How to configure IM to create dynamic group with members visible in CA Directory?
search cancel

How to configure IM to create dynamic group with members visible in CA Directory?

book

Article ID: 37199

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

How to configure IM to create dynamic group with members visible in CA Directory?

Environment

Release: 14.X
Component: IDMGR

Resolution

To enable Dynamic groups in Identity Manager you need to follow this document.

If you want to make it so all the members of dynamic group will be visible in the member attribute in CA Directory instead of only in IM User UI please follow steps below.

If you are using different product that utilizes CA Directory but not Identity Manager you will also need to follow steps below till step 5.

Assumption: IM is working and can create static group.

  1. Enable dynamic groups in CA Directory

Dynamic roles are based on the dxMemberURL attribute of the following object classes:

  •         dxDynamicGroupOfNames
  •         dxDynamicGroupOfUniqueNames

 

You can add one of these attributes to a groupOfNames or groupOfUniqueNames object class, respectively so that dxMemberURL can be included.

  1. Stop the DSA
  2. Add the following commands to the the DSA's settings under \CA\Directory\dxserver\config\settings:

 

set dynamic-group [tag] = {

objectclass = object-class

url-attr = attribute

member-attr = attribute

};

For example if your Userstore DSA is using Userstore.dxc file edit it, if your userstore DSA is using default config file edit default.dxc.

You can check which file is used in:

CA\Directory\dxserver\config\servers\<name of your userstore>.dxi

under

# operational settings
source "../settings/UserStore.dxc";

*** See Additional information if you are using Management UI for CA Directory ***

  1. Start DSA
  2. Export corporate directory in IM

 

 

 

  1. Edit the directory xml file by adding

 

objectclass="dxDynamicGroupOfUniqueNames"

and modifying

physicalname="memberURL" to physicalname="dxMemberURL"

 

to managed object attribute  %DYNAMIC_GROUP_MEMBERSHIP%

 

For example,

 

<ImsManagedObjectAttr physicalname="dxMemberURL" description="Dynamic Group Query"  objectclass="dxDynamicGroupOfUniqueNames" displayname="DynamicGroup Query" valuetype="String" multivalued="true" wellknown="%DYNAMIC_GROUP_MEMBERSHIP%" maxlength="0" hidden="true" system="true" searchable="false"/>

 

  1. Save the change, update the IM directory, and restart the environment when being prompted.
  2. Verify the change is updated into IM directory

 

 

  1. Create a dynamic group via IM User Console

 

 

All users with title contains “Manager” are now added as members:

 

 

From JXplorer, the dynamic group looks like this:

 

 

Additional Information

Above instruction assumes you are not using CA directory Management UI to make changes in your DSA's.

If you do you will need to perform some steps in the Management UI instead of direct changes in the file.

Changes from step 3 you will have to put under tab  "raw settings" after you edit your User DSA in Management UI.

set dynamic-group [tag] = {

objectclass = object-class

url-attr = attribute

member-attr = attribute

};

More details about CA directory dynamic groups you will find under this link.

Also please be aware that objectclass and object-class are the same and both will work here.

 

Attachments

1558723338523000037199_sktwi1f5rjvs16wt9.png get_app
1558723336646000037199_sktwi1f5rjvs16wt8.png get_app
1558723335025000037199_sktwi1f5rjvs16wt7.png get_app
1558723333256000037199_sktwi1f5rjvs16wt6.png get_app
1558723331664000037199_sktwi1f5rjvs16wt5.png get_app
1558723329592000037199_sktwi1f5rjvs16wt4.png get_app
Powered by Wolken Software