Dynamic groups and nested group support

Dynamic and nested groups simplify WebSphere Application Server security management and increase its effectiveness and flexibility. Dynamic groups contain a group name and membership criteria:

• The group membership information is as current as the information on the user object.

• There is no need to manually maintain members on the group object.

• Dynamic groups are designed so an application does not need a large amount of information from the directory to find out if someone is a member of a group.

Nested groups enable the creation of hierarchical relationships that are used to define inherited group membership. A nested group is defined as a child group entry whose distinguished name (DN) is referenced by a parent group entry attribute.

You only need to assign a larger group if all nested groups share the same privilage. Assigning a role to a single parent group simplifies the run-time authorization table.

Related concepts

Locating a user's group memberships in Lightweight Directory Access Protocol

Lightweight Directory Access Protocol user registries

Related tasks
Configuring dynamic and nested group support for the IBM Tivoli Directory Server
Configuring dynamic and nested group support for the SunONE or iPlanet Directory Server
Using specific directory servers as the LDAP server