How to setup Nested Groups in Enterprise Manager
search cancel

How to setup Nested Groups in Enterprise Manager


Article ID: 9651


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)


It is possible to use nested groups while setting up scoping rules in roles for privileged account access in Enterprise Manager. 

Once enabled Enterprise Manager looks at the Active Directory attribute wbemPath to know which groups are nested in AD. There is no native support for nested groups so each group that is nested and will be used in Enterprise Manager must have the wbemPath updated to list the underneath groups.  In order to see the wbemPath value in Active Directory User and Computers you must enable the Advanced Features in the View Menu. 


Enterprise Manager 12.9+ using Active Directory as the user store.


You will first need to update ac-dir.xml under Directory Groups Behavior so that it will look for nested groups. You can get access to ac-dir.xml from our idmmange page. Export the xml and search for GroupTypes by default this is set to DYNAMIC. You will need to update this to be set for ALL. 


<!--   ******************** Directory Groups Behavior ********************   --> 
 	<!-- OPTIONAL - GroupTypes determines what kind of groups Identity Manager will use. --> 
 	<!-- GroupTypes consists of the following attributes:  --> 
 	<!-- 1. type - indicates the type of groups Identity Manager uses  (NONE, ALL, DYNAMIC, NESTED)  --> 
 	<!-- If type is ALL or NESTED, be sure to determine and configure the nested group membership --> 
 	<!-- if the nested group members are to be stored in a separate static member list, the an additional  --> 
 	<!-- ImsManagedObjectAttribute for %NESTED_GROUP_MEMBERSHIP% will need to be provided  --> 
 	<!-- in the definition for the Group Managed Object.  -->
	<GroupTypes type="ALL"/>

Once set you will need to update the ac-dir.xml in one other location so that the import will succeed. Look for <Container objectclass="top,organizationalUnit" attribute="ou"/> and after "ou" add value="". 


<Container objectclass="top,organizationalUnit" attribute="ou" value=""/>

Import the ac-dir.xml back into idmmange and go to Home › Environments › ac-env › Advanced Settings › Miscellaneous. Please make sure that SkipLDAPDynamicGroupSearch and StoreADUsersInCache is set to false. If you set UseInMemoryEvaluation make sure it's value is 3. 

Now Enterprise Manager is fully setup to see nested group in scoping rules. You will also need to update each group you will reference in scoping rules so that the nested groups are set in the wbemPath attribute. 


My top level group is SAMUsers. It's member is SAMAuthUser group. Users who need access are within the SAMAuthUser group. I have updated the wbemPath of SAMUsers to include the full DN of the nested group. 


You will need to add each member group one by one to this list. One this is done you can update your roles within Enterprise Manager to point to the top level group. Any groups and users within this group will be giving access based on the scope. 

Example Role: Access Control for PUPM Privileged Access Role



I added so that users who are members of group SAMUsers have access to privileged accounts under the Access Control for PUPM endpoint type. My user is not a direct member of SAMUsers but a member of the SAMAuthUser group which is nested under SAMUsers.