Administration Guide › Set Up Groups and Roles › Set Up Groups and Roles › Setting Up Dynamic Directory Roles › Create a Dynamic Role

Create a Dynamic Role

For each dynamic role, you need to create an entry in the roles subtree using one of these auxiliary object classes:

• dxDynamicGroupOfNames

  This object class contains an attribute groupOfNames, which you can use to store the DN.

• dxDynamicGroupOfUniqueNames

  This object class contains an attribute groupOfUniqueNames.

All role entries must be stored in the same subtree.

To create a dynamic role

1. Add a value to the dxMemberURL attribute of a dynamic group containing a search filter in LDAP URL form:

   ldap:///base-dn??scope?filter
   

   • base-dn

     Specifies the base object for the filter search.

   • scope

     (Optional) One of the following:

   • sub

     Specifies that the filter searches the entire subtree below the base DN.

   • base

     (Default) Specifies that the filter returns just the DN.

   • one

     Specifies that the filter searches one level below the base DN.

   • filter

     (Optional) Defines the LDAP search filter, for example:

     	(|(group=teachers)(group=students))
     

2. Save the change to the entry.

   The role is applied to members when they next log in to the directory.

Example: A Dynamic Role Entry

This example shows a dynamic group entry that is used as a role.

The entry is shown in LDIF format:

dn: cn=Manager,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
objectClass: top
cn: Manager
dxMemberURL:: bGRhcDovLy9jPVFVSz9zdWI/AHNuPOR1bWVsZWXvssUpIA=0

The DN in the dxMemberURL attribute is encoded, because of the attribute's syntax. The unencoded value is as follows:

ldap:///o=Democorp,c=AU??sub?(position=manager)

In this URL, the search's base object and scope are ignored.