Configuration Guide › LDAP User Store Management › How to Configure Groups › Configure Dynamic and Nested Groups

Configure Dynamic and Nested Groups

If you are managing an LDAP user store, you can configure support for the following types of groups in the directory configuration file:

Dynamic Groups

Enables you to define group membership by specifying an LDAP filter query in the User Console dynamically. With dynamic groups, administrators do not have to search for and add group members individually.

Nested Groups

Enables you to add groups as members of other groups.

You can enable dynamic and nested groups using the directory configuration file.

Follow these steps:

1. Map the following well-known attributes to a physical attribute for the Group managed object as needed:
   • %DYNAMIC_GROUP_MEMBERSHIP%
   • %NESTED_GROUP_MEMBERSHIP%

   Note: The physical attribute that you select must support multiple values.

2. In the Directory Groups Behavior section, add the following GroupTypes element:

   <GroupTypes type=group>
   

3. Type a value for the following parameter:

   group

   Enables support for dynamic and nested groups. The valid values are as follows:

   • NONE—CA IdentityMinder does not support dynamic and nested groups.
   • ALL—CA IdentityMinder supports dynamic and nested groups.
   • DYNAMIC—CA IdentityMinder supports dynamic groups only.
   • NESTED—CA IdentityMinder supports nested groups only.

Once support for dynamic and nested groups is configured in the CA IdentityMinder directory, CA IdentityMinder administrators can specify which groups are dynamic and nested in the User Console.

Note: Consider that you have set the group type to NESTED or ALL without setting the %NESTED_GROUP_MEMBERSHIP% well-known parameter. In such case, CA IdentityMinder stores both the nested groups and users in the %GROUP_MEMBERSHIP% well- known parameter. Processing group membership may be slightly slower.