Groupstore group names bear some resemblance to the paths used when saving files. In Groupstore, group path names are built up one folder at a time, with colons separating each folder name in the path. For example, the name "etc:uat-users" would refer to the group "uat-users" in the top-level folder "etc". Every group and folder has both a short name and a longer name, which may be identical. For example, the group of staff in IT Services has the short name "org:oxuni:centadm:itserv:staff" and the long name "org:University of Oxford:University Administration and Services:IT Services:IT Services, Staff".
The Groupstore group hierarchy is split into the following top-level branches:
- A course group tree (called "course"). This contains course groups organised by SITS programme code and then by route code. The short forms of the folder names use the SITS codes directly. For example, the folder "course:programme:MPhys Physics:route:MPhys Physics" has the short form "course:programme:UP_PS1:route:UP_PS1".
- An organisational group tree (called "org"). This contains college and department groups loosely based on the organisational structure in Oak LDAP.
- A tree full of internal Groupstore groups (called "etc"). These can be ignored for the purposes of User Acceptance Testing.
- University-wide application-specific group structures (called "app"). These are currently unused, and can also be ignored for the purposes of User Acceptance Testing.
By default, the existence of a group can be seen by everyone with access to Groupstore. This can be prevented by removing the VIEW permission from the "EveryEntity" object. However, the members of a group can only be seen by users or groups of users that have been granted the READ permission. If a group is added to another group, the user doing the adding must have READ permission on both groups. This prevents users from discovering the members of a group without holding the relevant permissions.
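The rule in the paragraph above, sketched as a small Python model. This is an added example, not Groupstore code: the class and function names are hypothetical, the group paths used with it are constructed, and only the VIEW and READ rules stated here are modelled.

```python
# Toy model of the VIEW/READ rules described above (added illustration).
# Hypothetical names throughout; this is not Groupstore's code or API.
EVERY_ENTITY = "EveryEntity"

class Group:
    def __init__(self, name, members=()):
        self.name = name              # colon-separated path, e.g. "etc:uat-users"
        self.members = set(members)   # direct user members
        self.subgroups = []           # groups added as members of this group
        # Default: the group's existence is visible to everyone.
        self.privs = {"VIEW": {EVERY_ENTITY}, "READ": set()}

    def grant(self, priv, subject):
        self.privs[priv].add(subject)

    def revoke(self, priv, subject):
        self.privs[priv].discard(subject)

def has_priv(group, user, priv):
    holders = group.privs[priv]
    return user in holders or EVERY_ENTITY in holders

def effective_members(group, seen=None):
    seen = set() if seen is None else seen
    if group.name in seen:            # guard against nesting cycles
        return set()
    seen.add(group.name)
    found = set(group.members)
    for sub in group.subgroups:
        found |= effective_members(sub, seen)
    return found

def read_members(group, user):
    if not has_priv(group, user, "READ"):
        raise PermissionError(f"{user} lacks READ on {group.name}")
    return effective_members(group)

def add_subgroup(parent, child, user):
    # READ is required on BOTH groups. Checking only the parent would let a
    # user nest a group they cannot read and then list its members via the parent.
    for g in (parent, child):
        if not has_priv(g, user, "READ"):
            raise PermissionError(f"{user} lacks READ on {g.name}")
    parent.subgroups.append(child)
```

With READ on only the outer group, `add_subgroup` raises `PermissionError` and the outer group's member list is unchanged; once READ on the inner group is granted, the nested members appear in `read_members`.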
In both the "course" and "org" folders, higher-level groups are used to aggregate the groups at deeper levels of the tree. For example, the group org:college:roles:itss contains all college ITSS, and course:year-of-study:1 contains all first-year students. In general, these higher-level groups are populated based on the central "systems of record" (SITS, HRIS, the University Card system and the Registration database), while deeper groups offer more control to the local college or department administrators.
In the organisational tree, each unit has two sets of admin groups associated with it: a group "admin-r" for granting read-only access to groups, and a full admin group "admin-rw" for creating groups or adding members. By default, the "admin-r" group contains all unit ITSS and the "admin-rw" group consists of the unit's primary ITSS. However, full admins can add or remove members as they see fit. In addition, full admins may create any group they like within their unit's "local" or "roles:local" folders.