Group Attributes Support

Network users can be mapped to a role based on group membership (distribution list) information. When identity manager detects a user, it retrieves from the LDAP server the groups of which that user is a member. Identity manager then places the user under the appropriate role, based on the group information and the eight existing LDAP attributes.

You can specify the group name in the role's match criteria when you create the role. For example, the role creation commands appear as follows:

create identity-management role Role1 match-criteria "memberOf==EXOSCLI-Review"
create identity-management role Role2 match-criteria "title==Engineer; AND memberOf==PI_SW"

A role's match criteria accepts all of the following operators: ==, !=, contains, AND, and OR.
Note

A combination of AND and OR is not supported in the match criteria definition of the role.
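
The following is an added example, not part of the original page and not the product's own code: a small Python model for checking, before roles are created, which roles a user's LDAP attributes would satisfy and whether a criteria string mixes AND with OR. The function names and sample users are hypothetical, and the handling of the trailing ';', case-sensitive value comparison, and != on a missing attribute are assumptions of this model rather than documented switch behavior.

```python
import re

# One clause: attribute, operator, value. The optional trailing ';' mirrors the
# Role2 example on the page; treating it as a separator is an assumption.
_CLAUSE = re.compile(r"^\s*(\w+)\s*(==|!=|contains)\s*(.+?)\s*;?\s*$")

def parse_criteria(text):
    """Split a match-criteria string into (joiner, [(attr, op, value), ...])."""
    parts = re.split(r"\s+(AND|OR)\s+", text.strip())
    joiners = set(parts[1::2])
    if len(joiners) > 1:
        # The page's note: AND and OR cannot be combined in one role.
        raise ValueError("AND and OR cannot be combined: " + text)
    clauses = []
    for raw in parts[0::2]:
        m = _CLAUSE.match(raw)
        if not m:
            raise ValueError("unparseable clause: " + repr(raw))
        clauses.append((m.group(1).lower(), m.group(2), m.group(3)))
    return (joiners.pop() if joiners else "AND"), clauses

def clause_matches(attrs, attr, op, value):
    # memberOf is multi-valued in LDAP, so every attribute is compared as a list.
    values = attrs.get(attr, [])
    values = [values] if isinstance(values, str) else list(values)
    if op == "==":
        return value in values
    if op == "!=":
        # Model assumption: also true for a user who lacks the attribute entirely.
        return value not in values
    return any(value in v for v in values)  # contains = substring match

def matching_roles(roles, user):
    """Return the names of all roles whose criteria the user's attributes satisfy."""
    attrs = {k.lower(): v for k, v in user.items()}
    hits = []
    for name, criteria in roles.items():
        joiner, clauses = parse_criteria(criteria)
        results = [clause_matches(attrs, *c) for c in clauses]
        if all(results) if joiner == "AND" else any(results):
            hits.append(name)
    return hits

# Role definitions from the page; the users below are constructed sample data.
ROLES = {"Role1": "memberOf==EXOSCLI-Review",
         "Role2": "title==Engineer; AND memberOf==PI_SW"}
ALICE = {"title": "Engineer", "memberOf": ["PI_SW", "EXOSCLI-Review"]}
BOB = {"title": "Manager", "memberOf": ["PI_SW"]}
```

A user who satisfies more than one role, as the constructed user ALICE does here, is worth reviewing before deployment, as is any role built on != that a user with no value for that attribute would also match.
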
You can specify groups of the following types in match-criteria:
When a user is detected by identity manager, the following things occur:
The following optimizations are completed with respect to the LDAP query for Group Attributes: