13-14 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory ldapsearch -D cn=orcladmin -q -p 3060 -h myhost -b c=us \ -s sub cn;lang-it=Giovanni You can use the -X or -B options to ldapsearch to print binary values. See Also: Attribute Options on page 3-11 See Also: The ldapsearch command reference in Oracle Fusion Middleware Reference for Oracle Identity Management. 14 Managing Dynamic and Static Groups 14-1 14 Managing Dynamic and Static Groups This chapter explains how to administer both static and dynamic groups in Oracle Internet Directory. This chapter contains these topics: ■ Introduction to Managing Dynamic and Static Groups ■ Managing Group Entries by Using Oracle Directory Services Manager ■ Managing Group Entries by Using the Command Line Introduction to Managing Dynamic and Static Groups Oracle Internet Directory enables you to assign and manage membership in two types of groups—namely, static groups and dynamic groups. Each type of group suited for a different purpose. This section contains these topics: ■ Static Groups ■ Dynamic Groups ■ Hierarchies ■ Querying Group Entries ■ orclMemberOf Attribute ■ When to Use Each Kind of Group Static Groups A static group is one whose entry contains a list of members that you explicitly administer. Note: If you are creating a hierarchy of groups, be sure that it is a true hierarchy as described in Hierarchies on page 14-6. See Also: ■ Security Groups on page 29-4 for instructions on setting access control policies for group entries ■ Globalization Support on page 3-15 and Chapter 29, Managing Directory Access Control for information about access privileges 14-2 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory A static group requires you to explicitly administer its membership. For example, if a member changes his name, then you must change that users DN for each group he belongs to. For this reason, a static group is best suited for a group whose membership is unlikely to change frequently. Schema Elements for Creating Static Groups When you create the entry for this kind of group, you associate it with either the groupOfNames or groupOfUniqueNames object class. Each of these object classes has a multivalued attribute for storing the names of group members. To assign a user as a member of a group, you add the DN of each member to the respective multivalued attribute. Conversely, to remove a member from a group, you delete the members DN from the respective attribute. In the groupOfNames object class, this multivalued attribute is member, and, in the groupOfUniqueNames object class, it is uniqueMember. Dynamic Groups A dynamic group is one whose membership, rather than being maintained in a list, is computed, based on rules and assertions you specify. Oracle Internet Directory supports the following methods for dynamically computing the membership of the group: ■ Using orclDynamicGroup object class and labeleduri attribute ■ Using orclDynamicGroup object class and CONNECT_BY attributes ■ Using orclDynamicList object class and labeleduri attribute referred as dynamic list Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute. Cached and Uncached Dynamic Groups Dynamic groups can be cached or uncached. By cached, we mean that dynamic group members are computed and stored when the dynamic group is added, and that the member list is kept consistent when the dynamic group is later modified. As entries are added, modified, deleted, and renamed, the member lists of all dynamic groups are kept consistent. For example, if there is a dynamic group containing all person entries under c=us, when we add cn=user1,c=us, that entry is automatically added to the member list of the dynamic group. Similarly, when we delete cn=user1,c=us, the entry is removed from the dynamic groups member list. This feature ensures that whenever a search is performed for a dynamic group, the member list can be fetched from the stored data without any additional computation. The search performance for cached dynamic groups is almost the same as for static groups. Cached Dynamic Group Starting with Oracle Internet Directory 10g 10.1.4.0.1, dynamic groups based on orclDynamicGroup object class using labeleduri attribute are cached Uncached Dynamic Group ■ Dynamic groups based on orclDynamicGroup object class using CONNECT_BY attributes are not cached. ■ As of Oracle Internet Directory 11g Release 1 11.1.1.4, a second type of dynamic group based on labeleduri attribute is available. It is referred to as a dynamic Managing Dynamic and Static Groups 14-3 list, and its members are not cached. You determine whether a dynamic group based on the labeleduri attribute is cached or uncached by selecting the type of auxiliary object class your group is associated with, as described in Schema Elements for Creating a Dynamic Group on page 14-4. If you want a cached group, associate your group with the auxiliary object class