Groups › Create a Dynamic Group

Create a Dynamic Group

You can create a dynamic group by defining an LDAP filter query using the User Console to dynamically determine group membership at runtime without having to search and add users individually.

For example, if you wanted to generate a group that lists all U.S. employees of NeteAuto, you could define an LDAP search filter similar to the following in the Dynamic Group Query field of the User Console:

ldap:///cn=Employees,o=NeteAuto,c=US??sub

You could also modify this query to locate employees outside the United States.

Static, Dynamic, and Nested Groups Example shows an example of a group created by static, dynamic, and nested groups.

You include Dynamic Group Query field in the task by editing the associated profile screen. It is not included by default in the Create Group task.

Note: To enable dynamic groups, system administrators configure support in the directory configuration file (directory.xml):

• Add the GroupTypes element in the Directory Groups Behavior section as follows:

  <GroupTypes type=type>

  type can be NESTED, DYNAMIC, or ALL.

  GroupTypes is case-sensitive.

• Map the %DYNAMIC_GROUP_MEMBERSHIP% well-known attribute to a physical attribute that exists in the user store.

To create a dynamic group:

1. In the User Console, select Groups, Create Group.
2. Choose to create a new group or a copy of a group and click OK.
3. On the Profile tab, enter a group name, group organization, description, and group administrator name.
4. Enter an LDAP search filter like the following example in the Dynamic Group Query field:

   ldap:///cn=Employees,o=NeteAuto,c=US??sub?

5. Click Submit.

Note: Only an administrator with the Modify Group task can change a group’s dynamic membership.