Administration Guide › Set Up Groups and Roles › Groups and Roles › Types of Groups and Roles

Types of Groups and Roles

There are three kinds of groups in CA Directory. Static and dynamic groups are very similar, and we recommend that you use one of these rather than access control groups.

Static groups and roles

A static group is an entry in the directory with a member attribute, which stores a list of the DNs of the entries that are members of this group.

If you set up static groups, you can then use static roles, to which you can assign access controls.

Dynamic groups and roles

A dynamic group is an entry in the directory with its membership defined by an LDAP filter. All entries that satisfy this filter are members of the dynamic group.

If you set up dynamic groups, you can set up dynamic roles to which you can assign access controls.

Access control groups

Access control groups are defined in a configuration file. Each group includes a list of member DNs. You can assign access controls to each group.

Because the groups are in the DSA configuration, you must restart the DSA to add or delete groups, and to add or remove members from the group.

If you already use access control groups, you can keep using them. However, we recommend that for new groups, you use static or dynamic groups instead, because they are more flexible and powerful, for the following reasons:

• Access control groups are less flexible—To add, delete, or change members in a static or dynamic group, you need to edit only the group's entry in the directory. You do not need to restart the DSA as you do with changes to access control groups.
• Access control groups are less powerful—Applications can use static and dynamic groups because they are directory entries. You can also extend these groups to form roles, which the directory itself can use for access controls and role-specific configuration.