Dynamic groups and nested group support

Dynamic and nested groups simplify WebSphere Application Server security management and increase its effectiveness and flexibility. Dynamic groups contain a group name and membership criteria:

• The group membership information is as current as the information on the user object.

• There is no need to manually maintain members on the group object.

• Dynamic groups are designed so an application does not need a large amount of information from the directory to find out if someone is a member of a group.

Nested groups enable the creation of hierarchical relationships that are used to define inherited group membership. A nested group is defined as a child group entry whose distinguished name (DN) is referenced by a parent group entry attribute.

You only need to assign a larger parent group if all nested groups share the same privilege. Assigning a role to a single parent group simplifies the run-time authorization table.

Dynamic groups and nested group support for the IBM Tivoli Directory Server

WebSphere Application Server supports all Lightweight Directory Access Protocol (LDAP) dynamic and nested groups when using IBM Tivoli Directory Server. This function is enabled by default by taking advantage of a new feature in IBM Tivoli Directory Server. IBM Tivoli Directory Server uses the ibm-allGroups forward-reference group attribute that automatically calculates all the group memberships including dynamic and recursive memberships for a user. Security directly locates a user group membership from a user object rather than indirectly search all the groups to match group members.

For more information, see Configuring dynamic and nested group support for the IBM Tivoli Directory Server.

IBM Directory Services is the IBM Directory Server product that runs on the i5/OS platform. IBM Directory Server ships with either OS/400 V5 Release 2 or i5/OS V5 Release 3 and later. Fixes are required to provide full LDAP Version 5.1 support. For more information about IBM Directory Services and the necessary fixes, see iSeries Directory Services (LDAP): New V5R2 Enhancements.

When you create groups, ensure that nested and dynamic group memberships work correctly. Attention: Configure IBM Directory Services V5 Release 1 and earlier in WebSphere Application Server as the SecureWay directory type. Dynamic and nested groups are not supported in these previous releases of IBM Directory Services.

Dynamic and nested group support for the SunONE or iPlanet Directory Server

Groups

Entries that name other entries as a list of members or as a filter for members.

Roles

Entries that name other entries as a list of members or as a filter for members. Additional functionality is provided by generating the nsrole attribute on each role member.

Filtered roles

Depends upon the attributes that are contained in each entry. Entries are members, if they match a specified Lightweight Directory Access Protocol (LDAP) filter. This role is equivalent to a dynamic group.

Nested roles

Creates roles that contain other roles. This role is equivalent to a nested group.

Managed roles

Explicitly assigns a role to member entries. This role is equivalent to a static group.

Refer to Configuring dynamic and nested group support for the SunONE or iPlanet Directory Server for more information.

Related concepts

Related tasks