How Static Groups Work

Static groups are entries in the directory that contain lists of the DNs of other entries.

An application can query the directory to check whether a DN is contained in a particular group. The application can then use that information to grant or deny access to the user, or to make other changes.

Example: Static Groups for Application Administrators

This example describes how Company A, a large hotel management company, uses static groups in its staff directory.

Company A has hundreds of thousands of employees, all of whom are listed in the staff directory. The subtrees in this directory are divided by geography, and then by business unit.

The directory is used by many different applications, and each application needs to know which users should be allowed to administer that application. For example, the Payroll application gives extra privileges to users who are in the Payroll Administrators group.

When an employee logs in to the Payroll application, the following happens:

  1. The user logs in to the Payroll application.
  2. The application connects to the directory and searches for the user.
  3. The application takes the DN of the user entry and searches the groups subtree for any groups in which this user is a member.

    In this example, the user is not in the Payroll Administrators group.

  4. The application gives the user only the access allowed to general employees. This might include permission to update their own address and view their salary, tax, and leave details.
  5. If this user were in the Payroll Administrators group, the application would have given greater privileges, such as the ability to view and change the details of other employees.
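
The login flow above as an added example. This is not code from the product documentation. It runs against a small constructed in-memory directory instead of a live server. All DNs, the `uid` values and the function names are hypothetical, and the `groupOfNames`/`member` schema is an assumption, since the page does not say how membership is stored. It also shows three checks the steps imply: compare DNs in normalised form, escape values placed in a search filter, and deny access when the user lookup is not unique.

```python
# Constructed sample directory; every DN and uid below is hypothetical.
GROUPS_BASE = "ou=Groups,o=CompanyA"
PAYROLL_ADMINS = "cn=Payroll Administrators,ou=Groups,o=CompanyA"
DIRECTORY = [
    {"dn": "cn=Ana Ruiz,ou=Finance,ou=Europe,o=CompanyA", "uid": "aruiz"},
    {"dn": "cn=Bo Chen,ou=Hotels,ou=Asia,o=CompanyA", "uid": "bchen"},
    {"dn": PAYROLL_ADMINS,  # member DN stored with different case and spacing
     "member": ["CN=Ana Ruiz, OU=Finance, OU=Europe, O=CompanyA"]},
    {"dn": "cn=Booking Administrators,ou=Groups,o=CompanyA",
     "member": ["cn=Bo Chen,ou=Hotels,ou=Asia,o=CompanyA"]},
]

def norm_dn(dn):
    """Simplified DN normalisation: trim and lower-case each RDN.
    Assumes no escaped commas; real clients should use their LDAP library's DN parser."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter(value):
    """Escape the RFC 4515 special characters before building a search filter."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out

def member_filter(user_dn):
    """Filter an application could send for step 3 (member attribute assumed)."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter(user_dn)

def find_user_dn(uid):
    """Step 2: return the DN only when exactly one entry matches, else None."""
    hits = [e["dn"] for e in DIRECTORY if e.get("uid") == uid]
    return hits[0] if len(hits) == 1 else None

def groups_of(user_dn):
    """Step 3: normalised DNs of groups under GROUPS_BASE that list user_dn."""
    want, base = norm_dn(user_dn), norm_dn(GROUPS_BASE)
    return {norm_dn(e["dn"]) for e in DIRECTORY
            if norm_dn(e["dn"]).endswith("," + base)
            and want in {norm_dn(m) for m in e.get("member", [])}}

def payroll_access(uid):
    """Steps 4-5: 'admin' for group members, 'employee' otherwise."""
    dn = find_user_dn(uid)
    if dn is None:
        return "denied"  # fail closed on an unknown or ambiguous user
    return "admin" if norm_dn(PAYROLL_ADMINS) in groups_of(dn) else "employee"
```
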