
Create a Dynamic Role

For each dynamic role, you need to create an entry in the roles subtree using one of these auxiliary object classes:

dxDynamicGroupOfNames

This object class contains an attribute groupOfNames, which you can use to store the DN.

dxDynamicGroupOfUniqueNames

This object class contains an attribute groupOfUniqueNames.

All role entries must be stored in the same subtree.

To create a dynamic role

  1. Add a value to the dxMemberURL attribute of a dynamic group containing a search filter in LDAP URL form:
    ldap:///base-dn??scope?filter
    
    base-dn

    Specifies the base object for the filter search.

    scope

    (Optional) One of the following:

    sub

    Specifies that the filter searches the entire subtree below the base DN.

    base

    (Default) Specifies that the filter returns just the DN.

    one

    Specifies that the filter searches one level below the base DN.

    filter

    (Optional) Defines the LDAP search filter, for example:

    (|(group=teachers)(group=students))
    
  2. Save the change to the entry.

    The role is applied to members when they next log in to the directory.

Example: A Dynamic Role Entry

This example shows a dynamic group entry that is used as a role.

The entry is shown in LDIF format:

dn: cn=Manager,ou=Groups,o=Democorp,c=AU
objectClass: groupOfNames
objectClass: dxDynamicGroupOfNames
objectClass: top
cn: Manager
dxMemberURL:: bGRhcDovLy9vPURlbW9jb3JwLGM9QVU/P3N1Yj8ocG9zaXRpb249bWFuYWdlcik=

The value of the dxMemberURL attribute is base64-encoded in the LDIF (the double colon, ::, marks an encoded value) because of the attribute's syntax. The unencoded value is as follows:

ldap:///o=Democorp,c=AU??sub?(position=manager)

When this URL is used for a dynamic role, the search's base object and scope are ignored.
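The following is an added example, not CA Directory's own code, that builds a dxMemberURL value in the ldap:///base-dn??scope?filter form from the procedure above, renders it as the base64 LDIF line shown in the example entry, and parses it back into its base DN, scope and filter (applying the documented defaults). The function names and the check that the scope is one of base, one or sub are this example's own assumptions.

```python
import base64
import re

# Added example, not CA Directory's own code: build, serialise and parse
# dxMemberURL values of the form ldap:///base-dn??scope?filter.

SCOPES = ("base", "one", "sub")   # "base" is the documented default

def build_member_url(base_dn, filt, scope="base"):
    """Return ldap:///base-dn??scope?filter (attribute list left empty)."""
    if scope not in SCOPES:
        raise ValueError("scope must be base, one or sub: %r" % scope)
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be a parenthesised LDAP filter")
    return "ldap:///%s??%s?%s" % (base_dn, scope, filt)

def parse_member_url(url):
    """Split a dxMemberURL into base_dn, scope and filter.

    An empty scope means the documented default "base"; an empty filter
    is returned as None.
    """
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", url)
    if m is None:
        raise ValueError("not an ldap:///base-dn??scope?filter URL: %r" % url)
    base_dn, _attrs, scope, filt = m.groups()
    scope = scope or "base"
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return {"base_dn": base_dn, "scope": scope, "filter": filt or None}

def ldif_line_b64(name, value):
    """Render "name:: <base64>", as the LDIF dump in the example does."""
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (name, encoded)

def decode_ldif_line(line):
    """Return (name, value) from "name: value" or "name:: base64value"."""
    name, _sep, raw = line.partition(":")
    if raw.startswith(":"):                 # "::" form: base64-encoded value
        return name, base64.b64decode(raw[1:].strip()).decode("utf-8")
    return name, raw.strip()

if __name__ == "__main__":
    url = build_member_url("o=Democorp,c=AU", "(position=manager)", "sub")
    line = ldif_line_b64("dxMemberURL", url)
    print(line)
    print(decode_ldif_line(line)[1])
    print(parse_member_url(url))
```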