written by IT Services. Latest revision 30 June 2016