2.3 Creating Dynamic Groups

This solution uses dynamic groups to define the criteria required to receive a Roles Based Provisioning Module role. Dynamic groups allow you to specify the criteria used to evaluate membership in the group. For more information about dynamic groups, see the AppNote How to Manage and Use Dynamic Groups.

To create a dynamic group for all active employees:

  1. Log in to iManager as an administrative user.

  2. Click Directory Administration > Create Object under Roles and Tasks.

  3. Select Dynamic Group from the available object classes list, then click OK.

  4. Use the following information to create the dynamic group:

    GroupName: Specify a unique name for the group. For example, Active Employees.

    Context: Browse to and select the container where you want to create the dynamic group.

    Dynamic Group: Select the option to create the dynamic group.

    Nested Group: For this solution, do not select this option.

    Set Owner: Select this option to set the logged-in user as the owner.

  5. Click OK, then click Modify.

  6. In the Description field, specify a description for this role.

    IMPORTANT: The description is the value displayed for the group in the User Application. If there is no description value, the group is not displayed in the User Application.

  7. Click the Dynamic tab.

  8. Use the following information to define the criteria for membership in this dynamic group:

    Query: If you have more than one requirement for the dynamic group, click the plus icon to add another query.

    Start search at (Base DN): Specify the DN of the starting location to perform the search for members of the group.

    Search Scope: Specify a scope for the search. If you don’t specify a scope, the base scope is assumed. The options are:

    • Search Base DN searches only the base object.

    • Search One Level searches the direct subordinates of the base object. The base object is not searched.

    • Search Sub Containers searches the base object and all objects in the subtree below it.

    Search Multiple Servers: Select whether the search should include multiple servers or only the server containing the dynamic group object. If you select yes, the server communicates with other servers while searching for dynamic members. If you select no, a local search is performed for dynamic members.

    NOTE: If you select to search multiple servers for dynamic members, it can take a long time for the results to be returned.

    Search Filter Read Write Replica: Select whether to search for dynamic members in the Filtered Read Write replica. This option is enabled only if you have selected no for Search Multiple Servers.

    Search Filter: Define the criteria for membership in the dynamic group. You can type the text if you know the proper syntax, or you can launch the Advance Selection Criterion Wizard to define the criteria.

    For an object to become a member of the dynamic group, this solution requires that it have an objectClass equal to inetOrgPerson and an employeeStatus attribute equal to Active.

    Figure: Defining criteria

  9. Click OK to save the changes.

  10. Create a second dynamic group where the objectClass is equal to inetOrgPerson and the Title attribute is equal to Finance Clerk.
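
The following is an added example, not part of the original documentation: it builds the Search Filter text for the criteria in steps 8 and 10 and previews which entries each Search Scope option would select, so the membership that drives role assignment can be checked before the group is used. The base DN and the directory entries are constructed sample data, each attribute is simplified to a single value, and values are compared case-insensitively as an assumption.

```python
# Added example: BASE and ENTRIES are constructed sample data, not from the page.
BASE = "ou=users,o=example"
ENTRIES = {
    "cn=akhan,ou=users,o=example":
        {"objectclass": "inetOrgPerson", "employeestatus": "Active", "title": "Finance Clerk"},
    "cn=bliu,ou=users,o=example":
        {"objectclass": "inetOrgPerson", "employeestatus": "Inactive", "title": "Finance Clerk"},
    "cn=cdiaz,ou=finance,ou=users,o=example":
        {"objectclass": "inetOrgPerson", "employeestatus": "Active", "title": "Auditor"},
    "cn=printer1,ou=users,o=example":
        {"objectclass": "device", "employeestatus": "Active"},
}
ACTIVE = [("objectClass", "inetOrgPerson"), ("employeeStatus", "Active")]   # step 8
CLERKS = [("objectClass", "inetOrgPerson"), ("Title", "Finance Clerk")]     # step 10
SCOPES = {"Search Base DN": "base", "Search One Level": "one", "Search Sub Containers": "sub"}

def escape(value):
    """Escape RFC 4515 special characters so a value cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def and_filter(criteria):
    """Text for the Search Filter field: every criterion must match."""
    return "(&" + "".join("(%s=%s)" % (a, escape(v)) for a, v in criteria) + ")"

def in_scope(dn, base_dn, scope):
    dn, base_dn = dn.lower(), base_dn.lower()
    if dn == base_dn:
        return scope in ("base", "sub")       # one-level excludes the base object
    if scope == "base" or not dn.endswith("," + base_dn):
        return False
    relative = dn[:-len(base_dn) - 1]         # RDNs below the base (escaped commas not handled)
    return scope == "sub" or "," not in relative

def members(entries, base_dn, scope_label, criteria):
    """DNs selected by the criteria; an unspecified scope falls back to base."""
    scope = SCOPES.get(scope_label, "base")
    return sorted(
        dn for dn, attrs in entries.items()
        if in_scope(dn, base_dn, scope)
        and all(attrs.get(a.lower(), "").lower() == v.lower() for a, v in criteria)
    )

if __name__ == "__main__":
    print(and_filter(ACTIVE))
    for label in SCOPES:
        print(label, members(ENTRIES, BASE, label, ACTIVE))
    print("Finance Clerk:", members(ENTRIES, BASE, "Search Sub Containers", CLERKS))
```

With the sample data, the step 10 criteria still select the inactive user bliu, because that filter does not test employeeStatus.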