UW Groups

Last updated: December 16, 2023

What’s new?

  • Added information about data classification and membership viewer controls (learn more under managing memberships).
  • UW HR groups can be sourced from Workday, with group IDs and memberships based on Supervisory Org and Academic Unit (learn more under institutional groups).

Introduction

What is a UW Group?

UW Groups are memberships of common identifiers for people, computers, and applications. Each UW Group consists of a membership list of identifiers (e.g. UW NetIDs), plus metadata about the group, such as name, description, contact, administrators, membership viewers, and authorized senders. Each UW Group can be referenced by a unique identifier called its UW Group ID.

Purpose

UW Groups support collaboration and communication by making it easier to reuse groups in tools and applications. Common uses of UW Groups include email lists, calendaring, scheduling, sharing resources, surveying, and voting.

Organizations, teams, and individuals can choose how they organize groups and where they use them. UW Groups can identify members of an organization or a part of one, members with a business or security role, or members with access to a resource.

Examples

  • Music Majors (uw_major_music)
  • UW Graduate Students (uw_affiliation_graduate)
  • FISH 478a Sustainable Fish Autumn 2020 (course_2020aut-fish478a)
  • EDW Authorized Payroll Coordinators (u_astra_urole_payrollcoordinator)
  • Microsoft Licensing Agreement Eligible Students (uw_affiliation_mla-eligible-students)
  • Academic Affiliation Group Read Access (u_groups_affiliation_student-read)
  • iSchool Service Eligible VoiceThread (uw_ischool_service_voicethread)
  • iSchool Employees IT (uw_ischool_employees_it)

Getting Started

UW Groups Service

The UW Groups service (groups.uw.edu) is the central location where UW Groups are created, managed, and integrated into applications. Some groups are managed by teams and individuals for ad hoc purposes such as projects. Other groups are managed by UW organizational and institutional processes like student enrollment. Authorized members of the UW community can use the service to manage groups under their authority and to delegate group administration to others as needed using flexible access controls for group administrators, membership managers, and subgroup creators. Group memberships can include people, applications, and computers, as well as other UW Groups.

Tip: Current faculty, staff, students, and retired faculty and staff can access groups.uw.edu. Just sign in with your UW NetID. Then you can view and manage groups based on access assigned to you.

Identify UW Groups

UW Group IDs

Each group has a unique identifier called its UW Group ID. The UW Groups service uses a structured namespace for UW Group IDs, which allows individuals, teams, and organizations to create and manage groups independently of each other. UW Group IDs can be up to 128 characters in length and contain lower-case letters, digits, dashes, and underscores. Online tools and applications that integrate UW Groups also typically refer to them by their UW Group IDs. However, UW Groups enabled for emailing the members of the group may or may not have an email address that contains the UW Group ID.

Prefixes & namespace

All UW Group IDs begin with a short prefix such as “u”, “uw”, or “course”, followed by an underscore. This prefix places the group within the top-level namespace for UW Group IDs and implies high-level characteristics such as ownership or naming authority. The components following the underscore establish more specific properties, so many UW Group IDs contain a sequence of components, each separated by an underscore, that increases in specificity from left to right.

Find UW Groups

Browse & search

To find UW Groups, browse and search the UW Groups service (groups.uw.edu). If you don’t find a group that meets your needs, ask around. Your team or organization may already have created UW Groups that suit your needs. Or if you’re collaborating within or across UW organizations, contact the related IT support staff to find out if a group exists for your purpose.

Tip: Many UW organizations are just getting started with UW Groups. When contacting them, describe what group membership you’re looking for and what tools or applications you’re hoping to use with UW Groups (e.g. “I’m contacting you because I’m trying to identify and survey folks in your department via a Catalyst WebQ and UW Groups…”).

Choose a home group

Home groups

A “home group” is used as a starting point for creating other UW Groups. Therefore, a single home group such as “uw_law” or “u_astra” can support many purposes found in many kinds of organizations, including those that organize their groups into multi-level subgroup hierarchies (e.g. “uw_law_students”, “uw_law_employees”, “uw_law_services”). Many UW organizations and some teams already have a home group you might be able to use.

Creation options

If you don’t have a home group that meets your needs, there are three options for creating them:

  • Organizational Home Group: “uw_” prefix + an organizational short name (e.g. “uw_law”), which can be requested by any UW organization by emailing help@uw.edu or created self-service by registered UW DNS subdomain contacts for the organizational short name matching their subdomain under washington.edu or uw.edu.
  • Shared UW NetID Home Group: “u_” prefix + a Shared UW NetID (e.g. “u_astra”), which can be created self-service by any current administrator of the Shared UW NetID.
  • Personal UW NetID Home Group: “u_” prefix + your Personal UW NetID (e.g. “u_sallysue”), which you can create self-service. We recommend creating this home group the first time you sign into the UW Groups service so it’s easy to create new sub-groups.

Tip: UW-IT recommends that home groups based on Personal UW NetIDs be used only for short-term team activities or personal purposes rather than critical long-term organizational purposes, since access to these groups may be lost if the group owner leaves the university.

Create a UW Group

Using a web browser

To create UW Groups using your web browser:

  1. Log in to the UW Groups service (groups.uw.edu) using your Personal UW NetID. (You cannot log in using a Shared UW NetID.)
  2. Click Create a group. This will display a form for creating a new group.
  3. Enter a display name. Some applications use this short name instead of the UW Group ID when referring to the group.
  4. Enter a UW Group ID. Note the input field is already populated with the home group based on your personal UW NetID (e.g. “u_sallysue”). Enter an ID based on this home group, or replace it with a different ID. See How to Choose a Home Group above.
    Tip: You must have permission to create the ID you enter. The ID must be a subgroup of a home group or other group for which you are an administrator or subgroup creator.
    Note: For groups that will be in Active Directory/Azure Active Directory, UW Group IDs have a character limit of 64.
  5. Enter a description. A good description helps others understand how the group is managed and how it should be used.
  6. Enter a contact person. This helps people who might have questions about the group.
  7. Enter group members by UW NetID, UW Group ID, Federated ID, DNS name, or UWWI Computer name. See How to Manage Memberships.
  8. Enter other Administrators, Member managers, and Subgroup creators, as needed.
    Tip: If you’re creating a hierarchy of groups, all with the same requirements for administration, create a group that includes your administrators as members and then reference this group as the administrator of the other groups. This way you can add and remove administrators in one place.
  9. Click “Create group” to create the group. If you have permission to create the UW Group ID, the group will be created and displayed back to you. If you don’t have permission to create the UW Group ID, an error message will be displayed to say you’re not authorized.
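The ID rules and the creation permission check described above can be pre-checked before submitting the form. The following is an added example, not code from the UW Groups service: the function names, the rule that components are non-empty, and the rule that a right on any ancestor group is sufficient are assumptions, and `uw_law_students_grad` is a constructed ID.

```python
import re

MAX_LEN = 128     # page: UW Group IDs can be up to 128 characters
MAX_LEN_AD = 64   # page: limit for groups in Active Directory/Azure AD
# Assumption: components are non-empty, so "u__x" and "u_x_" are rejected.
SHAPE = re.compile(r"[a-z0-9-]+(?:_[a-z0-9-]+)+")

def check_group_id(group_id, for_active_directory=False):
    """Return a list of problems; an empty list means the ID is well-formed."""
    problems = []
    limit = MAX_LEN_AD if for_active_directory else MAX_LEN
    if len(group_id) > limit:
        problems.append(f"longer than {limit} characters")
    if re.search(r"[^a-z0-9_-]", group_id):
        problems.append("characters other than a-z, 0-9, '-' and '_'")
    elif not SHAPE.fullmatch(group_id):
        problems.append("not a prefix followed by '_' and components")
    return problems

def ancestors(group_id):
    """Parent IDs, nearest first, ending at the home group (prefix + one component)."""
    parts = group_id.split("_")
    return ["_".join(parts[:n]) for n in range(len(parts) - 1, 1, -1)]

def may_create(group_id, netid, rights):
    """rights: group IDs where the user is an administrator or subgroup creator."""
    if check_group_id(group_id):
        return False
    if group_id == f"u_{netid}":      # personal home group is self-service
        return True
    # Compare whole components, not string prefixes: a right on "uw_law"
    # covers "uw_law_students" but must not cover "uw_lawyers".
    return any(parent in rights for parent in ancestors(group_id))
```

Matching on underscore-separated components rather than on a raw string prefix is what keeps a right on one home group from leaking to a similarly named one.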

Using an API

If you want to create and manage UW Groups using an API, refer to Groups Web Service REST API.

Manage memberships

Add and remove members

Although you can add the initial members to a group when it is created, the routine tasks of adding and removing members are performed on the membership tab. There you can add and remove individuals by their UW NetID or Federated ID. You can also manage memberships comprising other groups as members, as well as DNS names and UWWI Computer names.

Tip: The administrators, member managers, and subgroup creators for a group aren’t added automatically to the membership of a group. These roles only grant management permissions. They do not grant membership.

Add other groups as members

Adding other groups to the membership of your group is a useful feature that saves time and effort. You can add references to your own groups, as well as groups administered by others, including institutional groups. The only technical constraint on adding other groups as members is that you must have permission to view the membership of the group that you want to reference as a member of your group.

View direct and effective members

The membership tab displays the current membership of a group. By default, it displays the direct members: all of the current members that were added directly to the membership of the group. If the direct membership includes other groups as members, view the effective members for an expanded view of all direct members plus the members of the other groups.

The membership tab includes a few details about each direct or effective member. These details assist in reviewing the membership. On some browsers, positioning the cursor over an effective member will display pop-up information about its derivation.

Tip: The history tab can be used to review the details about how and when direct members were added and removed. You can even filter and review the history for specific members.

Define a membership dependency

Each group has an optional attribute called a “membership dependency group” that allows group administrators to control the membership of one group so that it depends on the membership of another group. This feature enables you to define technical controls on the direct membership, and rely on the Groups service to enforce the controls both when new members are added and on an automated basis (once every 4 hours) to remove members who are no longer members of the membership dependency group.

For example, if you add the uw_employee group as a membership dependency group, you won’t be able to add members to your group who aren’t members of the uw_employee group; you will only be able to add members to your group that are members of the uw_employee group. Furthermore, any member of your group who is removed from the uw_employee group will be removed automatically from the membership of your group as well.

Note: This feature removes a maximum of 5 members each time it processes your group. If there are a lot of members to remove, it will take a while.

Note: This feature only applies the membership dependency to direct members; it doesn’t apply the dependency to the effective membership of your group, nor to any subgroups. Therefore, if you want to enforce the same membership dependency on the memberships of several groups, add the same membership dependency group to each one.

Tip: This feature applies to all members of the group, including UW NetIDs, groups (group-ids) as members, and other types of members. All direct members of the group must be members of the defined membership dependency group.
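The enforcement behaviour described above (an add-time check, a capped periodic pass over direct members only, and no coverage of subgroups) can be modelled to estimate how long stale members linger. This is an added example, not the Groups service's own code: the function names, the sample groups and NetIDs, and the reading of "member of the dependency group" as direct or nested membership are assumptions.

```python
SWEEP_INTERVAL_HOURS = 4    # page: enforced "once every 4 hours"
MAX_REMOVALS_PER_SWEEP = 5  # page: at most 5 members removed per pass

def effective(groups, gid, _seen=None):
    """Expand nested groups into the set of non-group members (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if gid in seen:
        return set()
    seen.add(gid)
    out = set()
    for m in groups[gid]:
        out |= effective(groups, m, seen) if m in groups else {m}
    return out

def allowed(groups, dep, member):
    # Assumption: "member of the dependency group" means listed in it
    # directly or reached through its nested groups.
    return member in groups[dep] or member in effective(groups, dep)

def add_member(groups, deps, gid, member):
    """Add-time check: refuse members outside the dependency group."""
    dep = deps.get(gid)
    if dep is not None and not allowed(groups, dep, member):
        return False
    groups[gid].add(member)
    return True

def sweep(groups, deps, gid):
    """One periodic pass over DIRECT members only, capped per pass."""
    dep = deps.get(gid)
    if dep is None:          # no dependency set on this group: nothing enforced
        return []
    stale = sorted(m for m in groups[gid] if not allowed(groups, dep, m))
    removed = stale[:MAX_REMOVALS_PER_SWEEP]
    groups[gid] -= set(removed)
    return removed

def hours_until_clean(groups, deps, gid):
    """Upper bound on how long stale members linger (one interval per pass)."""
    hours = 0
    while sweep(groups, deps, gid):
        hours += SWEEP_INTERVAL_HOURS
    return hours

# Constructed sample data: 12 people who will leave uw_employee at once.
leavers = {f"netid{i:02d}" for i in range(12)}
groups = {
    "uw_employee": {"alice", "bob"} | leavers,
    "u_sallysue_project": {"alice"} | leavers,         # dependency set below
    "u_sallysue_project_admins": {"alice"} | leavers,  # subgroup, no dependency
}
deps = {"u_sallysue_project": "uw_employee"}
```

After removing `leavers` from `uw_employee`, `hours_until_clean` reports 12 hours for `u_sallysue_project` (three capped passes), while `u_sallysue_project_admins` is never cleaned because it has no dependency of its own.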

Watch a group

If you want to be notified when changes are made to the membership of a group, add it to your list of watched groups. Use the Watches menu to add and remove groups you’re watching.

Add member managers

Add member managers to allow others to update the membership of a group. Adding a member manager gives them permission to update the membership of a group, without being able to remove the group or perform other updates. They can only update the membership.

Allow members to join and leave

When you create or edit a group, you can control whether or not members are permitted to join and leave the membership on their own. You can allow anyone to join or leave, or define specific groups that may do so. Sometimes this feature is described as allowing members to opt-in or opt-out of the membership.

Note: People who are members of the uw_member group may access the UW Groups Service user interface. This includes current faculty, staff, students, retired faculty and staff, as well as applications and other authorized exceptions. People who are not in this group will not be able to use the join/leave feature. Consider an alternate method for such people to request to be added to your group.

Data classification

Each group has an optional classification attribute that group administrators can use to assign the level of privacy and security that should be applied to the group and its membership. The options are derived from APS 2.2 and APS 2.4, and include Public, Restricted, and Confidential.

  • None (Default): By default, the classification attribute is empty. Leave it empty if the group has not been through a data classification process.
  • Public: Appropriate for groups approved for public use. Currently, the Public classification has no effect on default access controls. It is available for completeness and consistency with policy. In the future it may be used to override default access controls, enabling public access policies.
  • Restricted: Appropriate for groups that have been through a data classification process resulting in Restricted classification. This classification is typically applied to groups viewed only on a need-to-know basis, or that warrant more care to safeguard their integrity or availability. The Restricted classification has no effect on default access controls. If elevated restrictions are needed, admins should apply them using the membership viewer control (described below).
  • Confidential: Appropriate for groups that have been through a data classification process resulting in Confidential classification. This classification is typically applied to more sensitive groups that are subject to regulations or could seriously and adversely impact the UW or the interests of related people or organizations. The Confidential classification is typically used with a more restrictive access policy applied using the membership viewer control (described below). Additionally, groups classified as “Confidential” require two-factor authentication to view their memberships through the UW Groups service (groups.uw.edu) browser interface.

Membership viewer control

The membership viewer control is a technical access control that restricts access to the membership of a group. Admins can use it to enforce an access policy based on data classification and evaluation of business value and risk to the UW and individuals.

Warning: Applying a membership viewer control limits more than who can view your group membership in the UW Groups service. It also limits integrations with “downstream” services that cannot enforce your defined access policy. This is the desired result from a privacy and security perspective (don’t distribute data where it can’t be protected appropriately), but it can impact desired uses of your group. For example, groups with a membership viewer control cannot be integrated and used in Azure Active Directory, and institutional groups without a defined access policy can’t be enabled for use in UW Google.

To implement a variety of access policies, membership viewer controls can include UW groups, individuals (by UW NetID), or applications (by UW CA certificate name). By default, membership viewer controls are empty, and groups without any membership viewer control can be viewed based on the default access policy (current faculty, staff, students, retired faculty and staff, as well as applications and other authorized exceptions). Additionally, membership viewer controls can be turned on and off without removing the current list of authorized clients: in the browser interface, the “no viewer restrictions” checkbox turns off viewer controls.

Examples of groups with more restrictive access policies include most institutional groups provisioned from institutional data sources: UW course groups are classified as Confidential and have membership viewer controls restricting access to members only and other authorized clients; similarly, UW major, minor, and curriculum groups are classified as Restricted and their membership viewer controls restrict access to UW employees only and other authorized clients.

Institutional Groups

Definition

Institutional groups are UW Groups that are automatically updated, nightly or in real-time, from institutional data sources using institutional practices for data management: standard business definitions for membership, published data quality standards, and operational practices to clean and augment data over time. Data custodians for UW institutional data can integrate data for their business domains into the UW Groups service. Examples include:

Refer to UW institutional groups to learn more.

Benefits

For many UW organizations, using institutional groups, incorporating them into their own UW Groups, and applying them appropriately in multiple application contexts is essential to organizational efficiency.

Learn more

More about the groups service itself:

More about some of the applications that have integrations with groups:

More about groups integration: