Identity and Access Management

OIAM Group Naming Convention Standard

Last modified 11/6/2024

Group Naming Conventions

A group name follows the naming convention outlined below:

  • The group name will be all lower case.
    • This keeps names consistent across systems that are case sensitive.
  • Underscores ("_") are used only to separate group naming components.
    • Example - app_confluence_space_tsendpointsupport_members
  • No space (" ") characters.
  • Group names begin with one of the group type prefixes listed below.
    • No departmental/team prefixes

Group Types

  • Application Groups (app_)

Used For

Application related groups

Grouper Group Type

Access Policy Group - Published to All Directories

Group Naming Components

Structure

[Prefix]_[Application]_[Configuration]_[Sub-Configuration]_[Sub-Configuration Cont]

Prefix

"app"

Application

Name of the application

Configuration

Setting / Role Based Access Control object / configuration inside of the receiving application

Sub-Configuration

Subsequent settings / Role Based Access Control objects / configurations of the previous setting. If more than one is needed, additional Sub-Configuration components may be appended, separated by underscores.

Examples

app_confluence_space_tsendpointsupport_members
app_configmgr_adminusers_tsendpointsupport_read
app_dfs_namespace_admin
app_jamf_access_site_atendpointsupport_administrator
app_jamf_access_site_atendpointsupport_auditor
app_jamf_access_full_auditor

  • Email Groups (email_)

Used For

Distribution lists, shared mailboxes, rooms, and equipment in Exchange Online

Grouper Group Type

Access Policy Group - Published to Azure AD

Group Naming Components

Structure

[Prefix]_[EmailObject]_[Configuration/Address/Name]_[Address]

Prefix

"email"

EmailObject

Distribution List - "dist"
Shared Mailbox - "mailbox"
Room - "room"
Equipment - "equipment"

Configuration / Address / Name

The type of configuration for the email object (example: "sendas") or the beginning of the email address or object name

Address

If a configuration component is present, the address follows it.

Examples

email_dist_tsccastaff
email_dist_sendas_tsccastaff
email_mailbox_tsevents
email_room_jh301
email_equipment_tscheckoutlaptop1

  • File Server Access Groups (file_)

Used For

Access to file server shares and ACLs on network folders

Grouper Group Type

Access Policy Group - Published to All Directories

Group Naming Components

Structure

[Prefix]_[ServerName]_[ShareName]_[Folder]_[Permission]

Prefix

"file"

ServerName

The name of the server that is hosting the share or network folder.

ShareName

The name of the share on the server.

Folder

Optional: a folder within the share whose permissions differ from those of the share. Mostly used in large shares with access-based enumeration.

Permission

Type of permission granted in the ACL.

Read or Read/Execute - "r"
Read/Write - "rw"
Full Control - "full"
List/Create - "lc" (Commonly found in User Folder Redirection)

Examples

file_atscanfiles01_scans_jh205mfp_rw
file_atfileserver04_folders_cca_r
file_tscmsite07_tools_full

  • Microsoft 365 Groups (m365_)

Used For

Microsoft 365 groups (aka Unified groups)

Grouper Group Type

Access Policy Group - Published to Azure AD

Group Naming Components

Structure

[Prefix]_[Type]_[Name]

Prefix

"m365"

Type

Course Sections - "course" (See below section - "School Data Sync")
Projects - "project"
Team/Department/Private Group - "team"
Public Groups / Users Groups / Gatherings - "public"
Sharepoint Sites - "sharepoint"

Name

Name of the Microsoft Teams team.

Examples

m365_project_10221organizead
m365_project_20292selfservicegrouper
m365_team_tscca
m365_team_tsuc
m365_team_tsoiam
m365_team_isuitstaff
m365_public_ansibleusergroup
m365_public_grouperusergroup
m365_public_isurobotlunch
m365_sharepoint_sharepointname

School Data Sync

Teams created by the Microsoft School Data Sync tool are exempt from the naming standard because of technical limitations.

  • Printer Access Groups (print_)

Used For

Access to printers and print queues

Grouper Group Type

Access Policy Group - Published to All Directories

Group Naming Components

Structure

[Prefix]_[ServerName]_[PrinterName](_[Queue])

Prefix

"print"

ServerName

The name of the server that is hosting the printer.

PrinterName

The name of the printer.

Queue

If the printer has multiple queues, append the queue name.

Mono/Black & White - "black"
Color - "color"

Examples

print_tsprint08a_jh206copier_black
print_tsprint08a_jh206mfp_color
print_tsprint08a_jh111printer
print_tsprint08b_jh001plotter

  • Reference Groups (ref_)

Used For

Creating population sets in Grouper that are then used for membership in other groups, replacing traditional "role" groups.

Grouper Group Type

Reference Group - Internal to Grouper, Not Published to the Directories

Group Naming Components

Structure

[Prefix]_[Department]_([Team])_[Type]_[SubType]

Prefix

"ref"

Department


Team


Type

employee
student
affiliate

Sub Type

primary
privileged
emulator
work - Only applies to type "student"

Examples

ref_techsolutions_oiam_student_work
ref_techsolutions_oiam_student_privileged
ref_techsolutions_oiam_student_primary
ref_techsolutions_oiam_employee_privileged
ref_techsolutions_oiam_employee_primary
ref_techsolutions_oiam_employee_emulator
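As an added example (not part of the standard itself), the general conventions and the per-type structures above can be turned into a pre-provisioning check, so a name that breaks the standard is rejected before the group is created in Grouper. The controlled vocabularies below are copied from this page; the rule messages are the example's own wording.

```python
# Controlled vocabularies, taken from the standard above.
EMAIL_OBJECTS = {"dist", "mailbox", "room", "equipment"}
FILE_PERMISSIONS = {"r", "rw", "full", "lc"}
PRINT_QUEUES = {"black", "color"}
M365_TYPES = {"course", "project", "team", "public", "sharepoint"}
REF_TYPES = {"employee", "student", "affiliate"}
REF_SUBTYPES = {"primary", "privileged", "emulator", "work"}


def validate_group_name(name: str) -> list[str]:
    """Return the rules a group name breaks; an empty list means it conforms."""
    problems = []
    if name != name.lower():
        problems.append("must be all lower case")
    if " " in name:
        problems.append("must not contain spaces")
    parts = name.lower().replace(" ", "").split("_")
    if "" in parts:  # leading, trailing or doubled underscore
        problems.append("underscores may only separate non-empty components")
        return problems
    prefix, rest = parts[0], parts[1:]
    n = len(rest)
    if prefix == "app":      # app_[Application]_[Configuration](_[Sub-Configuration]...)
        if n < 2:
            problems.append("app_ needs at least [Application]_[Configuration]")
    elif prefix == "email":  # email_[EmailObject]_[Configuration|Address|Name](_[Address])
        if n not in (2, 3) or rest[0] not in EMAIL_OBJECTS:
            problems.append("email_ needs a known [EmailObject] and one or two name components")
    elif prefix == "file":   # file_[ServerName]_[ShareName](_[Folder])_[Permission]
        if n not in (3, 4) or rest[-1] not in FILE_PERMISSIONS:
            problems.append("file_ needs [ServerName]_[ShareName](_[Folder])_[Permission]")
    elif prefix == "m365":   # m365_[Type]_[Name]
        if n != 2 or rest[0] not in M365_TYPES:
            problems.append("m365_ needs a known [Type] followed by exactly one [Name]")
    elif prefix == "print":  # print_[ServerName]_[PrinterName](_[Queue])
        if n not in (2, 3) or (n == 3 and rest[2] not in PRINT_QUEUES):
            problems.append("print_ needs [ServerName]_[PrinterName] and an optional known [Queue]")
    elif prefix == "ref":    # ref_[Department](_[Team])_[Type]_[SubType]
        if n not in (3, 4) or rest[-2] not in REF_TYPES or rest[-1] not in REF_SUBTYPES:
            problems.append("ref_ needs [Department](_[Team])_[Type]_[SubType] with known values")
        elif rest[-1] == "work" and rest[-2] != "student":
            problems.append('sub type "work" only applies to type "student"')
    else:
        problems.append(f"unknown prefix '{prefix}'; departmental/team prefixes are not allowed")
    return problems


def is_valid_group_name(name: str) -> bool:
    return not validate_group_name(name)
```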