Creating a Dynamic Group with Identity Manager

A dynamic group is not unlike any other LDAP group with but a few exceptions.  Its membership list is generated by an LDAP query rather than a direct DN assignment.  The power of a dynamic group within an IDM infrastructure, is that roles and entitlements can be granted to the dynamic group, and as a user’s attributes change, the entitlements can be granted or revoked based on the group membership rather than maintaining the entitlement on each individual user account.   As these entitlements can extend beyond the native directory of IDM, this can be a powerful tool for creating birthright roles and permissions across an enterprise.

In technical difference, a dynamic group, includes two additional attributes to perform this, dgIdentity and memberQuery.  The attribute, dgIdentity, is the DN of the user who will execute the LDAP query.  The attribute, memberQuery, is an Octet string that defines the LDAP query parameters.  It has a very particular format that is unique to each directory.

The following action executes the ECMAscript to build the memberQuery.  It requires the directory tree name, the context of the LDAP search, the attribute name to be used by the query, and the attribute value to build the LDAP query.

The following ECMAscripts, build the octet for the memberQuery attribute:

Adding these scripts and actions to your IDM drivers, will allow you to properly create the appropriate attributes for your dynamic group.  Good luck!

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.

Leave a Reply

Your email address will not be published. Required fields are marked *