Identity Services provides support for creating ad-hoc groups of individuals via our Group Tagging service. The use-case for group tagging is that a group owner can manually tag individuals as belonging to a particular group, and then use that tag programatically to identify individuals later (e.g. to authorize access to a particular application or service).

• Any employee can request a group tag be created for their particular need.
• We'll create a group tag – a string of the form [dept]_[application] – and assign one or more owners to the tag.
• Once created, the tag owners can use our Group Tagger application to manage assignment of individuals to their group tags.
• The group tag assigned will be reflected in the individual's Identity Services record via the ucsbGroup attribute. This attribute can be queried via LDAP or requested as part of a Shibboleth attribute request.