---
title: About the isMemberOf and isDirectMemberOf virtual attributes
description: PingDirectory server can generate either isMemberOf or isDirectMemberOf virtual attributes in user entries.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_ismemberof_isdirectmemberof_virtual_attrs
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_ismemberof_isdirectmemberof_virtual_attrs.html
revdate: September 13, 2023
section_ids:
  the-rewrite-search-filters-ismemberof-configuration-property: The rewrite-search-filters isMemberOf configuration property
  determine-if-a-user-is-a-member-of-a-specified-group: Determine if a user is a member of a specified group
  determine-the-set-of-all-groups-in-which-a-user-is-a-member: Determine the set of all groups in which a user is a member
  determine-the-set-of-all-members-for-a-specified-group: Determine the set of all members for a specified group
---

# About the isMemberOf and isDirectMemberOf virtual attributes

PingDirectory server can generate either `isMemberOf` or `isDirectMemberOf` virtual attributes in user entries.

The existence of static, nested, dynamic, and virtual static groups can make it complex to work with groups in the server because the ways you interact with them are so different. Static groups can use three different structural object classes, not counting the auxiliary class for virtual static groups, which can further complicate things. PingDirectory server's virtual attributes simplify group membership determination by making it consistent across all types of groups.

The value of the `isMemberOf` virtual attribute is a list of distinguished names (DNs) of all groups, including static, nested, dynamic, and virtual static groups, in which the associated user is a member. The value of the `isDirectMemberOf` virtual attribute is a subset of the values of `isMemberOf`, which represents the groups for which the entry is an explicit or direct member. Both are enabled by default.

Because `isMemberOf` and `isDirectMemberOf` are operational attributes, only users who have been granted the privilege can see them. The default set of access control rules does not allow any level of access to user data. The only access that is granted is what is included in user-defined access control rules, which is generally given to a `uid=admin` administrator account. You should restrict access to operational and non-operational attributes to the minimal set of users that need to see them. The root bind DN, `cn=Directory Manager`, has the privilege to view operational attributes by default.

## The `rewrite-search-filters` `isMemberOf` configuration property

The `rewrite-search-filters` property allows `isMemberOf` searches targeting dynamic groups to be processed more efficiently because you can substitute the filter of the dynamic group into the original search filter. This speeds up paged searches across a large dynamic group.

The following table shows the three possible settings for the `rewrite-search-filters` property.

| Setting              | Description |
| -------------------- | ----------- |
| `always`             | Always enhance search filters to include the dynamic group filter components. This often speeds up searches on dynamic groups, but in rare cases can make search processing slower. An example is if the dynamic group filter matches many entries, but the dynamic group base distinguished name (DN) and scope do not. |
| `within-group-scope` | The default value. Enhances search filters to include dynamic group filter components only when the search is within the base DN and scope of the dynamic group. Although this doesn't improve performance for search requests whose scope is larger than that of the dynamic group, it should never lead to slower dynamic group search processing. |
| `never`              | Never enhance search filters to include the dynamic group filter components. |

To use the `rewrite-search-filters` configuration property:

* To set the `rewrite-search-filters` configuration property to the desired setting, run `dsconfig`.

  ```
  dsconfig set-virtual-attribute-prop --name isMemberOf --set rewrite-search-filters:<always | never | within-group-scope>
  ```

* To optionally keep the server from archiving configurations where only this attribute is changing, you can declare the `rewrite-search-filters` attribute as insignificant by running `dsconfig`.

  ```
  dsconfig set-backend-prop --backend-name config --add insignificant-config-archive-attribute:ds-cfg-rewrite-search-filters
  ```

## Determine if a user is a member of a specified group

To determine if a user is a member of a specified group using the `isMemberOf` virtual attribute, perform a base-level search against the user's entry with an equality filter targeting the `isMemberOf` attribute with a value that is the DN of the target group. The following table illustrates this base-level search.

| Search Parameter     | Value                                                    |
| -------------------- | -------------------------------------------------------- |
| Base DN              | `uid=john.doe,ou=People,dc=example,dc=com`               |
| Scope                | `base`                                                   |
| Filter               | `(isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com)` |
| Requested Attributes | `1.1`                                                    |

If this search returns an entry, then the user is a member of the specified group. If no entry is returned, then the user is not a member of the given group.

## Determine the set of all groups in which a user is a member

To determine the set of all groups in which a user is a member, retrieve the user's entry with a base-level search and include the `isMemberOf` attribute.

| Search Parameter     | Value                                      |
| -------------------- | ------------------------------------------ |
| Base DN              | `uid=john.doe,ou=People,dc=example,dc=com` |
| Scope                | `base`                                     |
| Filter               | `(objectclass=*)`                          |
| Requested attributes | `isMemberOf`                               |

## Determine the set of all members for a specified group

To determine the set of all members for a specified group, issue a subtree search with an equality filter targeting the `isMemberOf` attribute with a value that is the DN of the target group and requesting the attributes you wish to have for member entries.

| Search Parameter     | Value                                                    |
| -------------------- | -------------------------------------------------------- |
| Base DN              | `ou=People,dc=example,dc=com`                            |
| Scope                | `sub`                                                    |
| Filter               | `(isMemberOf=cn=Test Group,ou=Groups,dc=example,dc=com)` |
| Requested Attributes | `cn, mail`                                               |

The `isDirectMemberOf` virtual attribute can be used in the previous examples in place of `isMemberOf` if you only need to find groups in which users are explicit (direct) members. You must use `isMemberOf` for nested group membership.

Note: If this filter targets a dynamic group using an unindexed search, then this might be an expensive operation. However, it is not more expensive than retrieving the target group and then issuing a search based on information contained in the member URL.

For static groups, this approach has the added benefit of using a single search to retrieve information from all user entries. Otherwise, you would have to retrieve the static group and then perform a separate search for each member's entry.
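The three searches described in the sections above, built as parameter sets in an added Python example (not PingDirectory code; the function names and the toy `matches` evaluator are hypothetical, and the entry is constructed). The group DN is escaped per RFC 4515 before it is placed in the filter, so a `*` or parenthesis in the value stays part of the equality assertion instead of changing what the filter means.

```python
import re

# Added example; function names are hypothetical, not a PingDirectory API.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def membership_check(user_dn, group_dn, attr="isMemberOf"):
    """Base-level search on the user's entry; a returned entry means 'member'."""
    return {"base": user_dn, "scope": "base",
            "filter": f"({attr}={escape_filter_value(group_dn)})", "attrs": ["1.1"]}

def groups_of_user(user_dn, attr="isMemberOf"):
    """Base-level search that returns the group DNs as values of attr."""
    return {"base": user_dn, "scope": "base",
            "filter": "(objectclass=*)", "attrs": [attr]}

def members_of_group(search_base, group_dn, attrs=("cn", "mail"), attr="isMemberOf"):
    """Subtree search for every entry whose attr contains group_dn."""
    return {"base": search_base, "scope": "sub",
            "filter": f"({attr}={escape_filter_value(group_dn)})", "attrs": list(attrs)}

def matches(entry, flt):
    """Toy evaluator for (attr=value) and (attr=*) only, to show filter semantics."""
    attr, _, value = flt[1:-1].partition("=")
    values = entry.get(attr.lower(), [])
    if value == "*":                      # presence filter: any value matches
        return bool(values)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == wanted.lower() for v in values)

# Constructed sample data, using the DNs from the tables above.
USER = "uid=john.doe,ou=People,dc=example,dc=com"
TEST_GROUP = "cn=Test Group,ou=Groups,dc=example,dc=com"
JOHN = {"ismemberof": [TEST_GROUP]}

if __name__ == "__main__":
    for group in (TEST_GROUP, "*"):       # "*" stands in for an unvalidated group value
        flt = membership_check(USER, group)["filter"]
        print(flt, "->", matches(JOHN, flt))
```

Pass `attr="isDirectMemberOf"` to any of the three builders to restrict the result to direct membership.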
