...
When new groups are created that share a prefix, the requirement is that any defined group “lsst_N” is a superset of any subgroups, i.e. “lsst_N_1”, “lsst_N_2”. This requirement is made with the understanding that LDAP does not have a notion of subgroups and cannot enforce this requirement. It is expected to be enforced through LSST’s identity management auditing process.
Note: the above scheme allows for a group name of "lsst". This is an alias of "lsst_users". Also, if optional prefixes are not present then the underscores are not needed.
Staff Groups
For internal LSST staff, default groups hall be created with the prefix of:
...