---
title: Creating nested groups
description: PingDirectory server supports nested groups where the distinguished name (DN) of an entry that defines a group is included as a member in the parent entry.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_create_nested_groups
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_create_nested_groups.html
revdate: May 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  example-5: Example:
---

# Creating nested groups

PingDirectory server supports nested groups where the distinguished name (DN) of an entry that defines a group is included as a member in the parent entry.

## About this task

The following example shows a nested static group, `cn=Engineering Group`, whose `uniquemember` attributes point to other groups, in this case `cn=Developers Group` and `cn=QA Group`.

```
dn: cn=Engineering Group,ou=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
cn: Engineering Group
uniquemember: cn=Developers,ou=Groups,dc=example,dc=com
uniquemember: cn=QA,ou=Groups,dc=example,dc=com
```

By default, nested group support is enabled on the PingDirectory server.

The PingDirectory server uses a group cache to support nested groups without a performance hit. The cache supports static group nesting that includes other static, virtual static, and dynamic groups. The server provides a monitoring entry for the group cache, `cn=Group Cache,cn=Monitor`.

In practice, nested groups are not commonly used for the following reasons:

* LDAP specifications do not directly address the concept of nested groups, and some servers do not provide any level of support for them.

* Supporting nested groups in LDAP clients is not trivial, and many applications that interact with groups on the PingDirectory server do not provide any support for nesting.

> Disable this support if:
>
> * Nesting support is not needed in your environment.
> * Nesting support is only required for clients but is not needed for server-side evaluation, such as for groups used in access control rules, criteria, virtual attributes, or other ways that the server might need to make a membership determination.

To create nested static groups:

## Steps

1. Open a text editor, and create a group entry in LDIF.

   1. Include the `groupOfUniqueNames` object class and `uniquemember` attributes.

   2. If `ou=groups` is not already set up on your server, add it in the same file.

   3. Save the file as `nested-group.ldif`.

      Assume that the static groups, `cn=Developers Group` and `cn=QA Group`, have been configured.

      ### Example:

      The following example shows how to set up a nested static group, which is a static group that contains `uniquemember` attributes whose values contain other groups (static, virtual static, or dynamic).

      ```
      dn: ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: organizationalunit
      ou: groups

      dn: cn=Engineering Group,ou=groups,dc=example,dc=com
      objectclass: top
      objectclass: groupOfUniqueNames
      cn: Engineering Group
      uniquemember: cn=Developers,ou=groups,dc=example,dc=com
      uniquemember: cn=QA,ou=groups,dc=example,dc=com
      ```

2. To add the group entry, use `ldapmodify`.

   ### Example:

   ```shell
   $ bin/ldapmodify --defaultAdd --filename nested-group.ldif
   ```

3. Verify the configuration using the `isMemberOf` virtual attribute, which reports the group membership of an entry.

   By default, the virtual attribute is enabled. Use `ldapsearch` to request the `isMemberOf` virtual attribute and determine whether `uid=user.14` is a member of the `cn=Development` group.

   ### Example:

   In this example, assume that the administrator has the privilege to view operational attributes.

   ```shell
   $ bin/ldapsearch --baseDN dc=example,dc=com "(uid=user.14)" isMemberOf

   dn: uid=user.14,ou=People,dc=example,dc=com
   isMemberOf: cn=Development,ou=groups,dc=example,dc=com
   ```

4. In a text editor, create an access control instruction (ACI) in LDIF. Save the file as `eng-group-aci.ldif`.

   > Use the group as a target in the ACI.

   ### Example:

   ```
   dn: ou=People,dc=example,dc=com
   changetype: modify
   add: aci
   aci: (target ="ldap:///ou=People,dc=example,dc=com")
     (targetattr != "cn || sn || uid")
     (targetfilter ="(ou=Engineering Group)")
     (version 3.0; acl "Engineering Group Permissions";
       allow (write) (groupdn = "ldap:///cn=Engineering Group,ou=groups,dc=example,dc=com");)
   ```

5. Add the file using the `ldapmodify` tool.

   ### Example:

   ```shell
   $ bin/ldapmodify --filename eng-group-aci.ldif
   ```

   > When nesting dynamic groups, you cannot include other groups as members of a dynamic group. You can only support nesting by including the members of another group with a filter in the member URL. For example, if you have two groups, `cn=dynamic1` and `cn=dynamic2`, you can nest one group in another by specifying it in the member URL.
   >
   > ```
   > dn: cn=dynamic1,ou=groups,dc=example,dc=com
   > objectClass: top
   > objectClass: groupOfURLs
   > cn: dynamic1
   > memberURL: ldap:///dc=example,dc=com??sub?(isMemberOf=cn=dynamic2,ou=groups,dc=example,dc=com)
   > ```
   >
   > The members included from the other group using this method are not considered nested members and are returned even when using `isDirectMemberOf` when retrieving the members.
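The following is an added example, not PingDirectory code: it resolves the effective membership of nested static groups offline from an LDIF file, which is what the server's group cache does for `isMemberOf` and `isDirectMemberOf`, and therefore shows exactly who an ACI such as the `Engineering Group Permissions` rule above grants `write` access to. The sample LDIF is constructed and deliberately contains a nesting cycle (`cn=Developers` lists `cn=Engineering Group` back as a member) to show that expansion must stop rather than recurse forever.

```python
# Added example (not PingDirectory code): resolve effective membership of nested
# static groups from LDIF, as the server's group cache does for isMemberOf /
# isDirectMemberOf. Constructed sample LDIF with a nesting cycle (Developers -> Engineering).
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=Engineering Group,ou=groups,dc=example,dc=com
uniquemember: cn=Developers,ou=groups,dc=example,dc=com
uniquemember: cn=QA,ou=groups,dc=example,dc=com

dn: cn=Developers,ou=groups,dc=example,dc=com
uniquemember: uid=user.14,ou=People,dc=example,dc=com
uniquemember: cn=Engineering Group,ou=groups,dc=example,dc=com

dn: cn=QA,ou=groups,dc=example,dc=com
uniquemember: uid=user.7,ou=People,dc=example,dc=com
"""

def parse_ldif_groups(text):
    """Map each entry DN to its uniquemember values (lower-cased: LDAP DNs are case-insensitive)."""
    groups, dn = defaultdict(list), None
    for line in text.splitlines():
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not line.strip():
            dn = None                      # blank line ends the entry
        elif attr == "dn":
            dn = value.lower()
        elif attr == "uniquemember" and dn is not None:
            groups[dn].append(value.lower())
    return groups

def effective_members(groups, group_dn):
    """Return (direct, nested, cycle): direct = user DNs listed in the group itself
    (isDirectMemberOf); nested = reached only via member groups (isMemberOf)."""
    direct, nested, path, cycle = set(), set(), [], False
    def walk(dn):
        nonlocal cycle
        if dn in path:                     # nesting cycle: do not re-expand
            cycle = True
            return
        path.append(dn)
        for member in groups.get(dn, []):
            if member in groups:           # member is itself a group: recurse
                walk(member)
            else:
                (direct if len(path) == 1 else nested).add(member)
        path.pop()
    walk(group_dn.lower())
    return direct, nested - direct, cycle
```

For `cn=Engineering Group` the result is no direct user members, two nested members (`uid=user.14` and `uid=user.7`) and a detected cycle; both users receive the ACI's `write` permission even though neither appears in the group entry itself.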
