Group Attributes Support

Network users can be mapped to a role based on group membership (distribution list) information. When a user is detected by identity manager, it retrieves the groups in which the detected user is member of from the LDAP server. Identity manager places the user under the appropriate role, based on group information and existing eight LDAP attributes.

You can specify the group name in the role's match criteria while creating the role. For example, the role creation command will appear as follows:

1  Create identity-management role Role1 match-criteria "memberOf==EXOSCLI-Review"
2  Create identity-management role Role2 match-criteria "title==Engineer; AND memberOf==PI_SW"  
A role's match criteria accepts all of the following operators: ==, !=, contains, AND, and OR.


A combination of AND and OR is not supported in the match criteria definition of the role.
You can specify groups of the following types in match-criteria:
  • direct-membership: the user is a direct member of the group specified in role match-criteria.
  • hierarchical-membership: the user is not a direct member of the group specified, but comes under a specified group, per the hierarchy of the Active Directory (i.e., nested groups). Hierarchical groups are supported in Windows Server 2003 and later. Some LDAP servers may require special OID to perform a hierarchical search.
When a user is detected by identity manager, the following things occur:
  • Identity manager retrieves eight LDAP attributes as supported before the 15.3 release, and also the Distinguished Name of the user.
  • If any role's match criteria contains group attribute, a second LDAP query is created using the Distinguished Name of the user to retrieve all of the groups that the user is a member of. If an OID is configured for the hierarchical search, it will be used to form this LDAP query.
  • Role determination takes place based on the group membership information and other LDAP attribute values.
The following optimizations are completed with respect to the LDAP query for Group Attributes:
  • All of the group names used in every role configuration are collected and stored in a global database. When the LDAP query returns a list of the user's groups, the group names are cached against the user and used for role determination. The optimization is that only the group names used for role configuration are cached. The rest of the group names are discarded.
  • The second LDAP query is not sent if the group attribute (i.e., memberOf) is not used in any role.