Dynamic Groups and Roles

Dynamic groups and roles work in the same way as static groups and roles, except for one major difference: a dynamic group does not store each member DN in its directory entry.

Instead, dynamic groups base the role membership on an LDAP filter.

Each dynamic group entry includes an LDAP search request that is executed when a base-object search is performed on the dynamic group entry. This search finds all the directory entries that satisfy the search filter. These entries are members of the group.

You cannot make the same entry work as both a static and a dynamic role.

Dynamic groups are useful when you know that you often need to change the membership of a group, because there is no overhead involved in maintaining the group data.

If a user is removed from the directory, then that user's entry is not found by the LDAP search when it is next evaluated, so the user is automatically removed from the dynamic group.
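The evaluation described above, as an added example (not the product's own code): it assumes the group's search request is stored as an RFC 4516 LDAP URL and re-runs it against a constructed in-memory directory, supporting only `&`, `|`, `!`, equality and presence filters. `GROUP_URL`, `DIRECTORY` and all function names are hypothetical.

```python
from urllib.parse import unquote

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL into (base DN, scope, filter)."""
    rest = url.split("://", 1)[1].split("/", 1)[1]       # drop scheme and host
    base, _attrs, scope, flt = (rest.split("?") + [""] * 3)[:4]
    return unquote(base), scope or "base", unquote(flt) or "(objectClass=*)"

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # no escaped commas

def in_scope(dn, base, scope):
    dn, base = norm(dn), norm(base)
    if scope == "one":                                    # direct children only
        return dn.partition(",")[2] == base
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def _eval(f, i, entry):    # f[i] is "("; returns (result, index after the ")")
    i += 1
    if f[i] in "&|":
        op, i, results = f[i], i + 1, []
        while f[i] == "(":
            r, i = _eval(f, i, entry)
            results.append(r)
        return (all(results) if op == "&" else any(results)), i + 1
    if f[i] == "!":
        r, i = _eval(f, i + 1, entry)
        return not r, i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    vals = [v.lower() for v in entry.get(attr.lower(), [])]
    return (bool(vals) if value == "*" else value.lower() in vals), end + 1

def members(url, directory):
    """DNs in `directory` that the group's stored search would return right now."""
    base, scope, flt = parse_member_url(url)
    return sorted(dn for dn, e in directory.items()
                  if in_scope(dn, base, scope) and _eval(flt, 0, e)[0])

# Constructed sample data; attribute names are stored as lower-case keys.
GROUP_URL = "ldap:///ou=Staff,o=Example??sub?(&(objectClass=person)(title=Manager))"
DIRECTORY = {
    "cn=Ann,ou=Staff,o=Example": {"objectclass": ["person"], "title": ["Manager"]},
    "cn=Bob,ou=Staff,o=Example": {"objectclass": ["person"], "title": ["Clerk"]},
    "cn=Cy,ou=Partners,o=Example": {"objectclass": ["person"], "title": ["Manager"]},
}
if __name__ == "__main__":
    print(members(GROUP_URL, DIRECTORY))
```

Because membership follows from attribute values, write access to the attributes a filter tests (here `title`) is effectively write access to the group, so review that access alongside the filter itself.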

Dynamic roles are based on the dxMemberURL attribute of the following object classes:

You can use dynamic groups to create dynamic roles.