Configuration Guide › LDAP User Store Management › How to Configure Groups › Configure Dynamic and Nested Groups

Configure Dynamic and Nested Groups

If you are managing an LDAP user store, you can configure support for the following types of groups in the directory configuration file:

Dynamic Groups

Enables you to dynamically define group membership by specifying an LDAP filter query in the User Console. With dynamic groups, administrators do not have to search for and add group members individually.

Nested Groups

Enables you to add groups as members of other groups.

You can enable dynamic and nested groups using the directory configuration file.

To configure a dynamic or nested group

1. Map the following well-known attributes to a physical attribute for the Group managed object as needed:
   • %DYNAMIC_GROUP_MEMBERSHIP%
   • %NESTED_GROUP_MEMBERSHIP%

   Note: The physical attribute that you select must support multiple values.

2. In the Directory Groups Behavior section, add the following GroupTypes element:

   <GroupTypes type=group>
   

3. Type a value for the following parameter:

   group

   Enables support for dynamic and nested groups. The valid values are as follows:

   • NONE—CA Identity Manager does not support dynamic and nested groups.
   • ALL—CA Identity Manager supports dynamic and nested groups.
   • DYNAMIC—CA Identity Manager supports dynamic groups only.
   • NESTED—CA Identity Manager supports nested groups only.

Once support for dynamic and nested groups is configured in the Identity Manager directory, Identity Manager administrators can specify which groups are dynamic and nested in the User Console.

Note: When you set the group type to NESTED or ALL without setting the %NESTED_GROUP_MEMBERSHIP% well-known parameter, CA Identity Manager stores both the nested groups and users in the %GROUP_MEMBERSHIP% well- known parameter. Processing group membership may be slightly slower.