orclDynamicGroup. If you want an uncached group, associate your group with the auxiliary object class or orclDynamicList object class. Enhancements to and Limitations of Dynamic Groups in Oracle Internet Directory In Oracle Internet Directory 10g 10.1.4.1 and later releases, you can use dynamic groups in the same ways you use static groups. For example, you can use them in: ■ Access control lists, by associating the group with either the orclACPgroup or the orclPrivilegeGroup object class. ■ Hierarchical group resolution queries Dynamic groups have the following limitations in Oracle Internet Directory: ■ Hierarchical queries and queries involving specific attributes of members can only be done on cached dynamic groups. Notes: ■ You cannot add a dynamic group based on the labeledURI attribute with scope base. Only scope sub and one are supported. ■ To refresh dynamic group memberships for dynamic groups using the orclDynamicGroup object class and labeleduri attribute, set the attribute orclrefreshdgrmems in the DSA Configuration entry to 1. Oracle Internet Directory recomputes the member lists for all dynamic groups and resets the value of orclrefreshdgrmems to 0. If there are many groups, this operation can take a long time to complete. ■ When you query for the groups that a user belongs to, dynamic groups based on the labeledURI attribute are automatically included in the result. Dynamic groups based on the CONNECT_BY assertion and dynamic lists must be explicitly queried. For example, assume nc=jdoe,cn=users,o=oracle is a member of three groups: labeleduri dynamic group dgrouplab1, CONNECT BY dynamic group dgroupcby1, and dynamic list dlist1. The search uniquemember=cn=jdoe,cn=users,o=oracle finds only the cached labeleduri dynamic group dgrouplab1. See Also: ■ About LDAP Controls in Oracle Fusion Middleware Reference for Oracle Identity Management for more information on controls used by Oracle Internet Directory ■ The C API chapter in Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management ■ Performing Hierarchical Searches in Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management 14-4 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory ■ Dynamic groups can only be added using ldapadd or ODSM. They cannot be added by using bulkload. ■ The attributes used in the LDAP filter part of the labeleduri must be indexed. See Creating and Dropping Indexes from Existing Attributes by Using catalog on page 15-11 and About Indexing Attributes on page 20-6. ■ You cannot change the objectclass of a dynamic group after the group has been created. You must delete the group and re-create it. ■ Searches for the uniquemember attribute will not pick up dynamic lists or CONNECT BY assertion-based dynamic groups. Schema Elements for Creating a Dynamic Group When you create a dynamic group, you begin as when creating a static group—that is, you associate its entry with either the groupOfNames or groupOfUniqueNames object class. You then associate that object class with the auxiliary object class orclDynamicGroup or orclDynamicList. The auxiliary object class orclDynamicGroup has various attributes in which you specify one of two methods for dynamically computing the membership of the group: using the labeledURI attribute and using a CONNECT BY assertion. The auxiliary object class orclDynamicList supports only the labeledURI attribute method of computing membership. The two methods of computing membership are: ■ Using the labeledURI attribute Both of the auxiliary object classes orclDynamicGroup and orclDynamicList have the labeledURI attribute. If you associate your group with orclDynamicGroup and use the labeledURI attribute to compute membership, the group is cached. If you associate your group with orclDynamicList and use the labeledURI attribute to compute membership, the group is not cached. This uncached type, using orclDynamicList objectclass, is referred to as a dynamic list. When using the labeledURI method, the directory server performs a typical search based on the hierarchy of the DIT. It requires you to provide a value for one of the attributes of the orclDynamicGroup or orclDynamicList object class, namely labeledURI. In this attribute, you specify the base of the query, the filters, and any required attributes. For example, suppose that you have entered the following value for the labeledURI attribute: labeledURI:ldap:host:portou=NewUnit,o=MyCompany,c=US??sub?objectclass=perso n When you use this method, a search for the entry returns entries for all members of the group. Do not set orclConnectByAttribute or orclConnectByStartingValue when using the labeledURI attribute method. Note: In the labeledURI attribute, the host:port section is present for syntax purposes alone. Irrespective of the host and port settings in the labeledURI attribute, the directory server always computes members of dynamic group from the local directory server. It cannot retrieve members from other directory servers. Managing Dynamic and Static Groups 14-5 ■ Using a CONNECT BY assertion Unlike the labeledURI attribute method, this method relies not on the hierarchy of the DIT, but on attributes that implicitly connect entries to each other, regardless of their location in the DIT. For example, the manager attribute connects the entries of employees with those of their managers, and this connection applies regardless of the location of the employee entries in the DIT. This method uses a CONNECT BY clause in which you specify the attribute to use for building the hierarchy—for example, manager—and the starting value for such a hierarchy—for example, cn=Anne Smith,cn=users,dc=example,dc=com. More specifically, to use this method, you specify in the orclDynamicGroup object class a value for each of the single-valued attributes in Table 14–1 . For example, to retrieve the entries of all employees who report to Anne Smith in the MyOrganizational Unit in the Americas, you would provide values for these attributes as follows: orclConnectByAttribute=manager orclConnectByStartingValue= cn=Anne Smith,ou=MyOrganizationalUnit,o=MyCompany,c=US Do not set labeledURI when using the CONNECT BY assertion method. You can also develop an application specifying that you want the values for a particular attribute—for example, the email attribute—of all the members. The following examples show the two kinds of dynamic group entries. Example: a Dynamic Group Entry Using the labeledURI Attribute The following is an example of a dynamic group entry using the labeledURI attribute. dn: cn=dgroup1 cn: dgroup1 See Also: The LDAP URL Format RFC 2255. T. Howes, M. Smith, December 1997. This RFC provides more information about how LDAP URLs are to be represented—as, for example, in the labeledURI attribute. It is available at http:www.ietf.org . See Also: Performing Hierarchical Searches in Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management Table 14–1 orclDynamicGroup Attributes for Connect By Assertions Attribute Description orclConnectByAttribute The attribute that you want to use as the filter for the query—for example, manager. This attributed must be indexed. orclConnectByStartingValue The DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith,cn=users,dc=example,dc=com See Also: Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management for more information about how to develop applications that retrieve values for particular attributes 14-6 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory description: this is an example of a dynamic group labeleduri:ldap:hostname:7777ou=oid,l=amer,dc=oracle, dc=dgrptest??sub?objectclass=person objectclass: orcldynamicgroup objectclass: groupOfUniqueNames objectclass: top This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest. Example: a Dynamic List Entry Using the labeledURI Attribute The following is an example of a dynamic list entry using the labeledURI attribute. Dynamic lists are not cached. It is the same as the previous example, except that the auxiliary object class is orclDynamicList instead of orclDynamicGroup dn: cn=dgroup1 cn: dgroup1 description: this is an example of a dynamic group labeleduri:ldap:hostname:7777ou=oid,l=amer,dc=oracle, dc=dgrptest??sub?objectclass=person objectclass: orcldynamiclist objectclass: groupOfUniqueNames objectclass: top This group will have uniquemember values that are the DNs of all entries associated with the object class person in the subtree ou=oid,l=amer,dc=oracle,dc=dgrptest. Searches for the uniquemember attribute, however, will not pick up dynamic lists Example: a Dynamic Group Entry Using the CONNECT BY Assertion The following is an example of a dynamic group entry that uses the CONNECT_BY assertion. dn: cn=dgroup2 cn: dgroup2 description: this is connect by manager assertion dynamic group orclconnectbyattribute: manager orclconnectbystartingvalue: cn=john doe sr,l=amer,dc=oracle,dc=dgrptest objectclass: orcldynamicgroup objectclass: groupOfUniqueNames objectclass: top This dynamic group has unique members with values that are DNs of all the entries whose manager attribute is cn=john doe sr. either indirectly or directly. If several individuals have cn=john doe JR. as their manager, and he, in turn, has cn=john doe SR. as his manager, then all the lower-level individuals are returned. Hierarchies Hierarchies can be either explicit or implicit. In explicit hierarchies, the relationship is determined by the location of the entry in the DIT—for example, Group A may reside higher in the DIT than Group B. In implicit hierarchies, the relationship between entries is determined not by the location in the DIT, but by the values of certain attributes. For example, suppose that you have a DIT in which the entry for John Doe is at the same level of the hierarchy as Anne Smith. However, suppose that, in the entry for John Doe, the manager attribute Managing Dynamic and Static Groups 14-7 specifies Anne Smith as his manager. In this case, although their locations in the DIT are at an equal level, their rankings in the hierarchy are unequal because Anne Smith is specified as John Does manager. Querying Group Entries An application can query either kind of group to do the following: ■ List all members of a group ■ List all groups of which a user is a member ■ Check to see if a user is a member of a particular group In addition, you can query dynamic groups, but not static ones, for whatever member attributes you specify. orclMemberOf Attribute orclMemberOf is a mutivalued attribute containing the groups to which the entry belongs. The groups in orclMemberOf include static groups and labeleduri-based dynamic groups. CONNECT BY assertion-based dynamic groups and dynamic lists are not included. The membership includes both direct groups and nested groups. For example, suppose Mary is a member of the static group directors and the group directors is a member of the static group managers. If you do a specific query for the attribute orclMemberOf on Marys DN, it will show the value: managers,directors The attribute values are computed during search and are not stored. This attribute cannot be used in search filters. orclMemberOf is not returned in a search unless explicitly requested by name. orclMemberOf has the aliases memberof and ismemberof for compatibility with Active Directory and Oracle Directory Server Enterprise Edition formerly Sun Java System Directory Server and SunONE iPlanet. Note: In a query based on an implicit hierarchy, the client can specify in the search request the control 2.16.840.1.113894.1.8.3. The filter in this query specifies the attribute used to build the implicit hierarchy. For example, manager=cn=john doe, o=foo specifies the query for all people reporting directly or indirectly to John Doe. The implicit hierarchy is based on the manager attribute. The base of the search is ignored for such queries. For more information on controls used by Oracle Internet Directory, see About LDAP Controls in Oracle Fusion Middleware Reference for Oracle Identity Management. See Also: The C API chapter in Oracle Fusion Middleware Application Developers Guide for Oracle Identity Management See Also: The GSL_REQDATTR_CONTROL entry under LDAP Controls in Oracle Fusion Middleware Reference for Oracle Identity Management. 14-8 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory When to Use Each Kind of Group When deliberating about which kind of group to use, you must weigh the ease of administration against higher performance. For example, dynamic groups provide for easier administration, but cause a decrease in performance. Table 14–2 lists some things to consider when deliberating whether to use static or dynamic groups. Managing Group Entries by Using Oracle Directory Services Manager You can manage static and dynamic group entries by using the Data Browser page in Oracle Directory Services Manager. You can display group entries, search for groups, and view groups using the procedures described in Managing Entries by Using Oracle Directory Services Manager on page 13-1. The procedures for creating and modifying groups are described in this section. This section contains the following topics: ■ Creating Static Group Entries by Using Oracle Directory Services Manager ■ Modifying a Static Group Entry by Using Oracle Directory Services Manager ■ Creating Dynamic Group Entries by Using Oracle Directory Services Manager ■ Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager Creating Static Group Entries by Using Oracle Directory Services Manager If the static group entry belongs to the groupOfNames object class, then you determine membership in the group by adding DNs to the multivalued attribute member. If the entry belongs to the groupOfUniqueNames object class, then you determine membership in the group by adding DNs to the multivalued attribute uniqueMember. To add a static group entry: See Also: Chapter 17, Managing Alias Entries. Table 14–2 Static and Dynamic Group Considerations Consideration Static Groups Dynamic Groups Ease of administration More difficult to administer if group memberships are large and change frequently Easier to use, especially when group memberships are large and change frequently Search Performance Higher level of performance because you explicitly administer the membership list Slightly decreased level of performance with dynamic groups using labeleduri, but almost same when compared to static groups, because memberships are cached. Decrease in performance with uncached groups, when compared to static groups and cached dynamic groups because memberships are computed as needed. Managing Dynamic and Static Groups 14-9 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager on page 7-9.

