Understanding local groups

A local group is a security group that is defined in the Content Cortex domain and controlled by the domain administrators instead of in an external LDAP service. Controlling authorization with a local group gives you the flexibility to create and assign members to access groups without requiring updates to the LDAP repository.
A local group can be used in the same way as an LDAP defined group:
  • As the grantee of a permission
  • For membership in a role

The Content Cortex domain administrator specifies the members of a local group. The members can be users and groups drawn from any LDAP security realm, users from a managed realm that are controlled by an identity provider, or other local groups (group nesting). Because local groups are defined independently of the user management mechanism, access control stays in the hands of the Content Cortex administrators, free from the constraints that often apply to LDAP-defined groups or other user management methods.

Enabling local groups

The local groups feature is not enabled when you first create a domain or when you upgrade from an earlier release. You must enable the capability before you can start creating and using local groups.

To enable local groups, use the API or the Administration Console for Content Platform Engine to set the domain property LocalGroupsEnabled to true.

In addition to enabling the creation and management of local groups, setting this property to true also creates a new security realm through which users who are managing security can search for local groups. This realm has the name “dc=LocalGroups” and it displays as a choice for where to search in security dialogs in both the Administration Console for Content Platform Engine and IBM® Content Navigator.

Creating and managing local groups

A local group is represented by an instance of the CmLocalGroup class, which can be manipulated using standard API mechanisms or through the Administration Console for Content Platform Engine.

Local groups have a short name, defined by the GroupName property, and a display name, defined by the DisplayName property. The GroupName value must conform to the rules for symbolic names and must be unique among the short names of any user or group from any security realm.

The members of a local group are defined through a set of CmLocalGroupMember objects listed in the LocalGroupMembers property of the local group object. Each of these is simply a reference to the User or Group object that represents the member.

For each local group object a corresponding Group object is created within the local groups security realm, with ShortName and DistinguishedName properties that are determined as follows:
ShortName
    Matches the GroupName property of the local group object.
DistinguishedName
    Takes the form "cn=<GroupName value>,dc=LocalGroups"

Local group objects can be retrieved by name or ID, but there is no method for directly searching for such objects. Instead, you must search the local groups security realm to retrieve the Group objects that correspond to the local groups of interest. You can then use the Group objects to fetch the local group objects.

Using local groups

Use local groups to control access in the same way that you use other types of groups, for example:
  • To grant access to a local group, specify the distinguished name of the group as the GranteeName of the permission object.
  • To assign membership of a static role to a local group, add a CmRolePrincipalMember instance to the RoleMembers list of the static role, with the MemberPrincipal property of the member object referencing the Group object for the local group in question.
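The rules above (the "cn=<GroupName>,dc=LocalGroups" distinguished name, the uniqueness of GroupName across realms, nested local groups, and a permission whose GranteeName is a local group DN) can be checked in a small model. The following is an added example, not code from the Content Platform Engine API or its documentation; the symbolic-name pattern, the case-insensitive short-name comparison and the sample DNs are assumptions for illustration.

```python
import re
LOCAL_REALM = "dc=LocalGroups"  # realm name the page gives for local groups
SYMBOLIC_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed symbolic-name rule, illustrative only

def local_group_dn(group_name):
    """DistinguishedName of the Group object mirrored for a local group, in the form the page gives."""
    return f"cn={group_name},{LOCAL_REALM}"

class LocalGroupDirectory:
    """Toy model of the local-groups realm: name checks plus nested-membership resolution."""
    def __init__(self, existing_short_names):
        self.taken = {n.lower() for n in existing_short_names}  # short names from all realms, case-insensitive (assumption)
        self.groups = {}  # local group DN -> list of member DNs (users, LDAP groups, other local groups)

    def validate_name(self, group_name):
        """Return None when the GroupName is acceptable, otherwise the reason it is rejected."""
        if not SYMBOLIC_NAME.match(group_name):
            return "not a symbolic name"
        if group_name.lower() in self.taken:
            return "short name already used in some realm"
        return None

    def create(self, group_name, members=()):
        problem = self.validate_name(group_name)
        if problem:
            raise ValueError(f"{group_name!r}: {problem}")
        self.taken.add(group_name.lower())
        dn = local_group_dn(group_name)
        self.groups[dn] = list(members)
        return dn

    def effective_members(self, dn, _seen=None):
        """Expand nested local groups down to leaf members; a cycle is entered once and not followed again."""
        seen = set() if _seen is None else _seen
        if dn in seen:
            return set()
        seen.add(dn)
        leaves = set()
        for member in self.groups[dn]:
            if member in self.groups:  # nested local group: recurse
                leaves |= self.effective_members(member, seen)
            else:  # user or external LDAP group: kept opaque, not expanded by this model
                leaves.add(member)
        return leaves

    def grant_applies(self, principal_dn, grantee_name):
        """True if a permission whose GranteeName is grantee_name covers principal_dn."""
        if grantee_name == principal_dn:
            return True
        return grantee_name in self.groups and principal_dn in self.effective_members(grantee_name)
```

External LDAP groups are treated as opaque leaves here; a real access review would also expand them against the LDAP realm.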