Group Attributes Support
Network users can be mapped to a role based on group membership
(distribution list) information. When a user is detected by identity manager, it
retrieves the groups in which the detected user is member of from the LDAP server.
Identity manager places the user under the appropriate role, based on group information
and existing eight LDAP attributes.
You can specify the group name in the role's match criteria while
creating the role. For example, the role creation command will appear as follows:
1 Create identity-management role Role1 match-criteria "memberOf==EXOSCLI-Review"
2 Create identity-management role Role2 match-criteria "title==Engineer; AND memberOf==PI_SW"
A role's match criteria accepts all of the following operators: ==,
!=, contains, AND, and OR.
A combination of AND and OR is not
supported in the match criteria definition of the role.
You can specify groups of the following types in match-criteria:
- direct-membership: the user is a direct member of the group
specified in role match-criteria.
- hierarchical-membership: the user is not a direct member of
the group specified, but comes under a specified group, per the hierarchy of the
Active Directory (i.e., nested groups). Hierarchical groups are supported in
Windows Server 2003 and later. Some LDAP servers may require special OID to
perform a hierarchical search.
When a user is detected by identity manager, the following things
- Identity manager retrieves eight LDAP attributes as
supported before the 15.3 release, and also the Distinguished Name of the
- If any role's match criteria contains group attribute, a
second LDAP query is created using the Distinguished Name of the user to
retrieve all of the groups that the user is a member of. If an OID is configured
for the hierarchical search, it will be used to form this LDAP query.
- Role determination takes place based on the group membership
information and other LDAP attribute values.
The following optimizations are completed with respect to the LDAP
query for Group Attributes:
- All of the group names used in every role configuration are
collected and stored in a global database. When the LDAP query returns a list of
the user's groups, the group names are cached against the user and used for role
determination. The optimization is that only the group names used for role
configuration are cached. The rest of the group names are discarded.
- The second LDAP query is not sent if the group attribute
(i.e., memberOf) is not used in any role.