2. From the task selection bar, select Data Browser.

3. On the toolbar, choose the Create a new entry icon. Alternatively, right click any

entry and choose Create. You can, alternatively, select a group that is similar to the one you want to create, then choose the Create a new entry like this one icon. Alternatively, right click any entry and choose Create. The Create New Entry wizard appears.

4. Specify the object classes for the new entry. Click the Add icon and use the Add

Object Class dialog to select either groupOfNames or groupOfUniqueNames. All the superclasses from this object class through top are also added. Click OK. 5. In the Parent of the entry field, you can specify the full DN of the parent entry of the entry you are creating. You can also click Browse to locate and select the DN of the parent for the entry you want to add, then click Select. If you leave the Parent of the entry field blank, the entry is created under the root entry.

6. Click Next.

7. Choose an attribute which will be the Relative Distinguished Name value for this

entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.

8. Click Next. The next page of the wizard appears. Alternatively, you can click Back

to return to the previous page.

9. Click Finish.

10. To add an owner or member, navigate to the group entry you just created in the Data Tree.

11. Select the Group tab.

12. To add an owner to the group, click the Add icon next to the Owner box.

13. Enter the owners DN or click the button to select the entry you want to add as owner usually a user or group entry in the Select Distinguished Name Path dialog. Click OK. 14. To add a member to the group, click the Add icon next to the Members text box 15. Enter the members DN or click the button to select the entry you want to add as a member usually a user or group entry in the Select Distinguished Name Path dialog. Click OK. 16. Optionally, enter a description for the entry.

17. Choose Apply to apply your changes or choose Revert to abandon your changes.

18. To make other changes to the group entry, see Modifying a Static Group Entry by Using Oracle Directory Services Manager 14-10 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory Modifying a Static Group Entry by Using Oracle Directory Services Manager To modify an attribute, such as the member list, for a group entry:

1. Select the group in the data tree.

2. To add or delete an owner or member, select the Group tab or the Attributes tab.

3. To add a member to the group, click the Add icon next to the Members text box.

4. Select the entry you want to add as a member usually a user or group entry in

the Select Distinguished Name Path dialog. Click OK. 5. To add an owner to the group, click the Add icon next to the Owners text box.

6. Select the entry you want to add as an owner usually a user or group entry in the

Select Distinguished Name Path dialog Click OK. 7. To delete an owner or member, select it in the list and click the Delete icon. 8. To add or modify an attribute other than an owner or member, select the Attributes tab.

9. By default, only non-empty attributes are shown. You can switch between

Managed Attributes and Show All by using the Views list.

10. To change the list of attributes shown as managed attributes, click the icon under

Optional Attributes . Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view.

11. Specify values for the optional properties. You can also modify the values of the

mandatory properties. For multivalued attributes, you can use the Add and Delete icons to add and delete multiple values.

12. Click Apply to save your changes or Revert to discard them.

13. You can set an access control point ACP on this entry by using the Subtree Access

and Local Access tabs. The procedures are described in Adding or Modifying an ACP by Using the Data Browser in ODSM on page 29-21 and Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM on page 29-21. Creating Dynamic Group Entries by Using Oracle Directory Services Manager Dynamic groups can have static and dynamic members. The static members are listed as values of the member or uniquemember attribute. If the dynamic group entry belongs to the groupOfNames object class, then add static members to the group by See Also: ■ Dynamic Groups on page 14-2 ■ Security Groups on page 29-4 ■ Globalization Support on page 3-15 Managing Dynamic and Static Groups 14-11 adding DNs to the multivalued attribute member. If the dynamic group entry belongs to the groupOfUniqueNames object class, then add static members to the group by adding DNs to the multivalued attribute uniqueMember. For dynamic groups, you must also set attributes to specify how the group membership is computed. You must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. To add a dynamic group entry: 1. Invoke Oracle Directory Services Manager and connect to the Oracle Internet Directory server as described in Invoking Oracle Directory Services Manager on page 7-9.

2. From the task selection bar, select Data Browser.

3. On the toolbar, choose Create a new entry. The Create New Entry wizard appears.

4. Specify the object classes for the new entry. Select at least the following object class entries. ■ Either groupOfNames or groupOfUniqueNames ■ orclDynamicGroup or orclDynamicList Use orclDynamicGroup for a cached dynamic group based on labeledURI or a dynamic group based on CONNECT BY. Use orclDynamicList for an uncached dynamic list based on labeledURI. Click the Add icon and use the Add Object Class dialog to select object class entries. Optionally, use the search box to filter the list of object classes. To add the object class, select it and then click OK. All the superclasses from this object class through top are also added.

5. In the Parent of the entry field, you can specify the full DN of the parent entry of

the entry you are creating. You can also click Browse to locate the DN of the parent for the entry you want to add, then click Select. If you leave the Parent of the entry field blank, the entry is created under the root entry.

6. Click Next.

7. Choose an attribute which will be the Relative Distinguished Name value for this

entry and enter a value for that attribute. You must enter a value for the cn attribute, even if it is not the RDN value.

