Static groups

Edit online

A static group defines each member individually using the structural objectclass groupOfNames, groupOfUniqueNames, accessGroup, or accessRole; or the auxiliary objectclass ibm-staticgroup or ibm-globalAdminGroup.

A static group using the structural objectclasses groupOfNames and groupOfUniqueNames require at least one member or uniqueMember, respectively.

IBM® Security Directory Server enforces partial referential integrity for static groups. Referential integrity is a database concept that ensures relationships between tables remain consistent.When a static group is added into the directory, the members need not exist in the directory. However, when an object is deleted from the directory, all static groups that have this object as a member are updated automatically to remove this object from their lists of members. In addition, when an object is renamed in the directory, all static groups and nested groups that have this object as a member are updated automatically to rename this object in their lists of members.

Note: This concept does not apply to dynamic groups because dynamic groups are search-based. The deletion of an object from the directory automatically causes it to be excluded from the search results.

A typical group entry is:

DN: cn=Dev.Staff,ou=Austin,o=sample
objectclass: accessGroup
cn: Dev.Staff 
member: cn=John Doe,ou=Austin,o=sample
member: cn=Jane Smith,ou=Austin,o=sample
member: cn=James Smith,ou=Austin,o=sample

Each group object contains a multivalued attribute consisting of member DNs.

Upon deletion of an access group, the access group is also deleted from all ACLs to which it has been applied.

Note: Referential integrity results in updates to the modifyTimeStamp of the group entry to which a member belongs. In a replication environment, ldap operations of type deletion, modrdn, or movement of a member entry from one tree to another invokes referential integrity on both Master (Supplier) and Replica (Consumer). To avoid any replication conflict that may arise because of group entries on master and replica bearing different timestamp values, the modifyTimeStamp of the affected group is set to the value of the modifyTimeStamp of the member entry that was affected in the last operation, subject to the modifyTimeStamp of the last operation being later than the existing modifyTimeStamp of the group.