Managing groups

Note

Support for group members with differing objectClass attributes was added in Connector Pack 4.5.0.

You can configure Bravura Security Fabric's workflow engine to manage group membership on LDAP systems. You can also map profile attributes to the _groups pseudo-attribute on the target so that users can select groups when making a request. However, this method is currently incompatible with group management through Bravura Security Fabric's workflow configuration. Changes made through one method are not reflected in the other.

Group membership management for groups of objectclass: posixGroup can be performed through Bravura Security Fabric's workflow configuration.

In multiple object LDAP schema environments, multiple group members of differing objectClass attributes may also be added to or removed from LDAP groups. Multiple objectclasses may be specified within "groups" in the "address" kvgroup in the LDAP attribute script file.

For more information see Account attributes and Groups.

Updating group attributes

Group attributes may be mapped for the _container_dn pseudo-attribute on the LDAP Directory Service server so that users can move a group to a different container to move contexts.

The _container_dn group attribute is mapped to the GROUP_OU resource attribute by default. To allow a new container to be specified when updating the group, override the group attribute by changing the value for 'Action when updating group' from 'None' to 'Set to specified value when mapped profile attribute changes'.

The GROUP_OU resource attribute is then added as a member of the GROUP_INFO_UPDATE resource attribute group. A user may then specify a new container for the group when making a request to update attributes for a group.

Group attributes may also be mapped for an attribute on the LDAP target system such as cn so that users can rename a group id. In this case, a new resource attribute may be added for the custom attribute and added as a member of the GROUP_INFO_UPDATE resource attribute group. A custom cn group attribute is then added for the LDAP Directory Service target and mapped to the resource attribute, with the value for 'Action when updating group' set to 'Set to specified value when mapped profile attribute changes'.

A user may then specify a new group id for the group when making a request to update attributes for a group.