11. Appendix 4 - Registration of group-IDs in eduPersonEntitlement

To make it possible to retrieve all members of a group, the group-ID has to be registered on the person object of everyone who is a member of the group. In Feide, the field eduPersonEntitlement is chosen for group-IDs.

Group-IDs are quite similar to the groups a person is a member of, but they are identical for all members regardless of their role within the group. They have much stricter requirements for their design, which makes it possible to use them as unique identifiers.

The person’s information about group-IDs is constructed in such a manner that it will be connected to each school the person is affiliated to.

11.1. Everyone affiliated with the group shall have the identifier registered

All persons affiliated with a group shall have the equivalent group-ID registered on their person object. This will in most cases be students and teachers, but can also be other persons with a formal connection to the daily work within the group.

Group identifiers shall contain the groups a person is currently affiliated to. It is not expected that information regarding historical group-IDs is kept.

11.2. Relation to group information

There should be a direct correlation between the list of groups registered on a person and the list of group-IDs. A person object shall not have registered a group without a correlating group-ID, and similarly should not have any group-ID without a correlating group.

11.3. Construction of group-IDs

Group-IDs in Feide are global in scope and unique over time. They will therefore contain more information than what is normally necessary for internal use at a school-owner.

Each group-ID which is registered for a person contains 5 information elements:

| Information element | Description |
| --- | --- |
| Group type | Shows which type of group this is. Valid values are 'b', 'u' and 'a' for respectively basis-group, educational group and other group. |
| Organization number/business number | Organization number/business number to the school/school-owner the group belongs to. For most groups, this will be connected to the school, but there might be groups connected directly to the school-owner. |
| Local group-ID | An identifier of the group where name standards are defined by the school/school-owner. Shall be unique within the school/school-owner the group belongs to. |
| Start time | The first day the group is active/valid. ISO 8601 extended format for date, YYYY-MM-DD. |
| End time | The last day the group is active/valid. ISO 8601 extended format for date, YYYY-MM-DD. |

11.4. Formatting of group-IDs

Each group identifier is registered as a new line within eduPersonEntitlement. The format for the identifiers is stricter than the group affiliation described in Appendix 3, so that groups can be uniquely identified.

The line shall start with the prefix ‘urn:mace:feide.no:go:groupid:’ followed by each of the information elements in the same order as the table above. The information elements use ‘:’ as separator.

To be able to transfer values from one system to another, RFC 8141 and RFC 3986 define which values are valid, which values are used directly and which values have to be percent-encoded. URNs are limited to ASCII, so most special characters and Norwegian characters have to be percent-encoded in the transfer. The value is first translated to UTF-8, then to US-ASCII (RFC 8141 2. Syntax). This is performed by translating these characters to %<hex><hex>. The hexadecimal letters A-F *shall* be written in capital letters. For instance, the Norwegian character ‘å’ will be translated from UTF-8 into two octets that will then be encoded and become %C3%A5.

All characters which are “unreserved” in 2.3 within RFC 3986 shall be written directly, while all other characters shall be percent-encoded.

The characters that will be written directly are:

  • a-zA-Z (ALPHA)

  • 0-9 (DIGIT)

  • - (minus)

  • . (period)

  • _ (underline)

  • ~ (tilde)

<Space>/space is a special case which has to be checked thoroughly. Quite a few functions for percent-encoding encode this as a +, which deviates from RFC 3986. The correct value for URNs is %20. Host organizations have to verify that this is correct.

For group-IDs, : is used as separator between information elements. If this character is used inside the information elements, for instance in the local group-ID, it has to be encoded as %3A.

Information elements in the group-ID have different demands for the use of uppercase and lowercase letters:

  • Group type: Shall only contain one lowercase letter. Example: b

  • Organization number/business number: Shall only contain uppercase letters and numbers. Example: NO975278964

  • Local group-ID: Shall be written in lowercase letters before percent-encoding. All hexadecimal letters within percent-encoded values shall be uppercase, A-F. Example: 6a-kr%C3%B8 (6a-krø)

  • Start time: Shall only contain numbers and -. Example: 2014-08-01

  • End time: Shall only contain numbers and -. Example: 2015-06-15
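The formatting rules above as an added Python example (not part of the Feide documentation): one function builds a group-ID from the five information elements, the other validates a received value strictly. The function names are hypothetical, and rejecting non-canonical encodings on the reading side is an assumption that goes beyond the text.

```python
import re
from datetime import date
from urllib.parse import quote, unquote

PREFIX = "urn:mace:feide.no:go:groupid:"
# Strict shape of the five elements; the local group-ID allows only unreserved
# characters (letters lowercase) and %XX escapes with uppercase hex digits.
GROUP_ID_RE = re.compile(
    r"(?P<type>[bua]):(?P<org>[A-Z0-9]+):"
    r"(?P<local>(?:[a-z0-9._~-]|%[0-9A-F]{2})+):"
    r"(?P<start>[0-9]{4}-[0-9]{2}-[0-9]{2}):(?P<end>[0-9]{4}-[0-9]{2}-[0-9]{2})"
)


def encode_local_id(local_id):
    # Lowercase first, then percent-encode the UTF-8 octets. safe="" leaves only
    # RFC 3986 unreserved characters as-is: ':' -> %3A, '/' -> %2F, and
    # space -> %20 (quote_plus would emit '+', which is wrong for URNs).
    return quote(local_id.lower(), safe="", encoding="utf-8")


def build_group_id(group_type, org_number, local_id, start, end):
    """Build one eduPersonEntitlement value from the five information elements."""
    value = PREFIX + ":".join([group_type, org_number, encode_local_id(local_id),
                               start.isoformat(), end.isoformat()])
    parse_group_id(value)  # refuse to emit anything a strict reader would reject
    return value


def parse_group_id(value):
    """Strictly validate a group-ID and return its decoded elements."""
    m = GROUP_ID_RE.fullmatch(value[len(PREFIX):]) if value.startswith(PREFIX) else None
    if m is None:
        raise ValueError(f"malformed group-ID: {value!r}")
    local_id = unquote(m["local"], encoding="utf-8", errors="strict")
    # Accept only the canonical encoding, so equal groups are equal strings.
    if encode_local_id(local_id) != m["local"]:
        raise ValueError(f"non-canonical local group-ID: {m['local']!r}")
    return {"type": m["type"], "org": m["org"], "local_id": local_id,
            "start": date.fromisoformat(m["start"]),
            "end": date.fromisoformat(m["end"])}


if __name__ == "__main__":
    # Constructed sample: local group-ID taken from the example in the list above.
    print(build_group_id("b", "NO975278964", "6a-krø",
                         date(2014, 8, 1), date(2015, 6, 15)))
```

A service that compares group-IDs as plain strings for access decisions depends on every provider emitting exactly this canonical form, which is why the reader rejects `+`, lowercase hex digits and escapes of unreserved characters instead of normalizing them.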

11.5. Examples with group-IDs in eduPersonEntitlement

These examples correlate with examples for group information in Appendix 3.

11.5.1. Student in basis-group/class 6A at Berg skole (Trondheim kommune)

Group type: b
Organization number: NO975278964
Local group-ID: 6A
Start time: 1 Aug 2014
End time: 15 June 2015


11.5.2. Teacher in educational group 2kja at Tiller vgs

Group type: u
Organization number: NO974558386
Local group-ID: 2kja
Start time: 1 Aug 2014
End time: 15 June 2015


11.5.3. Student in educational group Norsk VG3 at Tiller vgs

Group type: u
Organization number: NO974558386
Local group-ID: 3aaa/3nh
Start time: 1 Aug 2014
End time: 15 June 2015


11.5.4. Student in lab-group 3 Fysikk VG3 at Tiller vgs

Group type: a
Organization number: NO974558386
Local group-ID: 3fysa/lb3
Start time: 1 Aug 2014
End time: 31 Dec 2014