---
title: Creating virtual static groups
description: If your application only supports static groups but has scalability issues, using a virtual static group is a possible solution.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_create_virtual_static_groups
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_create_virtual_static_groups.html
revdate: May 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  example-3: Example:
  example-4: Example:
  example-5: Example:
  result: Result:
  example-6: Example:
  result-2: Result:
---

# Creating virtual static groups

If your application only supports static groups but has scalability issues, using a virtual static group is a possible solution.

## About this task

A virtual static group uses a virtual attribute that is dynamically generated when called after which the operations that determine group membership are passed to another group, such as a dynamic group. You must use the `ds-virtual-static-group` object class and the `ds-target-group-dn` virtual attribute.

Virtual static groups are best used when determining if a single user is a member of a group. Do not use it if an application accesses the full list of group members because of the performance expense at constructing the list.

|   |                                                                                                                                                                                                                                               |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you have a small database and an application that requires that the full membership list be returned, enable the `allow-retrieving-membership` property for the Virtual Static `uniqueMember` virtual attribute using the `dsconfig` tool. |

To create a virtual static group:

## Steps

1. In a text editor, create a group entry in LDIF, and then save the file.

   ### Example:

   In this example, the entry contains the `groupOfUniqueNames` object class, but in place of the `uniquemember` attribute is the `ds-target-group-dn` virtual attribute, which is part of the `ds-virtual-static-group` auxiliary object class.

   In this example, the file is named `add-virtual-static-group.ldif`.

   ```
   dn: cn=virtualstatic,ou=groups,dc=example,dc=com
   objectclass: top
   objectclass: groupOfUniqueNames
   objectclass: ds-virtual-static-group
   ou: groups
   cn: virtual static
   ds-target-group-dn: cn=eng-staff,ou=groups,dc=example,dc=com
   ```

2. To add the virtual static group entry to the server, use the `ldapmodify` tool.

   ### Example:

   ```shell
   $ bin/ldapmodify -h server1.example.com -p 389 -D "uid=admin,dc=example,dc=com" \
     -w password -a -f add-virtual-static-group.ldif
   ```

3. To enable the Virtual Static `uniqueMember` attribute, use the `set-virtual-attribute-prop` option with `dsconfig`.

   |   |                                        |
   | - | -------------------------------------- |
   |   | This attribute is disabled by default. |

   ### Example:

   ```shell
   $ bin/dsconfig set-virtual-attribute-prop --name "Virtual Static uniqueMember" \
     --set enabled:true
   ```

4. To determine if a user is part of a virtual static group, use `ldapsearch`.

   ### Example:

   In [Creating dynamic groups](pd_ds_create_dynamic_groups.html), the example sets up `uid=user.0` to be part of the `cn=eng-staff` dynamic group. This example determines if `uid=user.0` is part of the virtual static group using the `isMemberOf` virtual attribute.

   ```shell
   $ bin/ldapsearch -h server1.example.com -p 389 -D "cn=Directory Manager" \
     -w secret -b dc=example,dc=com" "(uid=user.0)" isMemberOf
   ```

   ### Example:

   The following example determines if `uid=user.0` is part of the virtual static group without using the `isMemberOf` virtual attribute in the `ldapsearch`.

   ```shell
   $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
     -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
     "(&(objectclass=groupOfUniqueNames) \
     (uniquemember=uid=user.0,ou=People,dc=example,dc=com))"
   ```

   ### Result:

   Using the `isMemberOf` virtual attribute returns the following.

   ```
   dn: uid=user.0,ou=People,dc=example,dc=com
   isMemberOf: cn=virtualstatic,ou=groups,dc=example,dc=com
   isMemberOf: cn=eng-staff,ou=groups,dc=example,dc=com
   ```

   |   |                                                                     |
   | - | ------------------------------------------------------------------- |
   |   | You should see the returned `cn=virtualstatic` entry if successful. |

5. (Optional) To try searching for a user that is not part of the `cn=eng-staff` dynamic group, use `ldapsearch`.

   ### Example:

   This example searches for `uid=user.20`.

   ```shell
   $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -w password \
     -b "cn=virtualStatic,ou=Groups,dc=example,dc=com" \
     "(&(objectclass=groupOfUniqueNames) \
     (uniquemember=uid=user.20,ou=People,dc=example,dc=com))"
   ```

   ### Result:

   No entries are returned.