8. Click Next. The next page of the wizard appears. Alternatively, you can click Back

to return to the previous page.

9. Click Finish.

10. To add an owner or member, navigate to the group entry you just created in the Data Tree. You might have to click the Refresh icon to see the new entry.

11. Select the Group tab.

12. To add an owner to the group, click the Add icon next to the Owner box.

14-12 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory 13. Select the entry you want to add as owner usually a user or group entry in the Select Distinguished Name Path dialog. Click OK. 14. To add a member to the group, click the Add icon next to the Members text box 15. Select the entry you want to add as a member usually a user or group entry in the Select Distinguished Name Path dialog. Click OK. 16. Optionally, enter a description for the entry.

17. Choose Apply to apply your changes or choose Revert to abandon your changes.

18. Select the Attributes tab.

19. You can switch between Managed Attributes and Show All by using the Views

list. 20. To change the list of attributes shown as managed attributes, click the icon under Optional Attributes . Select attributes you want to move from the All Attributes list to the Shown Attributes lists and use the Move and Move All arrows to move the attributes. Select attributes you want to move from the shown Attributes list to the All Attributes lists and use the Remove and Remove All arrows to move the attributes. Click Add Attributes to make your changes take effect or click Cancel to discard your changes. After you click Add Attributes, only the attributes that were on the Shown Attributes list are shown in the Managed Attributes view. 21. If you are using the labeledURI method for dynamically computing membership in the group, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. In the Attributes tab page, in the labeledURI field, specify the following: ldap:ldap_URL For example: ldap:my_host:3000ou=MyNeworganizationalUnit, o=MyCompany,c=US??sub?objectclass=person If you are using the CONNECT BY method for dynamically computing membership in the group, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. In the orclConnectByAttribute field, specify the attribute that you want to use as the filter for the query—for example, manager. In the orclConnectByStartingValue field, specify the DN of the attribute you specified in the orclConnectByAttribute attribute—for example, cn=Anne Smith. For information about specifying the other attributes that appear in the Attributes tab page, see User and Group Schema Elements in Oracle Fusion Middleware Reference for Oracle Identity Management.

22. Click Apply to save your changes or Revert to discard them.

23. You can set an access control point ACP on this entry by using the Subtree Access and Local Access tabs. The procedures are described in Adding or Modifying an ACP by Using the Data Browser in ODSM on page 29-21 and Setting or Modifying Entry-Level Access by Using the Data Browser in ODSM on page 29-21. Managing Dynamic and Static Groups 14-13 Modifying a Dynamic Group Entry by Using Oracle Directory Services Manager Remember that you must choose either the labeledURI or the CONNECT BY method for dynamically computing membership in the group. You cannot use both methods. If you are using the labeledURI method, you must set the labeledURI attribute, but not the orclConnectByAttribute and orclConnectByStartingValue attributes. If you are using the CONNECT BY method, you must set the orclConnectByAttribute and orclConnectByStartingValue attributes, but not the labeledURI attribute. To modify an attribute for a dynamic group entry, proceed as for a static group entry, as described in Modifying a Static Group Entry by Using Oracle Directory Services Manager on page 14-10. You can add static members to a dynamic group, but you are not required to do so. Managing Group Entries by Using the Command Line You can manage static and dynamic groups from the command line by using LDAP tools. This section contains the following topics: ■ Creating a Static Group Entry by Using ldapadd ■ Modifying a Static Group by Using ldapmodify ■ Creating a Dynamic Group Entry by Using ldapadd ■ Modifying a Dynamic Group by Using ldapmodify Creating a Static Group Entry by Using ldapadd The syntax for the LDIF file is: dn: DN_of_group_entry objectclass: top objectclass: groupOfNames | groupOfUniqueNames member: DN of member 1 member: DN of member 2 . . . member: DN of member N The following command adds the group and members in this LDIF file to the directory: ldapadd -p port_number -h host -D cn=orcladmin -q -f file_name.ldif See Also: ■ Dynamic Groups on page 14-2 ■ Security Groups on page 29-4 ■ Globalization Support on page 3-15 Notes: ■ When you create a group, specifying members is optional and is shown here for the sake of completeness. ■ It is uncommon to have dynamic groups with static membership.