Nested Groups

Beginning with version 2 of the MLDAP ESM Module (available in Enterprise Server 2.3 and some hotfixes for Enterprise Server 2.2 Update 2), you can specify groups as members of other groups. This nested groups feature lets you add users to groups through a form of inheritance and create large user groups.

No special module configuration is required to use nested groups. To include group A in group B, simply add group A to the list of members for group B. In this case group B is known as a supergroup of group A. Users who belong to group A will now also belong to group B.

Nested groups are generally most useful when All-Groups Mode is enabled, but do not require it.

Applications

Nested groups may be useful for various purposes:

  • Large groups. In the Micro Focus LDAP, user groups are implemented as LDAP objects with membership information stored in the multivalued microfocus-MFDS-Group-Member attribute. LDAP servers generally have restrictions on how large an attribute can be, which limits the number of members that a group can have. Nested groups can be used to create a group with a large number of members. For example, to create an ALLUSERS group with thousands of users, you might create a USERSA group with all the users whose user IDs begin with "A", a USERSB group, and so on; then make the USERSA, USERSB, ... groups members of ALLUSERS. USERSA and its sibling groups may never be used for any other purpose (for example, there may not be any ACEs that assign permissions to those groups); they exist just to let ALLUSERS contain all the user accounts.
  • Group hierarchies. Sometimes user groups conceptually form a hierarchy. For example, there might be groups for individual project areas (UI, ENGINE, etc), all of which are part of a larger DEVEL group. Nested groups lets you represent this arrangement by including the more-specific groups in the larger group.
  • Simplified group and permission management. Nested groups can reduce the number of groups a user needs to be explicitly added to, in order to correctly represent that user's position in the organization and assign the correct permissions. That can make it simpler to update group membership when adding and removing users.

Limitations

Not all ESF Administration features currently work correctly with nested groups. If you use nested groups, Micro Focus recommends administering them with the esfadmin command's ADDMEMBER and DELMEMBER sub-commands, or with LDAP tools operating directly on the LDAP repository, rather than using the MFDS graphical user interface. The LISTREFERENCES sub-command (and ESF Admin API function) does not currently show supergroup membership; that also means that the Referential Integrity Sample User Exit does not recognize that users belong to supergroups.

Group membership changes, including changes in how groups are nested, are recognized when a user signs on to a region for the first time after that region is started. You can also instruct the region to update its information about group membership by sending it an ESF update request using the MFDS administration user interface or the esfupdate command-line utility.

Nesting a group using esfadmin

Assume Alice belongs to the PROJ1 group. We can add PROJ1 to the DEV group using the esfadmin command:

esfadmin options ADDMEMBER GROUP=DEV MEMBER="PROJ1 group"

Now Alice will belong to both PROJ1 and DEV.

Nesting a group using LDIF

The following LDIF fragment creates the AUDIT and FINANCE groups, and makes AUDIT part of FINANCE:

dn: cn=AUDIT,CN=Enterprise Server User Groups,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
adminDisplayName: Audit group
objectClass: microfocus-MFDS-Group
microfocus-MFDS-UID: AUDIT
description: ES auditors group

dn: cn=FINANCE,CN=Enterprise Server User Groups,CN=Micro Focus,CN=Program Data,DC=X
changetype: add
adminDisplayName: Finance group
objectClass: microfocus-MFDS-Group
microfocus-MFDS-UID: FINANCE
description: ES finance group
microfocus-MFDS-Group-Member: AUDIT group