How Static Roles Work

Static roles are an extension of static groups. Static roles let you control access to the directory itself, using groups in the directory.

To use static roles, you first need to set up static groups and then configure the roles.

When a user logs in to a directory with static roles, the following happens:

  1. The user logs in to the directory.
  2. The DSA authenticates the user.
  3. The DSA searches all of the groups in the specified subtree for the user's DN.
  4. If the DSA finds any group that contains the user's DN in the member or uniqueMember attribute, it uses those groups as the user's roles for this connection.

    These roles are used in decisions about access controls and other role-specific configuration items.

If an access control or other configuration item is set for the whole DSA and for a user's role, the more generous setting applies to that user.
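To audit which roles a user would receive before they log in, the group search in steps 3 and 4 and the "more generous setting" rule can be modeled offline. The following is an added example, not code from the directory product: the sample DNs and group entries are constructed, the DN normalization is simplified, and the configuration item is assumed to be a numeric limit where a larger value is the more generous one.

```python
# Added example: offline model of static role resolution, not DSA code.
import re

# Constructed sample data: group entries in an LDIF-style export.
SAMPLE_LDIF = """\
dn: cn=Admins,ou=Roles,o=Example
member: cn=Alice, ou=People, o=Example

dn: cn=Helpdesk,ou=Roles,o=Example
uniqueMember: CN=alice,OU=People,O=Example
uniqueMember: cn=Bob,ou=People,o=Example

dn: cn=Staff,ou=Groups,o=Example
member: cn=Alice,ou=People,o=Example
"""

def norm_dn(dn):
    """Simplified DN normalization: lowercase, no spaces around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_groups(ldif):
    """Return {normalized group DN: set of normalized member DNs}."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        dn, members = None, set()
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = norm_dn(value)
            elif attr.lower() in ("member", "uniquemember"):
                members.add(norm_dn(value))
        if dn:
            groups[dn] = members
    return groups

def resolve_roles(groups, user_dn, subtree):
    """Steps 3-4: groups under `subtree` whose members include the user's DN."""
    user, base = norm_dn(user_dn), norm_dn(subtree)
    return sorted(g for g, m in groups.items()
                  if (g == base or g.endswith("," + base)) and user in m)

def effective_limit(dsa_wide, role_limits, roles):
    """Assumed numeric item: the larger of the DSA-wide and role values wins."""
    return max([dsa_wide] + [role_limits[r] for r in roles if r in role_limits])
```

Note that a group outside the configured subtree (here `cn=Staff,ou=Groups,o=Example`) never becomes a role, and that one generous role value overrides a stricter DSA-wide value for every member of that group.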

If you change the value of a role-based configuration item, the new value does not apply to users who are currently logged in. After they have logged out and back in again, the new settings apply.